php pdo blank page when running script for form

Question

I am trying to complete a registration form for users to register to the site. I was using mysql_* earlier on but got advised that mysqli_* or pdo would be better due to mysql_* being depreciated in PHP7. So, here's my code. Every time I execute this code, I just get a blank page, my 'error' message doesn't appear nor does the 'New record created successfully!' message. I have looked about on the web and cannot find out the problem with this script.

<?php

if (isset($_POST['submit'])){

$servername = "localhost";
$username = "user";
$password = "pass";
$dbname = "db";

$username=$_POST['username'];
$firstname=$_POST['firstname'];
$middlename=$_POST['middlename'];
$surname=$_POST['surname'];
$email=$_POST['email'];
$recovery_email=$_POST['recovery_email'];
$password=$_POST['password'];

        if (!$_POST['username'] || !$_POST['firstname'] || !$_POST['surname'] || !$_POST['email'] || !$_POST['password']) {

            header('Location: http://makeupstudiofix.co.uk/user/register/?error=fields');
            exit();

        } else {

        try {
            $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);

            $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $sql = "INSERT INTO user_logins (username, firstname, middlename, surname, email, recovery-email, password)
            VALUES ('$username', '$firstname', '$middlename', '$surname', '$email', '$recovery_email', '$password')";

            $conn->exec($sql);
            echo "<Script>alert('New record created successfully')</script>";
        }
            catch(PDOException $e)
        {
            echo $sql . "<br>" . $e->getMessage();
        }
            echo 'error';
}
}

$conn = null;

?>

Any help is greatly appreciated.

Answer 1

Do go over my answer in its entirety. There are quite a few things that stand to go haywire here.

---

You're not getting errors because you're not checking for them on the PHP side.

Firstly, you see your recovery-email column?

It contains a hyphen and MySQL is interpreting that as recovery MINUS email, in thinking you want to do math.

Either wrap it in ticks:

(username, firstname, middlename, surname, email, `recovery-email`, password)

or rename it using an underscore recovery_email (unless that was a typo).

You're not seeing the syntax error for it, likely due to the first conditional statement and is never making it in there to start with.

Use error checking during testing:

• http://php.net/manual/en/pdo.error-handling.php

Also consult:

• http://dev.mysql.com/doc/refman/5.7/en/identifier-qualifiers.html

Plus, make sure your form and its elements are not failing you. Your form requires to use a POST method and that all your inputs bear the name attributes for them.

I.e.: <input type="text" name="username"> etc.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

Possible conflict:

However, there may be a conflict in variables here $username, $password where you are using the same variables for your POST arrays and your login credentials.

Another thing is that your code is dependant on this conditional statement:

if (isset($_POST['submit'])){...}

So, that may also be why you're getting a blank screen, and/or you have syntax errors. (Use error reporting for it).

Add an else{ echo "Submit button not set..."; } for it just above $conn = null;.

If it falls into that, then you'll know what to go after; the input probably does not have the submit name attribute for it.

I.e.:

<input type="submit" name="submit" value="SUBMIT">

or that your submit button may be a <button> without the type="submit" type.

That is unknown, since you did not post your HTML form in your question.

---

Footnotes:

Even though you're using PDO, your code is still open to an SQL injection.

Use a prepared statement

• http://php.net/pdo.prepared-statements

---

Passwords

I also noticed that you may be storing passwords in plain text. This is not recommended.

Use one of the following:

• CRYPT_BLOWFISH
• crypt()
• bcrypt()
• scrypt()
• On OPENWALL
• PBKDF2
• PBKDF2 on PHP.net
• PHP 5.5's password_hash() function.
• Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/

Other links:

• PBKDF2 For PHP

---

Final notes:

As Logan pointed out in his answer, using a conditional !empty() is a better method to check for empty fields, however it wouldn't cause the blank screen you're getting.

• http://php.net/manual/en/function.empty.php

Answer 2

You should use something like bindParam() instead of putting the variables straight to your query.

$sql->bindParam(':username', $_POST["username"], PDO::PARAM_STR, 12);

Do it for the other variables to be binded in your query.

And instead of

(!$_POST['username'] || !$_POST['firstname'] || !$_POST['surname'] || !$_POST['email'] || !$_POST['password'])

it should be

(empty($_POST['username']) || empty($_POST['firstname']) || empty($_POST['surname']) || empty($_POST['email']) || empty($_POST['password']))/* DO IT FOR THE REST OF THE VARIABLES */

You should also think of hashing your password. You can try the simple but reliable password_hash().