0

So I've got this code that supposedly sends you an email after you enter a valid one and answer a security question. My problem is the fact that the form won't submit the answer I've given it. It always echoes "submit" at the beginning of the second PHP block. Also, if you can spot any other errors I might have missed, let me know please. Thanks anticipated.

<?php
define ('DB_SERVER','fenrir');
define ('DB_USERNAME','ArchivrTW');
define ('DB_PASSWORD','vPOZOa1txS');
define ('DB_DATABASE','ArchivrTW');
$connection = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
if(!$connection)
{
    die('Could not connect because: ' . mysql_error());
}
?>
<?php
$test = $_POST['email'];
$query = "SELECT 'EMAIL' FROM 'USERS' WHERE 'EMAIL'=$test";
echo(strlen($query));
if(strlen($query) > 42)
{
    $query1 = "SELECT 'SecurityQ' from 'USERS' WHERE 'EMAIL' =$test";
    $query2 = "SELECT 'SecurityA' from 'USERS' WHERE 'EMAIL' =$test";
    $result = mysqli_query($connection,$query);
    $result1 = mysqli_query($connection,$query1);
    $Results = mysqli_fetch_assoc($result);
    $Results1 = mysqli_fetch_assoc($result1);
    $Results2 = mysqli_fetch_assoc($result2);
    echo($Results1);
}
?>
<form action="recover.php" method="post">
    <p>Security Question Answer: <input type="text" name="answer" placeholder="Type your answer here" /> </p>
    <p><input type="submit" name="answer" id="answer" /> </p>
</form>
<?php
$answer=$_POST['answer'];
echo($answer);

if (count($Results) >= 1 && strcmp($_POST['answer'],$Results2) == 0)
{
    $REQ_STATUS = 1;
    $new_passwd = rand(1,1000000);
    $to = $email;
    $subject = "Archivr-Forgot Password";
    $msg = "Use this generated password to log in then change it using the Edit Profile Menu";
    mail($to, $subject, $msg);
}
else
{
    $message="Account not found or wrong security question answer";
}

if($REQ_STATUS == 1)
{
    $update_query="UPDATE USERS set PASSWORD =".$new_passwd." where EMAIL ='". $to ."'";
}
?>
    </body>
</html>

The first block works; the problem is the form or the second block.

user3402719
  • Your SQL queries look broken. Why aren't you selecting all three columns in one query? Why are you using `'STRINGS'` as identifiers, and not `IDENTIFIER` (without single quotes)? Why aren't you escaping data that gets put into an SQL string and makes you vulnerable to injection attacks? – Sven Jun 01 '15 at 19:40
  • First, you should avoid using $test in an SQL select without filtering for invalid input, to avoid SQL injection. Second, wouldn't mysqli_fetch_assoc return an array? So I don't know if the strcmp will work, and it may give you an error. – MiltoxBeyond Jun 01 '15 at 19:43

3 Answers

2
  1. You are vulnerable to SQL injection attacks;

  2. You have duplicate field names:

    <p>Security Question Answer: <input type="text" name="answer" placeholder="Type your answer here" /> </p>
                                                    ^^^^^^^^^^^^^
    <p><input type="submit" name="answer" id="answer" /> </p>
                            ^^^^^^^^^^^^^


Since the field names are the same, the submit button overwrites/replaces the text field, and you end up submitting a blank value.

Marc B
  • Good catch on the duplicate name attributes, Marc. Lordie, I didn't even make it there yet, lol. I'd upvote, but I've no more votes left for today. Mind if I quote you in my answer? – Funk Forty Niner Jun 01 '15 at 19:45
  • I have no more mind today. I used up my Monday quota of thinking juice by around 10am. – Marc B Jun 01 '15 at 19:48
  • Mine kind of went to mush too. That espresso didn't have much effect on me earlier. Guess I'll ask for a double next time. – Funk Forty Niner Jun 01 '15 at 19:49
1

You're using the incorrect identifier qualifiers for all your tables and columns (single quotes), and you're not wrapping the $test variable in quotes; it's a string.

This one for example:

SELECT 'EMAIL' FROM 'USERS' WHERE 'EMAIL'=$test

should read as

SELECT `EMAIL` FROM `USERS` WHERE `EMAIL`='$test'

You may have seen a tutorial somewhere where the ticks resembled regular single quotes. They are not the same; those are two different animals altogether.

You will then need to follow the same method above and do the same for the rest of your queries.

Using this for example:

$result = mysqli_query($connection,$query) or die(mysqli_error($connection));

would have signaled a syntax error.

Then there's this mysql_error() - that should read as mysqli_error($connection). You cannot mix MySQL APIs; they do not intermix with each other.


You also don't seem to be doing anything with:

$update_query="UPDATE USERS set PASSWORD =".$new_passwd." where EMAIL ='". $to ."'";

Whether it's relevant to the question or not, you're not actually executing that query.


Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Error reporting should only be done in staging, and never in production.


Footnotes:

Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements; they're much safer.

  • Plus, since you're using the entire code in one file, you will get warnings to the effect of "Undefined index xxx....", therefore you will need to use a conditional isset() and/or !empty() around your executable code and for the POST arrays.

Passwords:

I'm hoping you're using a modern-day password hashing method, since this looks to me to be related to resetting passwords.

For password storage, use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

Funk Forty Niner
  • Seems there are duplicate name attributes as spotted by Marc B. I didn't even make it that far, as I was busy "writing" all of this up. OP can use our answers. – Funk Forty Niner Jun 01 '15 at 19:48
0

Both your form field and your submit button have a name of "answer". Rename your submit button name to "submit" or something else.

kojow7
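The following is an added example, not code from the question or from any of the answers above. It pulls the answers' points together into one hardened version of the recovery step: one prepared query that fetches EMAIL, SecurityQ and SecurityA together (Sven's comment), backtick identifiers and bound parameters instead of quoting $test by hand, isset() guards on the POST indexes, a password_hash()'d temporary password that is actually written with an executed UPDATE (Funk Forty Niner's answer), and a parse_str() demonstration of why two fields named "answer" leave you with the last, blank value (Marc B's and kojow7's answers). The table and column names come from the question; the SQLite in-memory database, the sample user row, the $sendMail callable that stands in for mail(), and the choice to store the security answer as a hash rather than plain text are assumptions of this example so that it runs offline with the php CLI and no MySQL server.

```php
<?php
// Added example (not the OP's code): hardened recovery step using PDO prepared
// statements. USERS/EMAIL/SecurityQ/SecurityA/PASSWORD come from the question;
// the SQLite in-memory DB, the sample row and the $sendMail callback are
// constructed here so the script runs offline without a MySQL server.
declare(strict_types=1);

// Builds a throwaway database holding one constructed user row.
function build_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE USERS (EMAIL TEXT PRIMARY KEY, SecurityQ TEXT, SecurityA TEXT, PASSWORD TEXT)');
    $stmt = $db->prepare('INSERT INTO USERS (EMAIL, SecurityQ, SecurityA, PASSWORD) VALUES (?, ?, ?, ?)');
    // Constructed sample data; the security answer is stored hashed (a choice of this example).
    $stmt->execute([
        'alice@example.invalid',
        'First pet?',
        password_hash('Rex', PASSWORD_DEFAULT),
        password_hash('old-password', PASSWORD_DEFAULT),
    ]);
    return $db;
}

/**
 * Handles the "answer the security question" step.
 * Returns ['status' => bool, 'message' => string].
 * $sendMail is a callable (string $to, string $subject, string $body): void
 * standing in for PHP's mail(), so the example needs no MTA.
 */
function handle_recovery(PDO $db, array $post, callable $sendMail): array
{
    // Guard every POST index with isset() to avoid "Undefined index" notices.
    $email   = isset($post['email'])  ? trim((string) $post['email']) : '';
    $answer  = isset($post['answer']) ? (string) $post['answer']      : '';
    $generic = 'Account not found or wrong security question answer';

    if ($email === '' || $answer === '') {
        return ['status' => false, 'message' => $generic];
    }

    // One query fetches all three columns; the e-mail is a bound parameter,
    // so user input is never spliced into the SQL string.
    $stmt = $db->prepare('SELECT `EMAIL`, `SecurityQ`, `SecurityA` FROM `USERS` WHERE `EMAIL` = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns an array (or false), so compare the column, not the row.
    if ($row === false || !password_verify($answer, $row['SecurityA'])) {
        return ['status' => false, 'message' => $generic];
    }

    // Random temporary password, stored only as a hash, and the UPDATE is actually executed.
    $newPassword = bin2hex(random_bytes(8));
    $update = $db->prepare('UPDATE `USERS` SET `PASSWORD` = :hash WHERE `EMAIL` = :email');
    $update->execute([
        ':hash'  => password_hash($newPassword, PASSWORD_DEFAULT),
        ':email' => $row['EMAIL'],
    ]);

    $sendMail($row['EMAIL'], 'Archivr-Forgot Password',
        "Use this generated password to log in then change it using the Edit Profile Menu: $newPassword");

    return ['status' => true, 'message' => 'A temporary password has been e-mailed to you'];
}

// Shows the duplicate-name problem: PHP keeps the LAST value for a repeated
// field name, so a submit button named "answer" with no value wipes the typed answer.
function demo_duplicate_names(): array
{
    parse_str('answer=Rex&answer=', $out);   // constructed request body
    return $out;                              // ['answer' => '']
}

// Demo run (CLI): a correct attempt, then an attempt with a quote in the e-mail.
$db   = build_demo_db();
$sent = [];
$capture = function (string $to, string $subject, string $body) use (&$sent): void {
    $sent[] = [$to, $subject, $body];
};

$ok  = handle_recovery($db, ['email' => 'alice@example.invalid', 'answer' => 'Rex'], $capture);
$bad = handle_recovery($db, ['email' => "o'brien@example.invalid", 'answer' => 'Rex'], $capture);
printf("good attempt: %s / %s\n", var_export($ok['status'], true), $ok['message']);
printf("quoted e-mail: %s / %s\n", var_export($bad['status'], true), $bad['message']);
printf("mails sent: %d\n", count($sent));
var_dump(demo_duplicate_names());
```

The form that posts to this code needs distinct names, e.g. `name="answer"` on the text box and `name="submit"` on the button, exactly as kojow7 says; otherwise `$post['answer']` arrives empty and the generic failure message is returned. The same failure message is used for "no such account" and "wrong answer" on purpose, so the page does not reveal which e-mail addresses exist.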