-1

My code did not work. I am building a website with login using PHP and mysqli. I included a prepared statement to improve security, but I think I am doing it wrong. Please help.

It cannot send the information to the database.

"prepared failed!" shows up. What is the problem?

<?php

  if(isset($_POST['signup-name'], $_POST['signup-password-1'], $_POST['signup-password-2'], $_POST['signup-email-1'], $_POST['signup-email-2'], $_POST['signup-country'], $_POST['recaptcha_challenge_field'], $_POST['recaptcha_response_field'])){
    if(!empty($_POST['signup-name']) and !empty($_POST['signup-password-1']) and !empty($_POST['signup-password-2']) and !empty($_POST['signup-email-1']) and !empty($_POST['signup-email-2']) and !empty($_POST['signup-country']) and !empty( $_POST['recaptcha_challenge_field']) and !empty( $_POST['recaptcha_response_field'])){

      echo "ok";

      $username = $_POST['signup-name'];
      $password1 = $_POST['signup-password-1'];
      $password2 = $_POST['signup-password-2'];
      $email1 = $_POST['signup-email-1'];
      $email2 = $_POST['signup-email-2'];
      $country = $_POST['signup-country'];

      //$recaptcha_challenge_field = $_POST['recaptcha_challenge_field'];
      //$recaptcha_response_field = $_POST['recaptcha_response_field'];
      if (filter_var($email1, FILTER_VALIDATE_EMAIL) && ($email1==$email2) && ($password1==$password2)) {
        include 'db_info.php';
        $mysqli = new mysqli("localhost", $db_uusseerrss, $db_ppwwdd, "user_db");
        if (mysqli_connect_errno()) {
          echo "no ok";
          printf("Connect failed: %s\n", mysqli_connect_error());
          exit();
        }

        // $hashed_password is bound below but was never assigned; hash the password before storing it
        $hashed_password = password_hash($password1, PASSWORD_DEFAULT);

        $query = "INSERT INTO user_info (`username`, `email`, `password`, `country`) VALUES( ?, ?, ?, ?)";
        if ($stmt = $mysqli->prepare($query)) {
          $stmt->bind_param('ssss', $username, $email1, $hashed_password, $country );
          $stmt->execute();
          $stmt->close();
          //mysqli_close($link);
        }else{
          // $stmt is false when prepare() fails, so the error text lives on the connection object
          die('prepare() failed: ' . htmlspecialchars($mysqli->error));
        }
      }else{
        echo "filter failed!";
      }
    }else{
      echo "value is not set";
    }
  }

?>
John

2 Answers

0

You can show what errors you got using the function mysqli_error($mysqli):

else{
   var_dump(mysqli_error($mysqli));exit;
   die('prepare() failed: ' . htmlspecialchars($stmt->error));
}
Felipe
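The same signup INSERT written so that a failing prepare() can never be silent, as an added example that is not part of either answer: mysqli is switched to exception mode, the password is hashed before it is bound, and the real error goes to the server log while the browser only gets a generic message. The table name, column names, and the placeholder credentials are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes a table
// user_info(username, email, password, country) and placeholder credentials.
// In strict report mode every mysqli failure (connect, prepare, execute)
// throws mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function create_user(mysqli $db, $username, $email, $password, $country)
{
    // Never store the raw password; password_hash produces a salted hash.
    $hashed = password_hash($password, PASSWORD_DEFAULT);

    // No quotes of any kind around column names, so a typo such as 'country'
    // cannot turn a column into a string literal.
    $sql = 'INSERT INTO user_info (username, email, password, country) VALUES (?, ?, ?, ?)';
    try {
        $stmt = $db->prepare($sql);   // a wrong column name throws right here
        $stmt->bind_param('ssss', $username, $email, $hashed, $country);
        $stmt->execute();
        $stmt->close();
        return true;
    } catch (mysqli_sql_exception $e) {
        // Full detail for the operator, nothing SQL-specific for the visitor.
        error_log('signup insert failed: ' . $e->getMessage());
        return false;
    }
}

$db_user = 'app_user';   // placeholder, normally loaded from db_info.php
$db_pass = 'app_pass';   // placeholder

try {
    $db = new mysqli('localhost', $db_user, $db_pass, 'user_db');
} catch (mysqli_sql_exception $e) {
    error_log('db connect failed: ' . $e->getMessage());
    exit('service unavailable');
}

if (isset($_POST['signup-name'], $_POST['signup-password-1'], $_POST['signup-password-2'],
          $_POST['signup-email-1'], $_POST['signup-country'])
    && $_POST['signup-password-1'] === $_POST['signup-password-2']
    && filter_var($_POST['signup-email-1'], FILTER_VALIDATE_EMAIL)) {
    if (create_user($db, $_POST['signup-name'], $_POST['signup-email-1'],
                    $_POST['signup-password-1'], $_POST['signup-country'])) {
        echo 'account created';
    } else {
        echo 'signup failed, please try again later';
    }
}
```

With exception mode on, the `if ($stmt = $mysqli->prepare(...))` check is no longer needed, and a mistyped column name shows up in the server log as the MySQL error message rather than as a bare "prepared failed!".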
-1

One error is obvious:

INSERT INTO user_info (`username`, `email`, `password`, 'country')

country has single quotes; it needs to be

INSERT INTO user_info (`username`, `email`, `password`, `country`)

OR

INSERT INTO user_info (`username`, `email`, `password`, country)
Abhik Chakraborty
  • Backticks are ONLY required when the word is reserved by MySQL. None of those words are reserved and therefore there's no reason to escape with backticks, just a heads up. – Ohgodwhy Apr 26 '14 at 18:26
  • Yes, that's correct. Backticks are only needed for reserved keywords or if you have column names containing a space etc. – Abhik Chakraborty Apr 26 '14 at 18:27
  • "Still does not work" does not tell the reason; you need to use the mysqli error to get the error and catch what's going wrong. – Abhik Chakraborty Apr 26 '14 at 18:30
  • No PHP errors are shown. Is there any way I can identify the error? – John Apr 26 '14 at 18:33
  • http://stackoverflow.com/questions/13021122/issues-with-mysqli-prepare http://stackoverflow.com/questions/18453924/detecting-errors-in-mysqli-prepared-statement – Abhik Chakraborty Apr 26 '14 at 18:34
  • @Ohgodwhy Doesn't mean you can't just be safe and use backticks anyway. What if in some version down the line MySQL makes `country` a reserved system word? – Kermit Apr 26 '14 at 19:26