-1

I am trying to store registration data into a database, but something I cannot quite understand keeps happening: the line below, which is in my register.php form, is printed out first before the HTML loads.

query($sql) === TRUE) { echo "New record created successfully"; } else { echo "Error: " . $sql . " " . $dbcon->error; } $dbcon->close(); } } ?>

Here is my code and I also would like to check if the email being used is registered, which in that case one should get an error saying 'Email is already registered'

Here is my PHP Code:

<?php
session_start();
if(isset($_SESSION['user'])!="")
{
    header("Location: index.php");
}

include_once 'dbconnect.php';

if(isset($_POST['signup']))
{
    //performing verification
    $upass = $_POST['upass'];
    $pass2 = $_POST['pass2'];

    if ($upass == $pass2){

            $fullName=mysqli_escape_string($_POST['fullName']);
            $tphon=mysqli_escape_string($_POST['telephone']);
            $email=mysqli_escape_string($_POST['email']);
            $role=mysqli_escape_string($_POST['role']);
            $upass=mysqli_escape_string($upass);
            $pass2=mysqli_escape_string($pass2);

            $upass = crypt($upass);

            $sql = "INSERT INTO users (fullname, telephone, email, role, pass)
            VALUES ('$fullName', '$tphon', '$email', '$role', '$upass')";

            if ($dbcon->query($sql) === TRUE) {
                echo "New record created successfully";
            } else {
                echo "Error: " . $sql . "<br>" . $dbcon->error;
            }

            $dbcon->close();

        }
 }   
?>

and here is my HTML form:

    <form id="wizardForm" action="register.php" method="POST">
   <div class="row m-b-lg">
      <div class="col-md-4 center">
         <div class="login-box">
            <a href="register.php" class="logo-name text-lg text-center">Timewise</a>
            <p class="text-center m-t-md">Enter the following Details to Register</p>
         </div>
         <div class="form-group col-md-12">
            <label for="exampleInputName">Full Name</label>
            <input type="text" class="form-control" name="fullName" id="exampleInputName" placeholder="Full Name">
         </div>
         <div class="form-group  col-md-12">
            <label for="telephone">Telephone</label>
            <input type="text" class="form-control" name="telephone" id="telephone" placeholder="Telephone" >
         </div>
         <div class="form-group col-md-12">
            <label for="exampleInputEmail">Email Address</label>
            <input type="email" class="form-control" name="email" id="exampleInputEmail" placeholder="Enter email" >
         </div>
         <div class="form-group col-md-12">
            <label for="role">Role</label>
            <input type="radio" name="role" value="N" /> NORMAL <input type="radio" name="role" value="C" /> COMPANY <br/>
         </div>
         <div class="form-group col-md-12">
            <label for="exampleInputPassword1">Password</label>
            <input type="password" class="form-control" name="upass" id="exampleInputPassword1" placeholder="Password" >
         </div>
         <div class="form-group col-md-12">
            <label for="exampleInputPassword2">Confirm Password</label>
            <input type="password" class="form-control" name="pass2" id="exampleInputPassword2" placeholder="Confirm Password">
         </div>
         <div class="form-group col-md-12">
            <input type="submit"  name="signup" value="Submit" class="btn btn-success btn-block">
         </div>
         <p class="no-s text-center">2015 &copy; Timewise Errand Services</p>
      </div>
   </div>
</form>

Kindly help!!!

john
  • what are you getting right now ?? – Pruthviraj Chudasama Feb 29 '16 at 12:40
  • what error you are getting ?? – Arun Kumaresh Feb 29 '16 at 12:49
  • crypt($upass); this needs to be declared as $upass = crypt($upass); – Adam Hull Feb 29 '16 at 12:49
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Feb 29 '16 at 13:23
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Jay Blanchard Feb 29 '16 at 13:25
  • `if(isset($_SESSION['user'])!="")` is not the way you use `isset()` and that code will fail immediately. – Jay Blanchard Feb 29 '16 at 13:26
  • because, your PHP's not being parsed and your escape function's failing you once you've installed a webserver / PHP and used it correctly. Edit: *Ain't that right Sam?* - @JayBlanchard ;-) RTM http://php.net/manual/en/function.mysqli-escape-string.php – Funk Forty Niner Feb 29 '16 at 13:29
  • @JayBlanchard Then how does one use it? I don't have an idea. – john Feb 29 '16 at 13:30
  • and Lord knows what the HTML form looks like – Funk Forty Niner Feb 29 '16 at 13:30
  • *Too true Ralph. Too true.* @Fred-ii- – Jay Blanchard Feb 29 '16 at 13:31
  • `if(isset($_SESSION['user']) && $_SESSION['user'] != '')` for starters. But @Fred-ii- is right - if you're not running this on a web server no amount of code correction will make this work. – Jay Blanchard Feb 29 '16 at 13:32
  • @Fred-ii- Here is the HTML form: let me add the HTML form on the question – john Feb 29 '16 at 13:33
  • Edit your post to add any further information. *Do not* dump code in comments. – Jay Blanchard Feb 29 '16 at 13:33
  • file you're loading is what, `.html` or `.php`? is this running off a webserver with PHP installed? local? hosted? if local, how? as `http://localhost/file.xxx` or `c:///file.xxx`? 2 different animals here. and did you close the form? edit does not contain `</form>`. – Funk Forty Niner Feb 29 '16 at 13:35
  • @Fred-ii- it is register.php form – john Feb 29 '16 at 13:38
  • [*This was a multi-part question...*](http://stackoverflow.com/questions/35699745/my-code-does-not-add-registration-data-into-database#comment59078165_35699745). You answered "one". – Funk Forty Niner Feb 29 '16 at 13:40
  • @Fred-ii- It is running on localhost. Oh! Shit I have seen it was running on c:///file.xxx instead of http://localhost/file.xxx – john Feb 29 '16 at 13:46
  • just as I suspected ^ – Funk Forty Niner Feb 29 '16 at 13:47
  • @Fred-ii- Thank you and how do I use the isset()? from a comment above I have been told that I am using it badly – john Feb 29 '16 at 13:48
  • I'm typing up an answer as we speak... – Funk Forty Niner Feb 29 '16 at 13:52
  • ||||||||||||...Waiting – john Feb 29 '16 at 13:55
  • typing takes time ;-) I don't "drop in code", I explain. it's down there. not much else I can add to it, except to say that make sure your db columns are correct types and lengths etc. best I can do here ;-) – Funk Forty Niner Feb 29 '16 at 14:00

2 Answers

0
if (password1 == password2){

must be

if ($upass == $pass2 ){

As you don't have such variables in your script. And your INSERT query must be:

$sql = "INSERT INTO users (fullname, telephone, email, role, pass)
            VALUES ('$fullName', '$tphon', '$email', '$role', '$upass')";

assuming that $upass is a string.

mitkosoft
  • Thanks for seeing that i have corrected and edited the question, but the same thing is still happening! – john Feb 29 '16 at 12:46
  • I have changed that mistake on the '$upass' variable but it's not working. – john Feb 29 '16 at 12:53
  • It's still not adding my data into the database and I am getting this code: query($sql) === TRUE) { echo "New record created successfully"; } else { echo "Error: " . $sql . " " . $dbcon->error; } $dbcon->close(); } } ?> . still displaying before the HTML loads – john Feb 29 '16 at 12:57
0

As per seen/discussed in comments:

You were running your file as c:///file.php as opposed to http://localhost/file.php, hence why it was showing you code, rather than parsing it.

Then mysqli_escape_string(): that function requires a database connection to be passed as the first parameter:

Consult:

Your session's conditional statement will give you a false positive:

if(isset($_SESSION['user'])!="")

which is interpreted as "if is set session array does not equal to"...

As opposed to "if the session array is set AND does not equal to"...

if(isset($_SESSION['user']) && $_SESSION['user'] != '')

Your edit with the form seems to be missing the closing </form> tag, and it is unknown if the element for this conditional statement if(isset($_POST['signup'])) does indeed hold the same name attribute for it.

Plus, the inputs for the following POST arrays, were also not included in your edit for the HTML form:

$upass = $_POST['upass'];
$pass2 = $_POST['pass2'];

Check for errors via PHP, since you're already checking with MySQL.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Then the rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.


Footnotes:

You should add exit; after header, otherwise your code may want to continue to execute.

header("Location: index.php");
exit;

Passwords

Use one of the following:

Other links:

Important sidenote about column length:

If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.

Same thing goes for using the crypt() function. The column's length needs to be long enough in order to accommodate the hash.


Funk Forty Niner
  • I have worked on the rest of the problems as per your answer but I don't seem to get an answer on how to use the {mysqli_escape_string()}. I have read but I am honestly getting nothing!!! Can you at least help me know how it should be? – john Feb 29 '16 at 15:07
  • @john examples: `$var=mysqli_real_escape_string($connection, $_POST['var']);` - `$var=mysqli_real_escape_string($connection, $var);` as per the manual http://php.net/manual/en/mysqli.real-escape-string.php and do that for all the ones you want to escape. – Funk Forty Niner Feb 29 '16 at 15:09
  • Thank you. again @Fred-ii things are finally okay – john Feb 29 '16 at 17:21
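
Added example (not part of the original thread, and not the asker's or any answerer's code): the points raised in the comments and the second answer, namely bound parameters instead of escaping, `password_hash()` instead of `crypt()`, and the 'Email is already registered' check the question asks for, combined in one function. The function name `register_user`, the UNIQUE index on `users.email`, the `VARCHAR(255)` `pass` column and PHP 7.4+ are assumptions; `$dbcon` is taken to be the mysqli object from the question's `dbconnect.php`.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions: $dbcon is the mysqli object from dbconnect.php, users.email
// has a UNIQUE index, users.pass is VARCHAR(255), PHP is 7.4 or newer.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw
function register_user(mysqli $dbcon, array $post): string
{
    // Accept only string fields; anything else (missing, array) becomes ''.
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $fullName = trim($field('fullName'));
    $tphon    = trim($field('telephone'));
    $email    = trim($field('email'));
    $role     = $field('role');
    $upass    = $field('upass');
    if ($fullName === '' || $upass === '' || $upass !== $field('pass2')) {
        return 'Full name and two matching passwords are required';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid email address';
    }
    if (!in_array($role, ['N', 'C'], true)) { // the form's two radio values
        return 'Invalid role';
    }

    // Bound parameters replace mysqli_escape_string() entirely.
    $check = $dbcon->prepare('SELECT 1 FROM users WHERE email = ? LIMIT 1');
    $check->bind_param('s', $email);
    $check->execute();
    $check->store_result();
    $taken = $check->num_rows > 0;
    $check->close();
    if ($taken) {
        return 'Email is already registered';
    }
    // password_hash() generates the salt; store its whole output unchanged.
    $hash = password_hash($upass, PASSWORD_DEFAULT);
    $insert = $dbcon->prepare('INSERT INTO users
        (fullname, telephone, email, role, pass) VALUES (?, ?, ?, ?, ?)');
    $insert->bind_param('sssss', $fullName, $tphon, $email, $role, $hash);
    try {
        $insert->execute();
    } catch (mysqli_sql_exception $e) {
        // 1062 = duplicate key: a concurrent signup won the race.
        if ($e->getCode() === 1062) {
            return 'Email is already registered';
        }
        throw $e;
    }
    return 'New record created successfully';
}
```

Inside the `if (isset($_POST['signup']))` branch it would be called as `echo htmlspecialchars(register_user($dbcon, $_POST));`, and the login side then checks the stored hash with `password_verify()`.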