
I'm following Rob Percival's 'The Complete Web Developer Course' and I'm stuck on lecture 206, where you create a form asking for an email and passwords, and it inserts it into a MySQL database. The instructor corrects some of the code 'off camera', so I can't double check my code.
When I press submit to my form, it appears successful, but nothing is added to my database. I have checked with other users and they have the same query written, and I have also included a check to see that the connection to the database was successful.

```php
$link = mysqli_connect("localhost", "cl22-megadb", "xGKCe.bcB", "cl22-megadb");
if (mysqli_connect_error()) {
  die("Could not connect");
}
$query = "SELECT * FROM users WHERE email='".mysqli_real_escape_string($link, $_POST['email'])."'";
        $result = mysqli_query($link, $query);
        $results = mysqli_num_rows($result);
        if ($results) echo "That email adress is already registered. Do you want to login?";
        else {
            $query = "INSERT INTO 'users' (`email`, `password`) VALUES('".mysqli_real_escape_string($link, $_POST['email'])."','".md5(md5($_POST['email']).$_POST['password'])."')";
            mysqli_query($link, $query);
            echo "You've been signed up!";
        }
    }
}

?>

<form method="post">
  <input type="email" name="email" id="email" />
  <input type="password" name="password" id="password" />
  <input type="submit" name="submit" value="Sign Up" />
</form>
```

Is there a MySQL log or something else I can check in order to investigate what actually happens to my MySQL insertion attempt?

isaiki
  • You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 22 '16 at 20:15
  • You'll also want to learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 22 '16 at 20:16
  • Add error checking, such as `or die(mysqli_error($link))` to your queries. Or you can find the issues in your current error logs. – Jay Blanchard Jan 22 '16 at 20:16
  • Wrong quotes on `'users'`, since it is a table, not a string. Those should be backticks. You also are SQL injectable by concatenating the password to the end of the hash and that defeats the hash's purpose. – chris85 Jan 22 '16 at 20:17
  • Echo your queries and see what you have and paste them manually. Also, http://dba.stackexchange.com/questions/62129/how-to-log-all-mysql-queries-into-log-file – johnny Jan 22 '16 at 20:19
  • Suggestion: replace the check **if($results)** with **if($results != 0)** @isaiki, and you should add more error checks in your code – Asif Mehmood Jan 22 '16 at 20:20

1 Answer

You are using single quotes on the table name; it should be backticks or nothing.

```php
$query = "INSERT INTO 'users' ...
```

Should be:

```php
$query = "INSERT INTO `users` ...
```

devpro
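
The recommendations from the comments combined in one place (error reporting that makes a rejected query visible, a prepared statement, and `password_hash()`), as an added example that is not part of the original question, answer or course code. It assumes a UNIQUE index on `users.email` and a `password` column of `VARCHAR(255)`; `register_user()` is a hypothetical helper and `DB_USER`, `DB_PASS` and `DB_NAME` are placeholders.

```php
<?php
// Added example; DB_USER, DB_PASS, DB_NAME and register_user() are placeholders.
// Assumes users.email has a UNIQUE index and users.password is VARCHAR(255).

// Make mysqli throw on errors, so a rejected query cannot fail silently
// the way an unchecked mysqli_query() call does.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const ER_DUP_ENTRY = 1062; // MySQL error number for a unique-key violation

function register_user(mysqli $db, $email, $password): string
{
    if (!is_string($email) || !is_string($password) || $password === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }
    // Salted, deliberately slow hash; check it at login with password_verify().
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep request data out of the SQL text.
    $stmt = $db->prepare('INSERT INTO `users` (`email`, `password`) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $hash);
    try {
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === ER_DUP_ENTRY) {
            return 'exists'; // the UNIQUE index replaces the SELECT pre-check
        }
        throw $e; // any other failure is a real fault; let it be logged
    } finally {
        $stmt->close();
    }
    return 'created';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
    $db->set_charset('utf8mb4');
    $messages = [
        'created' => "You've been signed up!",
        'exists'  => 'That email address is already registered.',
        'invalid' => 'Please enter a valid email address and a password.',
    ];
    echo $messages[register_user($db, $_POST['email'] ?? null, $_POST['password'] ?? null)];
}
```

With exception mode on, the single-quoted table name from the question would raise a `mysqli_sql_exception` carrying the server's syntax error instead of printing the success message.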