0

I have created a simple form to create new users for a system i'm developing but for some reason when the form is processed the field for "password" is not being stored in the database, or at least it appears that way as the rest of the fields in the table are filled in all bar the "password" field.

The code for the form is as follows:

<form action="create_admin.php" method="post" enctype="multipart/form-data">
        <div style="float:left; width:45%">

        <!-- username -->           

        <p>
            <label>Username:</label><br/>
            <input type="text" class="text small" name="username" id="username" value="" />
                <span class="note">*required</span>

        </p>

        <!-- password -->

        <p>
            <label>Password:</label><br/>
            <input type="text" class="text small" name="password" id="password" value="" />
                <span class="note">*required</span>
        </p>


        <!-- other comments -->                 
            </div>

        <div style="width:45%;float:right">
        <!-- user_id_account -->

        <p>
            <label>Position:</label><br/>
                <select name="position" class="styled" style="width:240px">
                    <option value="0">n/a</option>
                    <option value="Design"  >Design</option>
                    <option value="Development"  >Development</option>
                    <option value="Sales"  >Sales</option>
                    <option value="Management"  >Management</option>                        
                </select>
        </p>

    </div>  


        <p>
            <input type="submit" class="submit long" value="Save and Return" name="submit" />
        </p>

     </form>

And the form processing code is as follows:

<?php require_once("includes/db_connection.php"); ?>
<?php require_once("includes/functions.php"); ?>

<?php
if (isset($_POST['submit'])) {
    //Process the form
$username = mysql_prep($_POST["username"]);
$password = $_POST["password"];
$position = $_POST["position"];

$query  = "INSERT INTO admin (";
$query .= " username, password, position";
$query .= " ) VALUES (";
$query .= " '{$username}', '{$password}', '{$position}' ";
$query .= ")";

echo $query;

try { $result = mysqli_query($connection, $query);
} catch (Exception $e) {
    return 'Caught exception: '+  $e->getMessage()+ "\n";
}
//Test if there was a query error
if ($result) {
    //Success
    // would normally use a redirect ie redirect_to("somepage.php");
    //$message = "Subject created.";
    redirect_to("list_admins.php");
}else {
    //failure
    //$message = "Subject creation failed.";
    //redirect_to("add_project.php");
    echo $query;
}
} else {
// This is probably a GET request
redirect_to("add_admin.php");
}?>

<?php
// Close database connection
if(isset($connection)){ mysqli_close($connection); }
?>

I thought perhaps the problem was my SQL statement but i've tried it from within phpMyAdmin and it seems fine. Can anyone shed some light as to where i might be going wrong here?

*Note: i realise i haven't set the password input to password as i just want to save it as plaintext for the moment until i get everything working and will add encryption to it at a later stage.

DannyW86
  • 201
  • 3
  • 8
  • 20
  • 4
    Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo May 14 '14 at 17:06
  • 1
    Why the `+`'s in `return 'Caught exception: '+ $e->getMessage()+ "\n";`? Plus, what does `mysql_prep()` do? – Funk Forty Niner May 14 '14 at 17:06
  • Does the query echo? Do you get any errors? Which part of your `if ($results)` fires (the redirect, or the echo)? – random_user_name May 14 '14 at 17:07
  • are you getting the password value in php? – ɹɐqʞɐ zoɹǝɟ May 14 '14 at 17:07
  • 1
    `mysqli_*()` functions do not throw exceptions. Your try/catch block is essentially useless. If there's a failure, the functions will return a boolean false. And if the query's failing, you should spit out `mysqli_error()`. Even if the query string itself is 100% perfect, there's far too many OTHER reasons for a query to fail. – Marc B May 14 '14 at 17:07
  • Add error reporting to the top of your file(s) `error_reporting(E_ALL); ini_set('display_errors', 1); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` if you're not already doing so. – Funk Forty Niner May 14 '14 at 17:09
  • By echo'ing before your redirect, your redirect won't work. – Arian Faurtosh May 14 '14 at 17:12
  • he is redirecting with a function, so you cannot assume that it won't work... the function might check if there are headers sent and if so do a JS or HTML redirect – Fabrizio May 14 '14 at 17:14

2 Answers2

2

Your try-catch block won't throw anything. Try something like this to get your insert in properly. Also note that if you echo before you can't redirect.

$query  = "INSERT INTO admin ( username, password, position ) VALUES ( ?, ?, ? )";

echo $query;  // <-- If you echo this, your php redirect won't work, unless you use Javascript

if($stmt = $connection->prepare($query)){
    $stmt->bind_param('sss', $username, $password, $position);
    $result = $stmt->execute();
    $stmt->close();
}else die("Failed to prepare!");
Arian Faurtosh
  • 17,987
  • 21
  • 77
  • 115
  • The thing is im using the exact same code for the form processing bar different values being passed into a different table and its all working fine? The username and position are both saving into the database, just the password field is being left blank? – DannyW86 May 14 '14 at 18:50
0

if its the problem with only your password. Please verify

  1. If There is a mismatch in datatype of password field in the mysql database with the input values.

  2. After first step verification if the problem still persists, try to echo the password value in the processing page, if it is displaying it correctly perform trials with the syntax.

user3575290
  • 21
  • 3
  • Only with the password yes, but the input as you can see is just set to text and the type in the database is set to varchar so i don't see why there is an issue? To add to this i have entered the SQL statement directly in phpMyAdmin to see if it was my SQL that was wrong but it worked fine, its as if the word "password" in the code is preventing something? – DannyW86 May 14 '14 at 19:00