-1

I'm new to PHP and SQL and all that stuff, and I was watching a tutorial on YouTube about forums in PHP and wonder why this code doesn't echo "Success" when submitting the form. I also wonder why it echoes out Failure before I have submitted the form. I have connected successfully to the database.

<!DOCTYPE HTML>
<html>
    <head>
        <title>Register</title>
    </head>
    <body>
        <form action="register.php" method="POST">
            Username: <input type="text" name="username">
            <br/>
            Password: <input type="password" name="password">
            <br/>
            Confirm Password: <input type="password" name="confirmPassword">
            <br/>
            Email: <input type="text" name="email">
            <br/>
            <input type="submit" name="submit" value="Register"> or <a href="login.php">Log in</a>
        </form>
    </body>
</html>
<?php
    require('connect.php');
    $username = $_POST['username'];
    $password = $_POST['password'];
    $confirmPassword = $_POST['confirmPassword'];
    $email = $_POST['email'];

    if(isset($_POST["submit"])){
        if($query = mysql_query("INSERT INTO users ('id', 'username', 'password', 'email') VALUES('', '".$username."', '".$password."', '".$email."')")){
            echo "Success";
        }else{
            echo "Failure" . mysql_error();
        }
    }
?>

Connect.php

<?php

$connect = mysqli_connect("localhost", "root", "") or die("Could not connect to server!");
mysqli_select_db($connect, "php_forum") or die("Could not connect to database!");

?>
Emil Øgård
  • 4
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). Also, this code is *wide* open to [SQL injection](http://bobby-tables.com/). – esqew Dec 29 '14 at 00:59
  • Show your connect.php – iatboy Dec 29 '14 at 01:05

2 Answers

3

There are a few things wrong here.

You're using the wrong identifiers for your columns (those being quotes):

('id', 'username', 'password', 'email')

remove them

(id, username, password, email)

or use backticks

(`id`, `username`, `password`, `email`)

mysql_error() should have thrown you an error, but it didn't because of:

  • You're mixing MySQL APIs with mysqli_ to connect with, then mysql_ in your query.

Those two different APIs do not intermix with each other.

Use mysqli_ exclusively and change your present query to:

if($query = mysqli_query($connect, "INSERT...

and change mysql_error() to mysqli_error($connect)

as a rewrite for that block:

if(isset($_POST["submit"])){
    if($query = mysqli_query($connect,"INSERT INTO users ('id', 'username', 'password', 'email') VALUES('', '".$username."', '".$password."', '".$email."')")){
        echo "Success";
    }else{
        echo "Failure" . mysqli_error($connect);
    }
}

Just to test the error, make the changes as I outlined just above, while keeping the quotes around your columns the way you have it now. You will then see the error that MySQL will throw. You can then do as I've already outlined above and remove the quotes around the column names, or replace them with backticks.

The tutorial you saw may very well have used backticks, but they were probably not distinguishable enough for you to tell that they were indeed backticks and not single quotes.

However, your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements; they're much safer.


I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.


Also, instead of doing:

$connect = mysqli_connect("localhost", "root", "") or die("Could not connect to server!");
mysqli_select_db($connect, "php_forum") or die("Could not connect to database!");

You should be checking for errors instead, just as the manual states

// mysqli_connect_error() reports a failed connection; mysqli_error() needs a valid link.
$link = mysqli_connect("myhost","myuser","mypassw","mybd")
or die("Error " . mysqli_connect_error());

So in your case:

$connect = mysqli_connect("localhost", "root", "","php_forum")
or die("Error " . mysqli_connect_error());

Edit: and I changed action="register.php" to action="" since you're using the entire code inside the same page.

<!DOCTYPE HTML>
<html>
    <head>
        <title>Register</title>
    </head>
    <body>
        <form action="" method="POST">
            Username: <input type="text" name="username">
            <br/>
            Password: <input type="password" name="password">
            <br/>
            Confirm Password: <input type="password" name="confirmPassword">
            <br/>
            Email: <input type="text" name="email">
            <br/>
            <input type="submit" name="submit" value="Register"> or <a href="login.php">Log in</a>
        </form>
    </body>
</html>
<?php
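    require('connect.php');

    if(isset($_POST["submit"])){
        // Read the form fields only after the form has been submitted,
        // so a plain page load does not raise "undefined index" notices.
        $username = $_POST['username'];
        $password = $_POST['password'];
        $confirmPassword = $_POST['confirmPassword'];
        $email = $_POST['email'];

        // Still built by string concatenation, so still open to SQL injection
        // (see the note on prepared statements above).
        if($query = mysqli_query($connect,"INSERT INTO users (`id`, `username`, `password`, `email`) VALUES ('', '".$username."', '".$password."', '".$email."')")){
            echo "Success";
        }else{
            echo "Failure" . mysqli_error($connect);
        }
    }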
?>
Funk Forty Niner
  • Thank you, it now echoes "success". Thanks for the security tips too, I will use that, but now I just try to make something easy work. Any idea why the code gets run before I submit the form? – Emil Øgård Dec 29 '14 at 01:28
  • @EmilØgård You're welcome. I can't see why the query would run, what with how you've a conditional statement `if(isset($_POST["submit"]))`. Are you sure you're using the same code and the submit button is named as you have it now? – Funk Forty Niner Dec 29 '14 at 01:34
  • @EmilØgård You should also remove `or Log in` from inside your form and place it outside the form tags. That could be the reason why. Did you keep the `if(isset($_POST["submit"]))`? Reload to see my change under **as a rewrite for that block:** – Funk Forty Niner Dec 29 '14 at 01:36
  • Yes I am sure. I also tested with `if(isset($_POST['submit'])){ echo "submitted"; }` and it also ran successfully. Is there anything wrong in that line? – Emil Øgård Dec 29 '14 at 01:40
  • @EmilØgård Did you reload my answer to see the change I made to it under **as a rewrite for that block**? You may have overwritten the conditional statement. – Funk Forty Niner Dec 29 '14 at 01:43
  • @EmilØgård I've tested your code with my fixes and it did not perform the query on loading the page, not till I hit the submit button. – Funk Forty Niner Dec 29 '14 at 01:47
  • Could you post all my code with your changes so I could copy it and see? – Emil Øgård Dec 29 '14 at 01:49
  • @EmilØgård Well I can't replicate the problem. As I said, I tested this with your form and the fixes I made, and it did not enter in DB upon loading the page. I will make a complete write up. Give me a few minutes. I will add it as an edit under my original answer. – Funk Forty Niner Dec 29 '14 at 01:50
  • I just replaced all my code with yours, and it still submits to the database. Can it be a problem that has nothing to do with the code? – Emil Øgård Dec 29 '14 at 01:59
  • @EmilØgård I have no idea. At this point, I suggest you split your HTML form from your SQL as separate files. If it still does it, then something may be in your system's cache or you didn't clear your computer's cache. It's very hard to say at this point now. That's all I can make of it. If you decide to split them in two files, rename them both to different names. Or keep what you have now and upload it as a different name. – Funk Forty Niner Dec 29 '14 at 02:02
  • Will do. Nice of you to remember I am new here. Thank you very much for the help! – Emil Øgård Dec 29 '14 at 12:22
  • @EmilØgård You're very much welcome Emil, *cheers* and welcome to Stack :) – Funk Forty Niner Dec 29 '14 at 12:23
  • 1
    It's answers like this that make me want to nominate you for sainthood – John Conde Dec 30 '14 at 03:49
  • @JohnConde Thank you John, that's kind of you to say :-) – Funk Forty Niner Dec 30 '14 at 03:54
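
Added example (not part of the original answer or its comments): the first answer's advice on prepared statements, password_hash() and reading the form only after submission, combined in one handler. It uses PDO with an in-memory SQLite database so it runs without a server; the `register_user` function and the table layout are assumptions for illustration.

```php
<?php
// Added example, not code from the original answer. The users table layout
// is assumed from the question; SQLite in memory stands in for MySQL.
function register_user(PDO $db, array $post): string
{
    // Read form fields only after confirming they were actually submitted.
    foreach (['username', 'password', 'confirmPassword', 'email'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return "Failure: missing $field";
        }
    }
    if ($post['password'] !== $post['confirmPassword']) {
        return 'Failure: passwords do not match';
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'Failure: invalid email';
    }
    // Store a salted hash (bcrypt by default), never the password itself.
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO users (username, password, email) VALUES (?, ?, ?)'
    );
    try {
        $stmt->execute([$post['username'], $hash, $post['email']]);
    } catch (PDOException $e) {
        error_log($e->getMessage());   // log details, show the user a generic message
        return 'Failure: could not create account';
    }
    return 'Success';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password TEXT, email TEXT)');

// Constructed sample submission; the apostrophe would break a concatenated query.
$post = ['username' => "O'Brien", 'password' => 'correct horse',
         'confirmPassword' => 'correct horse', 'email' => 'emil@example.com'];

echo register_user($db, $post), "\n";   // first registration
echo register_user($db, $post), "\n";   // same username again hits the UNIQUE constraint
$row = $db->query('SELECT username, password FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === $post['username']);             // stored as literal data
var_dump(password_verify('correct horse', $row['password'])); // hash checks out at login
```

With MySQL only the DSN passed to `new PDO(...)` changes; at login, compare the submitted password with `password_verify()` against the stored hash.
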
-1

It will echo 'Failure', so executing this bit of code

 else{
            echo "Failure" . mysql_error();
        }

whenever $_POST["submit"] is not set, and it will not be set anytime you open your page (even if you navigate to it from your bookmark or from Google search results) or when you submit your form in GET mode

rgasiore