I am trying to create a sign-up form for a web application I am developing. I haven't programmed with MySQL in a while, and when I fill out the HTML form I just get a blank page (register.php) and no values are passed into the database table. The code, both HTML and PHP, is below. Any guidance as to what I'm missing or why this isn't passing through would be sincerely appreciated.

This is the HTML form to sign up:

        <div class="panel-body">
        Please fill out the form below.
        <br>
        <form action="register.php" method="post">
        <div class="form-group">
        <label for="exampleInputEmail1">Email address</label>
        <input type="email" class="form-control" id="exampleInputEmail1" name="email" placeholder="Enter email">
        </div>
        <div class="form-group">
        <label for="exampleInputPassword1">Password</label>
        <input type="password" class="form-control" id="exampleInputPassword1" name="password" placeholder="Password">
        </div>
        <button type="submit" class="btn btn-default">Sign Up</button>
        </form>

And here is the code on register.php:

    $user = "smartkrawldb";
    $pass = "Nixon15!";
    $db = new PDO( 'mysql:host=XX.XXX.XXX.XX,dbname=smartkrawldb, $user, $pass);

    $form = $_POST;
    $email = $form['email'];
    $password = $form['password'];

    $sql = "INSERT INTO users ( email, password) VALUES ( :email, :password)";
    $query = $db->prepare( $sql );
    $query->execute( array(':email'=>$email, ':password'=>$password));

  • In the insert you are using column `pass` but in select it's `password` ? – Royal Bg Mar 29 '15 at 21:55
  • When in doubt, try adding some print statements. While debugging I like to add print statements before I'm actually running any query lines. Save your query as `$sql = (whatever your query is)` then run print $sql, and then on the next line your `mysql_query($sql)` – DaOgre Mar 29 '15 at 22:01
  • This code is vulnerable to [SQL injection](http://stackoverflow.com/q/60174/2257664), this is a serious security issue, you should fix this. – A.L Mar 29 '15 at 22:33
  • I have changed it to PDO. Is it still vulnerable and if so, any suggestions? – Matthieu McClintock Mar 29 '15 at 22:56
  • @Matthieu - the error messages you've added to the edit log, can you put them into the question, so they are visible to readers? – halfer Mar 30 '15 at 00:37
  • You have a quote and missing semi-colon in `( 'mysql:host=XX.XXX.XXX.XX,dbname=smartkrawldb, $user, $pass)` - Read the manual http://php.net/manual/en/pdo.connections.php `('mysql:host=localhost;dbname=test', $user, $pass)`. That's why your code is failing. – Funk Forty Niner Mar 30 '15 at 00:52
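
The points raised in the comments above (the DSN separator, parameter binding, and what ends up in the `password` column) put together in one script. This is an added example, not the asker's or any commenter's code; `connect()` and `registerUser()` are hypothetical names, and the in-memory SQLite database and its `users` schema are assumptions so the script runs without a MySQL server.

```php
<?php
declare(strict_types=1);

// Added example; connect() and registerUser() are hypothetical helper names.
// For MySQL the DSN parts are separated by ';' and the string is closed before
// the credentials: new PDO('mysql:host=localhost;dbname=test', $user, $pass).
// Read $user/$pass from the environment or a config file outside the web root.
function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Throw PDOException on any failure instead of returning false silently.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function registerUser(PDO $db, string $email, string $password): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || $password === '') {
        return false;
    }
    // Store a salted one-way hash, never the submitted password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :password)');
    try {
        return $stmt->execute([':email' => $email, ':password' => $hash]);
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate email).
        if (strncmp((string) $e->getCode(), '23', 2) === 0) {
            return false;
        }
        throw $e;
    }
}

// Constructed demo: in-memory SQLite (assumption) so the script runs offline.
$db = connect('sqlite::memory:');
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');

$secret = "it's-a-secret";                                 // the quote is bound as data
var_dump(registerUser($db, 'alice@example.com', $secret)); // first sign-up
var_dump(registerUser($db, 'alice@example.com', $secret)); // duplicate email
var_dump(registerUser($db, 'not-an-email', $secret));      // rejected input

$row = $db->query('SELECT password FROM users')->fetch();
var_dump($row['password'] !== $secret, password_verify($secret, $row['password']));
```

At login, the stored value is checked with `password_verify()` rather than compared in a `WHERE password = ...` clause.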

2 Answers

Does it work if you try this instead?

    $email = $_POST['email'];
    $pass = $_POST['pass'];
    $query = mysql_query("SELECT * FROM users WHERE email = '{$email}' AND password = '{$pass}'");

I highly recommend you switch over to PHP's PDO object workflow instead; it is so much more secure and easy to work with.

halfer

$_POST['submit'] is passing no value (it's a submit button), at all.

Try to var_dump, changing your last lines to this:

    if (isset($_POST['submit'])) {
        signUp();
    }
    else {
        echo "the problem with post_submit is that is not here inside: ";
        var_dump($_POST);
    }

to get an idea of what is inside the $_POST superglobal.

cheers!

urka_mazurka
  • I executed this and got nothing: function newUser() { $email = $_POST['email']; $pass = $_POST['pass']; $query = mysql_query("INSERT INTO users (email, password) VALUES ('$email, $pass)"); $data = mysql_query ($query)or die(mysql_error()); $sql = $query; var_dump($_POST); if($data) { echo "You're registered!"; } } – Matthieu McClintock Mar 29 '15 at 22:29
  • try changing your last two lines to : if(isset($_POST['submit'])) { signUp(); } else {echo "the problem with post_submit is that is not here inside: "; var_dump($_POST);} – urka_mazurka Mar 29 '15 at 22:48