-1

I'm not too great with PHP/MySQL, so excuse my ignorance. I have a login form on my website, and I have created a form for creating an account. Visually everything is fine; however, I need the data to be sent to my customer account table in MySQL. When I submit the form, it seems to work, creating the ID 1, but all other fields are blank.

PHP:

<?php

$hostname="localhost";
$username="createaccount";
$password="******";
$dbname="Island_Web_Design";
$usertable="customer_accounts";
$connection = mysql_connect($hostname, $username, $password);
mysql_select_db($dbname, $connection);

// The form values are interpolated directly into the SQL text
$sql="INSERT INTO customer_accounts (firstname, lastname, email, password)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[email]','$_POST[password]')";

if (!mysql_query($sql,$connection))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";

// Close the connection opened above
mysql_close($connection);

?>

HTML:

<form role="form" action="Create_Account.php">
    <div class="row">
        <div class="col-xs-6 col-sm-6 col-md-6">
            <div class="form-group">
                <input type="text" name="firstname" id="firstname" class="form-control input-sm floatlabel createinput" placeholder="First Name">
            </div>
        </div>
        <div class="col-xs-6 col-sm-6 col-md-6">
            <div class="form-group">
                <input type="text" name="lastname" id="last_name" class="form-control input-sm createinput" placeholder="Last Name">
            </div>
        </div>
    </div>
    <div class="form-group">
        <input type="email" name="email" id="email" class="form-control input-sm createinput" placeholder="Email Address">
    </div>
    <div class="row">
        <div class="col-xs-6 col-sm-6 col-md-6">
            <div class="form-group">
                <input type="password" name="password" id="password" class="form-control input-sm createinput" placeholder="Password">
            </div>
        </div>
        <div class="col-xs-6 col-sm-6 col-md-6">
            <div class="form-group">
                <input type="password" name="password_confirmation" id="password_confirmation" class="form-control input-sm createinput" placeholder="Confirm Password">
            </div>
        </div>
    </div>
    <input type="submit" name="submit" value="Create Account" class="btn btn-primary btn-block register">
</form>

Thank you in advance.

JoeyG
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jan 08 '16 at 21:45
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 08 '16 at 21:45
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 08 '16 at 21:46
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Jan 08 '16 at 21:46
  • Do yourself a favor, simply place a `print_r($_POST)` or `var_dump($_POST)` in the PHP page which receives the form submission. Fill out your form, submit and look closely at the data that gets printed to the screen. Familiarize yourself with how form data is posted to scripts, including what gets passed and what doesn't. – Jay Blanchard Jan 08 '16 at 21:47
  • If you are new, learn to use mysqli or PDO! – Adam Buchanan Smith Jan 08 '16 at 21:47
  • I get that you are not happy with my code, I picked it up off the net; if you would kindly advise (in full) how I should go about it. This was my question. Thanks – JoeyG Jan 08 '16 at 21:49
  • The default method for forms is GET, not POST. All of your variables would be available in the `$_GET` array. As for coding something better there are tons of links in the comments which will help you. – Jay Blanchard Jan 08 '16 at 21:51
  • As far as I know I'm using MySQLi, it's with GoDaddy cPanel – JoeyG Jan 08 '16 at 21:55
  • You're using the `mysql_*` functions, not `mysqli_*` – Jay Blanchard Jan 08 '16 at 21:59
  • Well today it wasn't working, and I called GoDaddy and they switched the MySQLi function on, so I'm assuming that I'm using that? Also, this is the code I got from GoDaddy.... as far as I would assume, they are correct. – JoeyG Jan 08 '16 at 22:12
  • To fix your code add `method="post"` to your form tag as @Jeeves said below. GoDaddy enabled MySQLi for you, but you actually have to use the MySQLi functions in order to invoke it. – Jay Blanchard Jan 08 '16 at 22:14
  • Thanks @jay, where can I find these functions? How come it still works without? – JoeyG Jan 08 '16 at 22:17
  • MySQLi functions are prefixed with `mysqli_`. You can find more [here](http://php.net/manual/en/book.mysqli.php). – Jay Blanchard Jan 08 '16 at 22:18
  • The reason that it still works is because GoDaddy has not upgraded PHP to the point where deprecation of the functions are met. When they do, if you're not using MySQLi or PDO, all of your database interactions will fail. – Jay Blanchard Jan 08 '16 at 22:25
  • @jay, I did notice when looking around there is a "version" drop-down, I didn't want to touch it though in case I broke it. – JoeyG Jan 08 '16 at 22:29
  • I feel your pain @JoeyG – Jay Blanchard Jan 08 '16 at 22:31
  • So from my code above, what could I implement to make it safer? – JoeyG Jan 08 '16 at 22:32

2 Answers

2

For starters you should stop using mysql_* functions for new code. They have been removed from the language in the latest version (7). Instead upgrade to either mysqli or PDO:

Why shouldn't I use mysql_* functions in PHP?

Secondly you should prevent the SQL injection holes you have in your code:

How can I prevent SQL-injection in PHP?

Thirdly you should hash your passwords to prevent them from leaking when you have, for example, a security hole in your application.

password_hash()

Finally to get to your question: if you don't tell your form to POST it will make a GET request instead. Change your form to <form role="form" action="Create_Account.php" method="post">.

You can and should debug your code yourself for issues like these. The simplest form would be to use var_dump(); on your variables to see whether they contain what you think they contain. And you can also inspect the requests being made by opening the developer tools of your favorite browser.

Your code could / should be rewritten as:

<?php

$dbConnection = new PDO('mysql:dbname=Island_Web_Design;host=localhost;charset=utf8', 'createaccount', '******');

// Use real server-side prepared statements and throw on any database error
$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

try {
    // Named placeholders keep the form values out of the SQL text entirely
    $stmt = $dbConnection->prepare('INSERT INTO customer_accounts (firstname, lastname, email, password) VALUES (:firstname, :lastname, :email, :password)');

    $stmt->execute([
        'firstname' => $_POST['firstname'],
        'lastname'  => $_POST['lastname'],
        'email'     => $_POST['email'],
        // Store a salted bcrypt hash, never the plain password
        'password'  => password_hash($_POST['password'], PASSWORD_DEFAULT, ['cost' => 14]),
    ]);
} catch (\PDOException $e) {
    die('Error: ' . $e->getMessage());
}

echo "1 record added";
Jeeves
  • Thank you for your answer, ideally I'd like to see it visually. Can someone put something together so that I can understand the difference? – JoeyG Jan 08 '16 at 21:56
  • Yeah. OP should be able to read the entire answer, because everything on top is actually more important. Also you are overwriting my changes. – Jeeves Jan 08 '16 at 21:59
  • @JoeyG I tried to add an image, but as a new user I am not allowed to add more links. – PeeHaa Jan 08 '16 at 22:05
  • Where do I put this password_hash segment? @jeeves – JoeyG Jan 08 '16 at 22:16
  • Let me write up an example. – Jeeves Jan 08 '16 at 22:18
  • I have updated my answer based on the information and suggestions in my post. To verify the password supplied by the user later on log in see http://php.net/manual/en/function.password-verify.php for more information. – Jeeves Jan 08 '16 at 22:27
  • @jeeves, I get a server error. I'm assuming it's because of the PDO bit? – JoeyG Jan 08 '16 at 22:40
  • Check your error log. Also what PHP version are you on? – Jeeves Jan 08 '16 at 22:46
  • PHP version 5.4, but it will only let me go to 5.5. PDO is ticked but there are lots of variations that are not ticked. – JoeyG Jan 08 '16 at 22:51
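Pulling together the points made in this answer and its comments (PDO prepared statements, `password_hash()`, `password_verify()` for the later login, and accepting only POST submissions), here is an added example of a complete registration handler together with the matching login check. It is my code, not Jeeves's answer and not the GoDaddy template the question's script came from. It assumes the question's database, user and table names, that `customer_accounts` has an auto-increment `id` column and a UNIQUE index on `email`, that the `password` column is VARCHAR(255) so a bcrypt hash fits, and PHP 5.5 or later. The duplicate-email check on SQLSTATE `23000`, the constant-time dummy hash in `verifyLogin()` and logging database errors instead of printing them are my additions, not something the answer describes. The question's form, with `method="post"` added, would post to this file as `Create_Account.php`.

```php
<?php
// Added example (assumes PHP >= 5.5, PDO MySQL driver, UNIQUE index on email, `id` column).

function connectDb()
{
    // Same DSN and credentials as the answer; the password is a placeholder.
    $db = new PDO('mysql:dbname=Island_Web_Design;host=localhost;charset=utf8',
                  'createaccount', '******');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real server-side prepares
    return $db;
}

// Returns a list of problems with the posted form; an empty list means it is usable.
function validateRegistration(array $post)
{
    $errors = [];
    foreach (['firstname', 'lastname', 'email', 'password', 'password_confirmation'] as $f) {
        // A GET submission leaves every one of these unset, which is the question's symptom.
        if (!isset($post[$f]) || trim($post[$f]) === '') { $errors[] = "Missing field: $f"; }
    }
    if ($errors) { return $errors; }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address';
    }
    if (strlen($post['password']) < 8) {
        $errors[] = 'Password must be at least 8 characters';
    }
    if ($post['password'] !== $post['password_confirmation']) {
        $errors[] = 'Passwords do not match';
    }
    return $errors;
}

// Inserts the account; true on success, false when the email is already taken.
function createAccount(PDO $db, array $post)
{
    $stmt = $db->prepare('INSERT INTO customer_accounts (firstname, lastname, email, password)
                          VALUES (:firstname, :lastname, :email, :password)');
    try {
        $stmt->execute([
            'firstname' => trim($post['firstname']),
            'lastname'  => trim($post['lastname']),
            'email'     => strtolower(trim($post['email'])),
            // Only the salted bcrypt hash is stored, never the password itself.
            'password'  => password_hash($post['password'], PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {   // integrity constraint: duplicate email
            return false;
        }
        throw $e;                                    // anything else is a real failure
    }
    return true;
}

// Login check: returns the account id, or null for an unknown email or a wrong password.
// Both failures cost one bcrypt verification, so timing does not reveal registered emails.
function verifyLogin(PDO $db, $email, $password)
{
    $stmt = $db->prepare('SELECT id, password FROM customer_accounts WHERE email = :email');
    $stmt->execute(['email' => strtolower(trim($email))]);
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $hash = $row ? $row['password'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {   // upgrade older hashes on login
        $upd = $db->prepare('UPDATE customer_accounts SET password = :password WHERE id = :id');
        $upd->execute(['password' => password_hash($password, PASSWORD_DEFAULT), 'id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Create_Account.php entry point: the form must now declare method="post".
if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Please submit the registration form');
    }
    $errors = validateRegistration($_POST);
    if ($errors) {
        http_response_code(400);
        exit(implode('<br>', array_map('htmlspecialchars', $errors)));
    }
    try {
        echo createAccount(connectDb(), $_POST) ? '1 record added' : 'That email address is already registered';
    } catch (PDOException $e) {
        error_log('Create_Account failed: ' . $e->getMessage());   // details stay server-side
        http_response_code(500);
        echo 'Could not create the account right now';
    }
}
```

The login form would call `verifyLogin()` with the posted email and password and start a session on a non-null result. Note that neither function ever builds SQL from user input: the PDO placeholders are what close the injection hole, independently of whether the data arrived by GET or POST.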
-3

Please never do this:

('$_POST[firstname]','$_POST[lastname]','$_POST[email]','$_POST[password]')

read this: Is SQL Injection possible with POST?

Fix: add method="post" inside the form tag, thanks @jay

Moon
  • This has been covered in comments and is not an answer to the question. – Jay Blanchard Jan 08 '16 at 21:47
  • I just started on Stack Overflow, I can't comment. – Moon Jan 08 '16 at 21:51
  • [It's not hard to earn enough rep to make comments.](http://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead) – Jay Blanchard Jan 08 '16 at 21:53
  • @jay ok, so show me an example of what you would do in this case, with my coding above? That would help a lot. Thanks – JoeyG Jan 08 '16 at 22:04
  • @jay this is why I just put a link... – Moon Jan 08 '16 at 22:08
  • Link only answers are considered *bad*, especially when they do not actually answer the question. – Jay Blanchard Jan 08 '16 at 22:10
  • I am reading your links; like I stated at the beginning, I have limited knowledge, so everything I'm reading is foreign to me. I guess I will search and find somehow. Thanks anyway. – JoeyG Jan 08 '16 at 22:11
  • To fix your code add `method="post"` to your form tag @JoeyG as Jeeves said above. – Jay Blanchard Jan 08 '16 at 22:12
  • Thank you @jay, this works now. I will take a look at the links you posted to get a better understanding, but for now this is working. – JoeyG Jan 08 '16 at 22:15
  • And to be perfectly clear @JoeyG, I apologize if you were under the impression I was belittling anyone. It is always my goal to be positive and to teach. Comments may seem terse and straightforward, but they are meant to do only one thing....teach. ¯\_(ツ)_/¯ – Jay Blanchard Jan 08 '16 at 22:17
  • You may not get that on SO every time @JoeyG. This is more like a "teach a man to fish" kind of place and rarely will you get a truckload of code written for a problem. – Jay Blanchard Jan 08 '16 at 22:21