-1

When I register an account (EX: my, game), in MySQL (EX: id name password, 1 my game, 2 my game), but I only press submit once and it adds it twice. My PHP is down below, and my HTML is a form: label, input, submit.

```php
<?php

define('DB_NAME', 'abcd');
define('DB_USER', 'abcd');
define('DB_PASSWORD', '******');
define('DB_HOST', 'localhost');

$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);

if (!$link)
{
die('Could NOT Connect: rong pass ' . mysql_error(rong_pass));
}
$db_selected = mysql_select_db(DB_NAME, $link);

if (!$db_selected)
{
die ('Cant\'t use' . DB_NAME. 'abcd' . mysql_error());
}
echo 'log in succes';
$id = $_POST["id"];
$com_name = $_POST["com_name"]; // Since method="post" in the form
$log_in = $_POST["log_in"];
$password = $_POST["password"];

$sql = "INSERT INTO members (com_name, log_in, password) VALUES
('$_POST[com_name]','$_POST[log_in]','$_POST[password]')";
$result = mysql_query($sql);

$result = mysql_query($sql) or die (" could not save record sorry ");

mysql_close();
?>
</ p><a href="demo.html">inapoi</a>

//at the same time you have been added to our database
```
Jay Blanchard
  • we will need to see your form page with the elements in it that posts to your script that you've posted in your question – unixmiah Apr 24 '15 at 16:40
  • 2
    Well, you do execute the query twice: `$result = mysql_query($sql); $result = mysql_query($sql)`. And you have an sql injection problem. Two :-) – jeroen Apr 24 '15 at 16:40
  • 2
    You are vulnerable to [sql injection attacks](http://bobby-tables.com), you are using obsolete/deprecated mysql libraries, and if you're getting two inserts into the DB, then this code is being executed twice: because you ARE calling mysql_query() twice. – Marc B Apr 24 '15 at 16:41
  • Right, I found it and fixed it. For now I am working on posting a log-in check to be able to see the site, and when I get all this to work together I will have to come back and see how I can stop injections or other attacks. Thanks a lot for the help – Remus Afrem Apr 24 '15 at 17:00

3 Answers

2

The reason is, you're calling `mysql_query()` twice.

```php
$result = mysql_query($sql);

$result = mysql_query($sql) or die (" could not save record sorry ");
```

  • Remove one.

Important sidenote:

Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements, they're much safer.


Plus, this `or die (" could not save record sorry ")` doesn't help you.

Use `or die(mysql_error())` to get the real error once that fires up.


Add error reporting to the top of your file(s) which will help find errors, should there be any along the line.

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code
```

Sidenote: Error reporting should only be done in staging, and never production.


Regarding password storage:

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.


Edit: It seems that Q&A has been deleted, no idea why.

- Consult ircmaxell's answer here https://stackoverflow.com/a/29778421/ where he utilizes PDO with prepared statements and password_hash().

Pulled from his answer:

Just use a library. Seriously. They exist for a reason.

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

```php
$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);
```

And on login:

```php
$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
// execute() returns a bool, so the rows are fetched from the statement itself
$stmt->execute([$_POST['username']]);
// FETCH_OBJ so that the ->password property access below works
$users = $stmt->fetchAll(PDO::FETCH_OBJ);
if (isset($users[0])) {
    if (password_verify($_POST['password'], $users[0]->password)) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}
```
Community
Funk Forty Niner
  • Looks like you'll be busy for a while, I'm going to get some coffee. Oh, and the whole plain-text password stuff probably needs to be copy-pasted in as well ;-) – jeroen Apr 24 '15 at 16:45
  • @jeroen oh yeah.... that's next. Enjoy the coffee! – Funk Forty Niner Apr 24 '15 at 16:45
  • @jeroen done. I never take mine "plain" neither, but as an added "specialty". Plus, a cappuccino is so much tastier. – Funk Forty Niner Apr 24 '15 at 16:47
  • *Sidenote about my link in the answer:* I honestly don't know why that Q&A http://stackoverflow.com/q/29777684/ was deleted. I thought it made for a good reference. Only 10k+ members can view it, sorry. – Funk Forty Niner Apr 24 '15 at 16:53
  • @jeroen ah, will you lookah dat! thanks for the update. thought I'd pull the code from his answer though, just in case it disappears again. – Funk Forty Niner Apr 24 '15 at 16:58
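
The points raised in the answer above (one execution, bound parameters, `password_hash()`), applied to the question's `members` table as an added example that is not part of any answer in this thread. It assumes the `pdo_sqlite` extension and an in-memory SQLite database in place of MySQL so it runs offline; the `register()` helper and the UNIQUE constraint on `log_in` are assumptions introduced here.

```php
<?php
// Added example, not from the thread. In-memory SQLite keeps it offline;
// table and column names follow the question's `members` table.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Assumption: log_in is UNIQUE, so a repeated insert is rejected by the
// database instead of creating a second row.
$dbh->exec('CREATE TABLE members (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    com_name TEXT NOT NULL,
    log_in TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)');

// register() is a hypothetical helper; $post stands in for $_POST.
function register(PDO $dbh, array $post): bool
{
    foreach (['com_name', 'log_in', 'password'] as $field) {
        // Reject missing, empty or array-valued fields before querying.
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return false;
        }
    }
    $stmt = $dbh->prepare(
        'INSERT INTO members (com_name, log_in, password) VALUES (?, ?, ?)'
    );
    try {
        // Executed exactly once; values are bound, never concatenated.
        return $stmt->execute([
            $post['com_name'],
            $post['log_in'],
            password_hash($post['password'], PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation (duplicate log_in).
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

// Constructed sample input; the quote in com_name is stored as plain data.
$post = ['com_name' => "O'Brien Games", 'log_in' => 'my', 'password' => 'game'];
var_dump(register($dbh, $post)); // first submit
var_dump(register($dbh, $post)); // same submit replayed
$row = $dbh->query('SELECT COUNT(*) AS n, MAX(password) AS hash FROM members')->fetch(PDO::FETCH_ASSOC);
var_dump($row['n'], password_verify('game', $row['hash']));
```

On MySQL the same pattern applies with a `mysql:` DSN and a UNIQUE index on `log_in`.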
0
```php
$sql = "INSERT INTO members (com_name, log_in, password) VALUES
('$_POST[com_name]','$_POST[log_in]','$_POST[password]')";
$result = mysql_query($sql);

$result = mysql_query($sql) or die (" could not save record sorry ");
```

You're running the SQL Insert twice. Remove one of those and all will be good! :)

laminatefish
0

Looks like you are running the query twice....

```php
$result = mysql_query($sql);

$result = mysql_query($sql) or die (" could not save record sorry ");
```
CargoMeister