-2

Hello i haven't any php problems at screen when its running but i also dont have any activity at database, the information not INSERTED. what will be my next step to resolve this problem? Thanks for helping us.

see code at:http://businesstrends.co.il/learn/probcode.php

Also i want to get more information about how make it more secure.

if(isset($_POST['submits'])){
    $connect = mysql_connect("localhost","root","","");
    function secure($secure){
        mysql_real_escape_string($secure);
    }
    $username = secure($_POST['username']);
    $password = secure($_POST['password']);
    $repassword = secure($_POST['repassword']);
    $firstname = secure($_POST['firstname']);
    $lastname = secure($_POST['lastname']);
    $fullname = $firstname." ".$lastname;
    $BirthDayDay = secure($_POST['BirthDayDay']);
    $BirthDayMonth = secure($_POST['BirthDayMonth']);
    $BirthDayYear = secure($_POST['BirthDayYear']);
    $birthday = $BirthDayDay."/".$BirthDayMonth."/".$BirthDayYear;
    $email = secure($_POST['email']);
    $acceptterms = secure($_POST['acceptterms']);

    /* echo $username."<br>".$password."<br>".$repassword."<br>".$firstname."<br>".$lastname."<br>".$birthday."<br>".$email."<br>".$acceptterms; */
    if(isset($acceptterms)){
        if(empty($username) && empty($password) && empty($repassword) && empty($firstname) && empty($lastname) && empty($BirthDayDay) && empty($BirthDayMonth) && empty($BirthDayYear) && empty($email) && empty($acceptterms)){
            echo "אחד מן השדות ריקים";
        }else{
            if($password == $repassword){
                if(mysql_query("SELECT username FROM users WHERE $username == username ") == 0){
                    if(mysql_query("SELECT email FROM users WHERE $email == email ") == 0){
                        mysql_query("INSERT INTO users (ID, fullname, username, password, email, birthday, tags, gold, activation) VALUES ('NULL', '$fullname', '$username', '$password', '$email', '$birthday', 'belarge', '0', '0')");
                        echo $fullname."נרשמת בהצלחה לאתר בשם המשתמש:".$username.".";
                        mysql_close($connect);
                    }else{
                        echo "האימייל בשימוש";
                        mysql_close($connect);
                    }
                }else{
                    echo "שם משתמש בשימוש";
                    mysql_close($connect);
                }
            }else{
                echo "הסיסמאות אינן תואמות";
                mysql_close($connect);
            }
        }
    }else{
        echo "לא אישרתם תקנון!";
        mysql_close($connect);
    }
}
Baruch Belete
  • 62
  • 8
  • Related: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – BlitZ Feb 16 '14 at 07:39
  • 6
    mysql extension is [deprecated](http://stackoverflow.com/questions/13944956) as of PHP 5.5.0, and will be removed in the future. Instead, the [MySQLi](http://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. Please don't use `mysql_*` to develop new code. – bansi Feb 16 '14 at 07:39
  • why is the `function secure` inside the if loop? isn't it making things more confusing? also it is not returning anything – bansi Feb 16 '14 at 07:41
  • [mysql_query](http://www.php.net/mysql_query) returns a [resource](http://www.php.net/manual/en/language.types.resource.php) on success and `FALSE` on failure. so comparing it to `0` doesn't make any sense. – bansi Feb 16 '14 at 07:50
  • bansi, what i need to write if i want to comparing to TRUE?. – Baruch Belete Feb 16 '14 at 15:51

1 Answers1

0

Change:

if(mysql_query("SELECT username FROM users WHERE $username == username ") == 0){
                    if(mysql_query("SELECT email FROM users WHERE $email == email ") == 0){
                        mysql_query("INSERT INTO users (ID, fullname, username, password, email, birthday, tags, gold, activation) VALUES ('NULL', '$fullname', '$username', '$password', '$email', '$birthday', 'belarge', '0', '0')");
                        echo $fullname."נרשמת בהצלחה לאתר בשם המשתמש:".$username.".";
                        mysql_close($connect);
                    }else{
                        echo "האימייל בשימוש";
                        mysql_close($connect);
                    }
                }

To:

if(mysql_num_rows(mysql_query("SELECT username FROM users WHERE '$username' = username ")) == 0){
    if(mysql_num_rows(mysql_query("SELECT email FROM users WHERE '$email' = email ")) == 0){
        mysql_query("INSERT INTO users (ID, fullname, username, password, email, birthday, tags, gold, activation) VALUES ('NULL', '$fullname', '$username', '$password', '$email', '$birthday', 'belarge', '0', '0')");
        echo $fullname."נרשמת בהצלחה לאתר בשם המשתמש:".$username.".";
        mysql_close($connect);
    }else{
        echo "האימייל בשימוש";
        mysql_close($connect);
    }
}

Remember 'NULL' is a string but NULL is null. MySql does NOT use == for equality check (it uses =) .

P.S: mysql extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Please don't use mysql_* to develop new code.

Community
  • 1
  • 1
undone
  • 7,857
  • 4
  • 44
  • 69