0

My database validation is working; the 'User' table will not update if there is already a registered user. However, my $error_message variable will not display the error message string. Here is my code:

HTML/PHP:

<?php
// Collect and validate user inputs
if($_SERVER["REQUEST_METHOD"] == "POST") {
  session_start();
  $forename = trim(filter_input(INPUT_POST,"user_forename",FILTER_SANITIZE_STRING));
  $surname = trim(filter_input(INPUT_POST,"user_surname",FILTER_SANITIZE_STRING));
  $gender = trim(filter_input(INPUT_POST,"user_gender",FILTER_SANITIZE_STRING));
  $email = trim(filter_input(INPUT_POST,"user_email",FILTER_SANITIZE_EMAIL));
  $password = trim(filter_input(INPUT_POST,"user_password"));
  $city = trim(filter_input(INPUT_POST,"user_city"));
  $team = trim(filter_input(INPUT_POST,"user_team",FILTER_SANITIZE_STRING));
  $bio = trim(filter_input(INPUT_POST,"user_bio",FILTER_SANITIZE_SPECIAL_CHARS));
  $human = trim(filter_input(INPUT_POST,"user_human",FILTER_SANITIZE_STRING));

  $userExist = mysql_query("SELECT * FROM User WHERE U_Email='$email'");

  if($forename == "" || $surname == "" || $email == "" || $password == ""
     || $city == "" || $team == "" || $bio == "" || $human == "") {
    $error_message = "Please fill in all form fields";
  }

  if (!isset($error_message) && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $error_message = "$email is a not a valid email address";
  }

  if (!isset($error_message) && (mysql_num_rows($userExist) > 0)) {
    $error_message = "$email is already taken!";
  }

  if(!isset($error_message)) {
    $sql = $db->query("INSERT INTO User (U_Forename, U_Surname, U_Gender, U_Email, U_Password, U_City, U_Team, U_Biography)
      VALUES('{$forename}', '{$surname}', '{$gender}', '{$email}', '{$password}', '{$city}', '{$team}', '{$bio}')");

    // header('Location: index.php');
  }
}
?>

  <div class="wrapper">
          <h1>Register, it's free!</h1>
          <div>
            <?php
            if (isset($error_message)) {
              echo "<h2>".$error_message."</h2>";
            }
            ?>
          </div>

No error message is displayed after the form has been submitted. Moreover, I am not receiving any PHP errors, so I am not sure what the problem is.

Any suggestions would be great.

Thanks, James.

James Barrett
  • please use mysqli instead of mysql. But this is not the reason. – Renjith V R Apr 06 '16 at 12:29
  • and just print all variables. – Renjith V R Apr 06 '16 at 12:31
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Jay Blanchard Apr 06 '16 at 12:32
  • Why are you mixing database API's? – Jay Blanchard Apr 06 '16 at 12:34
  • print the insert statement & run it directly in mysql. It will show the error if any. – Dipanwita Kundu Apr 06 '16 at 12:48
  • @JayBlanchard I understand there are security bottlenecks, just trying to learn the basics first :) – James Barrett Apr 06 '16 at 12:52
  • 1
    I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."*. If you don't have time to do it right the first time, when will you find the time to add it later? ¯\\_(ツ)_/¯ – Jay Blanchard Apr 06 '16 at 12:53
  • @JayBlanchard You are very right! :) – James Barrett Apr 06 '16 at 13:17

1 Answer

2

Please remember about mysqli and sql injection.

This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used.

mysqli::real_escape_string -- mysqli_real_escape_string — Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.

Note that if no connection is open, mysqli_real_escape_string() will return an empty string!

SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.

Injected SQL commands can alter the SQL statement and compromise the security of a web application.

<?php
/* Attempt MySQL server connection. Assuming you are running MySQL
   server with default setting (user 'root' with no password) */
$conn = mysqli_connect("localhost", "root", "", "demo");

// Check connection
if($conn === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

// Validate every field. Note the parentheses: the length test is
// strlen(trim($x)) > 0; strlen(trim($x) > 0) compares the string with 0
// first and then measures the length of a boolean.
if(isset($_POST['user_forename']) && strlen(trim($_POST['user_forename'])) > 0)
{
    $forename = trim($_POST['user_forename']);
}
else
{
    $error_message = "Please enter forename";
}

if(isset($_POST['user_surname']) && strlen(trim($_POST['user_surname'])) > 0)
{
    $surname = trim($_POST['user_surname']);
}
else
{
    $error_message = "Please enter surname";
}

if(isset($_POST['user_gender']) && strlen(trim($_POST['user_gender'])) > 0)
{
    $gender = trim($_POST['user_gender']);
}
else
{
    $error_message = "Please enter gender"; // if it is an input field.
}

if(isset($_POST['user_email']) && strlen(trim($_POST['user_email'])) > 0)
{
    if(filter_var(trim($_POST['user_email']), FILTER_VALIDATE_EMAIL))
    {
        $email = trim($_POST['user_email']);
    }
    else
    {
        $error_message = "Please enter valid email";
    }
}
else
{
    $error_message = "Please enter email";
}

if(isset($_POST['user_password']) && strlen(trim($_POST['user_password'])) > 0)
{
    $password = trim($_POST['user_password']);
}
else
{
    $error_message = "Please enter password";
}

if(isset($_POST['user_city']) && strlen(trim($_POST['user_city'])) > 0)
{
    $city = trim($_POST['user_city']);
}
else
{
    $error_message = "Please enter city";
}

if(isset($_POST['user_team']) && strlen(trim($_POST['user_team'])) > 0)
{
    $team = trim($_POST['user_team']);
}
else
{
    $error_message = "Please enter team";
}

if(isset($_POST['user_bio']) && strlen(trim($_POST['user_bio'])) > 0)
{
    $bio = trim($_POST['user_bio']);
}
else
{
    $error_message = "Please enter Biography";
}

if(!isset($error_message))
{
    // Escape user inputs for security (every variable is set at this point)
    $forename = mysqli_real_escape_string($conn, $forename);
    $surname = mysqli_real_escape_string($conn, $surname);
    $gender = mysqli_real_escape_string($conn, $gender);
    $email = mysqli_real_escape_string($conn, $email);
    $password = mysqli_real_escape_string($conn, $password);
    $city = mysqli_real_escape_string($conn, $city);
    $team = mysqli_real_escape_string($conn, $team);
    $bio = mysqli_real_escape_string($conn, $bio);

    // checking existing email
    if ($emailcheckquery = mysqli_query($conn, "SELECT * FROM User WHERE U_Email='$email'"))
    {
        if(mysqli_num_rows($emailcheckquery) > 0)
        {
            $error_message = "email is already taken!";
        }
    }
}

if(!isset($error_message))
{
    // attempt insert query execution: same table as the question (User),
    // every value quoted, and the same variable passed to mysqli_query()
    $insertsql = "INSERT INTO User (U_Forename, U_Surname, U_Gender, U_Email, U_Password, U_City, U_Team, U_Biography)
                  VALUES ('$forename', '$surname', '$gender', '$email', '$password', '$city', '$team', '$bio')";
    if(mysqli_query($conn, $insertsql)){
        echo "Records added successfully.";
    } else{
        echo "ERROR: Could not execute the insert. " . mysqli_error($conn);
    }
}

// close connection
mysqli_close($conn);
?>

<div class="wrapper">
    <h1>Register, it's free!</h1>
    <div>
        <?php
        if (isset($error_message)) {
            echo "<h2>".$error_message."</h2>";
        }
        ?>
    </div>
</div>
Renjith V R
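The same registration flow with mysqli prepared statements, as an added example that is not code from the question or the answer: each input is bound as a parameter rather than escaped into the SQL text, the password is stored as a password_hash() instead of in clear, and the error text is HTML-escaped before the page echoes it inside the <h2>. It assumes the question's User table and column names and the answer's local "demo" database; registerUser() is a hypothetical helper.

```php
<?php
// Added example (not from the question or answer). Assumes the question's
// User table/columns and the answer's local "demo" database; registerUser()
// is a hypothetical helper that returns null on success or the error text.
function registerUser(mysqli $conn, array $post): ?string
{
    $fields = ['user_forename', 'user_surname', 'user_gender', 'user_email',
               'user_password', 'user_city', 'user_team', 'user_bio'];
    $in = [];
    foreach ($fields as $f) {
        $in[$f] = trim((string)($post[$f] ?? ''));
        if ($in[$f] === '') {
            return "Please fill in all form fields";
        }
    }
    if (filter_var($in['user_email'], FILTER_VALIDATE_EMAIL) === false) {
        return htmlspecialchars($in['user_email']) . " is not a valid email address";
    }
    // Duplicate check: the email is a bound parameter, so quote characters in
    // it cannot change the query; no mysqli_real_escape_string() step is needed.
    $stmt = $conn->prepare("SELECT 1 FROM User WHERE U_Email = ? LIMIT 1");
    $stmt->bind_param("s", $in['user_email']);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    if ($taken) {
        return htmlspecialchars($in['user_email']) . " is already taken!";
    }
    // Store a password_hash(), never the raw password; log in with password_verify().
    $hash = password_hash($in['user_password'], PASSWORD_DEFAULT);
    $stmt = $conn->prepare("INSERT INTO User (U_Forename, U_Surname, U_Gender, U_Email,"
        . " U_Password, U_City, U_Team, U_Biography) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
    $stmt->bind_param("ssssssss", $in['user_forename'], $in['user_surname'], $in['user_gender'],
        $in['user_email'], $hash, $in['user_city'], $in['user_team'], $in['user_bio']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok ? null : "Registration failed, please try again";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
    $conn = new mysqli("localhost", "root", "", "demo");      // same credentials as the answer
    $error_message = registerUser($conn, $_POST);             // null means the row was inserted
    $conn->close();
}
```

With MYSQLI_REPORT_STRICT enabled, a failed connection or query raises a mysqli_sql_exception instead of returning false, which is the silent failure the question describes.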