1

I'm trying to create a form for admin registration. The code works correctly but more than one admin can register for this page. How can I make it so that only one admin can register?

<html >
<head>
<title></title>
</head>
<body>
<?php
print ("<form action='admin.php' method='post'>
    <p>Name
        <input type='text' name='firstname'  />
    </p>
    <p>Surname
        <input type='text' name='lastname' />
    </p>
    <p>Username
        <input type='text' name='username' />
    </p>
    <p>Password
        <input type='password' name='password' />
        </p>
        <p>Email <input type='text' name='email'/>  </p>
      

      
    
  <input type='submit'  value='Register'/>  
</form>

        ");



if( !($database=mysql_connect("localhost","root",""))||!(mysql_select_db("st_login",$database))  )
   print("Could not connect");

if(isset($_POST['firstname'] )&&isset($_POST['lastname'])&&isset($_POST['username'])&&isset($_POST['password'])
  /*&&isset($_POST['notat'])&&isset($_POST['lendet'])*/&&isset($_POST['email'])){
$firstname=$_POST['firstname'];
$lastname=$_POST['lastname'];
$username=$_POST['username'];
$password=md5($_POST['password']);
$email=$_POST['email'];
/*
$notat=$_POST['notat'];
$lendet=$_POST['lendet'];
*/

$query = "INSERT INTO  login (firstname, lastname, username,password,email,admin) VALUES ('$firstname', '$lastname',
 '$username','$password','$email',1)";
}
if ( !empty($firstname)&&!empty($lastname)&&!empty($username) &&!empty($password)&&!empty($email))
{
  if(!($result=mysql_query($query,$database)))
{
    print("Could not execute query");
    die (mysql_error());//ose error
}
echo "YOU HAVE BEEN REGISTERED SUCCESSFULLY!You are the admin of this page";

}
else echo 'Fill in all the blank fields';
mysql_close($database);
?>

</body>
</html>
Here is my database
SidOfc
Doggy
  • 2
    Well, you're not checking to see if there are any admins in the db before adding one. Btw... Don't use deprecated `mysql_*` functions and your query is wide open for SQL injections. – M. Eriksson Jan 17 '16 at 09:22
  • 1
    Check if a record is there with `admin = 1` or not. Use `SELECT` statement for that. – Rajdeep Paul Jan 17 '16 at 09:22
  • 1
    Btw. Why are you printing the form through PHP instead of having it in the HTML-markup? – M. Eriksson Jan 17 '16 at 09:23
  • 2
    I forgot... using `md5()` for password hashing is really insecure. You should use something like sha256 with a proper salt (don't roll your own. Use `password_hash()` if you're on PHP 5.5+ or use some other "official" package if you're not) – M. Eriksson Jan 17 '16 at 09:30

1 Answer

1

Add a check when inputting user data to the form. Check whether there are any rows where the field admin is set to 1 (or whatever you use).
Sample code for that:

$result = mysql_query("SELECT firstname FROM mytable WHERE admin=1");
if(mysql_num_rows($result)== 0) {
     //check if the post variables are set and input the values to the table
} else {
     // Admin already exist      
}

As mentioned in the comments, you should stop using mysql_ and use mysqli_ or PDO with prepared statements instead. An example is given below. Keep in mind that you cannot mix APIs, so your entire code will have to be converted from one to the other.

$mysqli = new mysqli("host", "user", "password", "database");

$result = $mysqli->query("SELECT firstname FROM mytable WHERE admin=1");
if ($result->num_rows == 0) {
     //check if the post variables are set and input the values to the table
} else {
     // Admin already exist      
}

Reference

Community
toing_toing
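The check from the answer combined with the points raised in the comments (bound parameters instead of string-built SQL, `password_hash()` instead of `md5()`), as an added example that is not part of the original answer. It reuses the `login` table, its columns and the connection values from the question; `register_first_admin` is a hypothetical name, and PHP 7+ with mysqli is assumed.

```php
<?php
// Added example: table/column names and connection values come from the
// question; register_first_admin() is a hypothetical helper name.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Returns true if the admin row was inserted, false if an admin already exists.
function register_first_admin(mysqli $db, array $in): bool
{
    foreach (['firstname', 'lastname', 'username', 'password', 'email'] as $f) {
        if (!isset($in[$f]) || !is_string($in[$f]) || trim($in[$f]) === '') {
            throw new InvalidArgumentException("Missing field: $f");
        }
    }
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }

    // Salted, deliberately slow hash instead of md5(). The password column
    // must be wide enough for the result (VARCHAR(255) is a safe choice).
    $hash = password_hash($in['password'], PASSWORD_DEFAULT);

    // The "is there an admin already?" check is part of the INSERT itself,
    // and every value is bound as a parameter, so user input never becomes
    // part of the SQL text.
    $sql = "INSERT INTO login (firstname, lastname, username, password, email, admin)
            SELECT ?, ?, ?, ?, ?, 1 FROM DUAL
            WHERE NOT EXISTS (SELECT 1 FROM login WHERE admin = 1)";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('sssss', $in['firstname'], $in['lastname'],
                      $in['username'], $hash, $in['email']);
    $stmt->execute();
    $inserted = ($stmt->affected_rows === 1); // 0 rows: an admin was already there
    $stmt->close();
    return $inserted;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new mysqli('localhost', 'root', '', 'st_login');
    try {
        echo register_first_admin($db, $_POST)
            ? 'You have been registered as the admin of this page.'
            : 'An admin is already registered.';
    } catch (InvalidArgumentException $e) {
        echo 'Fill in all the blank fields.';
    }
    $db->close();
}
```

At login, check the stored hash with `password_verify()` rather than comparing strings.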