
I am having issues when trying to insert ("username", as I use as an example) into my MySQL db. Anyway, as soon as I update the site, I get the "success" message I set if it worked as it should, and a blank row is inserted into my db. However, it also works the normal way when typing something into the textbox (after I got the "success" message) and pressing submit; it's also getting inserted into the db. But my issue is this first blank insert that shouldn't be there; I have no further idea how to solve that one atm :/

I also get a notice at the top of the site, saying "Undefined index: username". I have no idea what I've done wrong :/

Here's my code btw:

```php
<?php
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "pw";
$dbname = "dbname";

$conn = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
if($conn->connect_error) {
    die("Connection Failed: " . $conn->connect_error);
}

$user = $_POST["username"];

$sql = "INSERT INTO account (username) VALUES ('$user')";
if($conn->query($sql) === true) {
  echo "Success!";
} else {
  echo "Error: " . $sql . "<br />" . $conn->error;
}
$conn->close();
?>
<form method="POST" action="">
    <input type="text" name="username" placeholder="Username" /><br /><br />
    <input type="submit" name="submit" value="Go" />
</form>
```

Thx in adv. :)

Enten92
  • what would happen if my username was `'; DROP TABLE account; --`? – castis Jan 26 '15 at 17:59
    **WARNING**: When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). The way you've coded this will only work under specific circumstances and is extremely risky. – tadman Jan 26 '15 at 18:00

1 Answer


1) You are vulnerable to sql injection attacks. Enjoy having your server pwn3d.

2) Your code runs unconditionally, EVERY TIME the page is loaded. Therefore when a user first hits the page, you run your code. Since no form has been submitted, $_POST['username'] is undefined and you end up inserting an empty string into the DB.

At bare minimum you should have something like

```php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    ... db code here ...
}
```

so that it only runs when a POST was performed.

Marc B
  • What if the user decides to not enter anything in the output? – Funk Forty Niner Jan 26 '15 at 18:01
  • Op didn't mention that, so neither will I. – Marc B Jan 26 '15 at 18:01
  • Hey thanks for the comments, I added the request method thing in the top of the db code, it works better now, however, if I just hit enter, as Fred said (not entering anything), it does input an empty row in the db as well :S sorry for being a noob >. – Enten92 Jan 26 '15 at 18:28
  • `if (isset($_POST['username']) && ($_POST['username'] != '')) { do db stuff }` – Marc B Jan 26 '15 at 18:29
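Putting the answer and the comments together, here is the question's script restructured the way they describe: the database code only runs on a POST, an empty submission is rejected, and the value goes in through a prepared statement with `bind_param`. This is an added example, not the asker's or the answerer's code; it assumes the same connection settings and the `account.username` table and column from the question.

```php
<?php
// Added example: the insert from the question, reworked along the lines the
// answer and comments describe. Assumes the table/column account.username.
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "pw";
$dbname = "dbname";
$message = "";

// Only touch the database when the form was actually submitted. On a plain
// GET there is no POST body, so this avoids both the "Undefined index"
// notice and the blank row on first load.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read the field without a notice if it is absent, and reject an
    // empty submission (the "just hit enter" case from the comments).
    $user = isset($_POST['username']) ? trim($_POST['username']) : '';
    if ($user === '') {
        $message = "Please enter a username.";
    } else {
        $conn = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
        if ($conn->connect_error) {
            die("Connection Failed: " . $conn->connect_error);
        }
        // Prepared statement: the value travels separately from the SQL
        // text, so input such as '; DROP TABLE account; -- is stored as a
        // literal string instead of being parsed as SQL.
        $stmt = $conn->prepare("INSERT INTO account (username) VALUES (?)");
        if ($stmt === false) {
            die("Prepare failed: " . $conn->error);
        }
        $stmt->bind_param("s", $user);
        if ($stmt->execute()) {
            $message = "Success!";
        } else {
            // Keep the SQL text and raw driver error out of the browser.
            $message = "Error: could not save the username.";
        }
        $stmt->close();
        $conn->close();
    }
}
?>
<?php if ($message !== ""): ?>
  <p><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form method="POST" action="">
    <input type="text" name="username" placeholder="Username" /><br /><br />
    <input type="submit" name="submit" value="Go" />
</form>
```

Loading the page with GET now inserts nothing, and only a non-empty submitted value reaches the table.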