I am having trouble with "INSERT INTO" with MySQL. I am trying to make a userData table where users can enter a new username and password and then it will confirm that their user has been added to the database. Currently this is only a demo, so it doesn't matter if there are duplicate users and such. Here is the code that I have now.

```php
<? include("header.php"); ?>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> 
  <!-- Username input -->
  <p><label for="txtusername" class="text-center">Username:</label> 
  <br><input type="text" title="Enter your new username" name="txtPassword" /></p> 

  <!-- Password input -->
  <p><label for="txtpassword" class="text-center">Password:</label> 
  <br><input type="password" title="Enter your password" name="txtPassword" /></p> 

  <!-- Password confirmation -->
  <p><label for="txtpasswordconfirm" class="text-center">Confirm Password:</label> 
  <br><input type="password" title="Confirm your password" name="txtPassword" /></p> 

  <p><input type="submit" name="Submit" value="Submit" /></p> 

</form> 
<?
//Connect to the user content database
$con = mysql_connect("localhost","my_username","my_password") or die(mysql_error());
mysql_select_db("userData") or die(mysql_error());

// Define a variable for the user input
$input_username = $_POST['txtpassword'];
$input_password = hash("md5", $_POST['txtusername']);
$input_password_confirm = hash("md5", $_POST['txtpasswordconfirm']);

echo "Input username: " . $input_username . "<br>";
echo "Input password hash: " . $input_password;
echo "Input password confirmation hash: " . $input_password_confirm;
echo "Are the hashes equal: " . hash_equals($input_password, $input_password_confirm);
if($input_password == $input_password_confirm) {
    $sql = "INSERT INTO nickpalm_userData (username, passwordHash)
    VALUES 
    ('$input_username', '$input_password')";

    //Attempt to create a new user and show a success message
    if(mysql_query($sql)) {
        echo "<script type=\"text/javascript\">alert('Thank you! Your data has been submitted');</script>";
    }
    //If there is an error creating the user, then show an error
    else {
        echo "ERROR: " . $user_query . "<br>" . mysql_error($con);
    }
}
?>
```

When I go to the webpage and try this, there is no message that the user has been added to the database as I intended, and it simply refreshes the page when I click the submit button. Is there something wrong with my form or is it simply my lack of experience with MySQL? Here is the link to the page: http://nick-palmer-design.com/projects/CTF/newuser.php

Nick P
  • You need to consider using [password_hash](http://php.net/manual/en/function.password-hash.php) instead of MD5, as the latter is NOT secure. Also [mysql_ functions are deprecated](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) and your script is [open to SQL injection](http://bobby-tables.com/) – Machavity May 05 '15 at 16:41
  • Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and consider using [PDO](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 05 '15 at 16:44
  • I believe these 2 lines are wrong `$input_username = $_POST['txtpassword']; $input_password = hash("md5", $_POST['txtusername']);` you are setting the posted password to the user name, and hashing the posted username as the password, which will cause this - `if($input_password == $input_password_confirm)` to be false – Sean May 05 '15 at 16:46
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard May 05 '15 at 16:46
  • Sean, thanks for the feedback! Any ideas on how I can remedy this? Also, people keep saying that MySQL is depreciated. How can I implement something better? – Nick P May 05 '15 at 21:51

1 Answer

Unless I missed something, this should be your exact code converted to MySQLi - and it should work as well.

```php
  <!-- The username and password inputs above this point must be named
       txtusername and txtpassword to match the $_POST keys read below -->
  <p><label for="txtpasswordconfirm" class="text-center">Confirm Password:</label> 
  <br><input type="password" title="Confirm your password" name="txtpasswordconfirm" id="txtpasswordconfirm" /></p> 

  <p><input type="submit" name="Submit" value="Submit" /></p> 

</form> 
<?php
// Only process the form after it has been submitted
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    //Connect to the user content database
    $con = mysqli_connect("localhost", "my_username", "my_password", "userData") or die("Error " . mysqli_connect_error());

    // Define variables for the user input (each key must match its input's name attribute)
    $raw_username = $_POST['txtusername'] ?? '';
    $raw_password = $_POST['txtpassword'] ?? '';
    $raw_password_confirm = $_POST['txtpasswordconfirm'] ?? '';
    $input_username = mysqli_real_escape_string($con, $raw_username);
    $passwords_match = ($raw_password === $raw_password_confirm);

    // Escape the username before echoing it back into the page
    echo "Input username: " . htmlspecialchars($raw_username) . "<br>";
    echo "Do the passwords match: " . ($passwords_match ? "yes" : "no") . "<br>";

    // Compare the submitted passwords, not their hashes: password_hash() salts
    // every call, so two hashes of the same password never compare equal
    if ($passwords_match) {
        $input_password = password_hash($raw_password, PASSWORD_DEFAULT);
        $sql = "INSERT INTO `userData` (`username`, `passwordHash`) VALUES ('$input_username', '$input_password')";

        //Attempt to create a new user and show a success message
        if (mysqli_query($con, $sql)) {
            echo "<script type=\"text/javascript\">alert('Thank you! Your data has been submitted');</script>";
        }
        //If there is an error creating the user, then show an error
        else {
            echo "ERROR: " . htmlspecialchars($sql) . "<br>" . mysqli_error($con);
        }
    }
}
?>
```
GrumpyCrouton
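
The comments on the question recommend prepared statements, PDO and `password_hash`; the following is an added example (not code from the question or the answer) of the registration step written that way. It assumes an in-memory SQLite database in place of MySQL so it runs without a server, and `open_demo_db`, `register_user` and `check_login` are hypothetical names.

```php
<?php
// Added example, not code from the question or the answer.
// Assumption: an in-memory SQLite database (pdo_sqlite) stands in for MySQL;
// for MySQL only the DSN and credentials passed to new PDO() change.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE userData (username TEXT NOT NULL, passwordHash TEXT NOT NULL)');
    return $db;
}

// Hypothetical helper: true if the row was inserted, false if the passwords differ.
function register_user(PDO $db, string $username, string $password, string $confirm): bool {
    // Compare the submitted passwords themselves; two password_hash() results
    // for the same password differ because each call uses a fresh salt.
    if ($password === '' || !hash_equals($password, $confirm)) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO userData (username, passwordHash) VALUES (?, ?)');
    return $stmt->execute([$username, $hash]);
}

// Hypothetical helper: look up the stored hash and verify a login attempt.
function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT passwordHash FROM userData WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$db = open_demo_db();

// Constructed sample input: the first username contains a quote, which an
// INSERT built by string interpolation would have to escape correctly.
var_dump(register_user($db, "O'Brien", 'correct horse', 'correct horse'));
var_dump(register_user($db, 'nick', 'abc123', 'abc124'));   // mismatched confirmation
var_dump(check_login($db, "O'Brien", 'correct horse'));
var_dump(check_login($db, "O'Brien", 'wrong'));
// Two hashes of the same password compared directly, as the original script did.
var_dump(password_hash('x', PASSWORD_DEFAULT) === password_hash('x', PASSWORD_DEFAULT));
```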