
I'm new to PHP. I'm trying to build a signup webpage in which, if the email entered doesn't exist, it should insert the values entered. The code works fine and it returns successful when a new mail is entered. But the problem is when I check my database the new values are not inserted. Is there any mistake in my code? Thanks in advance.

```php
<?php
session_start();
if (isset($_POST['signup'])) {
    include_once("db.php");

    $email    = strip_tags($_POST['emailid']);
    $username = strip_tags($_POST['username']);
    $password = strip_tags($_POST['password']);

    if ($email == NULL || $username == NULL || $password == NULL) {
        print "Missing one of the fields";
    }
    else {
        $email    = stripslashes($email);
        $username = stripslashes($username);
        $password = stripslashes($password);

        $email    = mysqli_real_escape_string($db, $email);
        $username = mysqli_real_escape_string($db, $username);
        $password = mysqli_real_escape_string($db, $password);

        $query  = "SELECT * FROM user WHERE email='$email'";
        $result = mysqli_query($db, $query);

        if ($result && mysqli_num_rows($result) > 0) {
            echo "Account already exists.Please login";
        }
        else {
            $sql = "INSERT INTO user (ID,email,username,password) VALUES
            (NULL,'$email','$username','$password')";
            if ($sql) {
                echo "Account created successfully.";
            }
            else {
                echo "Error";
            }
        }
    }
}
?>
```
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 27 '16 at 18:00
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 27 '16 at 18:00
  • I was like who the heck is `Little Bobby` lol good one @JayBlanchard – yardie Apr 27 '16 at 18:08
  • Thanks @JayBlanchard. I will surely use it in my next webpages. This is my first time coding in PHP and I'm learning more efficient ways to do it. – Apr 27 '16 at 18:15
  • Please don't wait! I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Apr 27 '16 at 18:16
  • Wow!! You are really motivating me!! I will right away search for it and do it now itself. Thanks again! – Apr 27 '16 at 18:19

3 Answers

You are not executing the insert query; it should look like:

```php
$sql = "INSERT INTO user (ID,email,username,password) VALUES
(NULL,'$email','$username','$password')";
$sql = mysqli_query($db, $sql); // You are missing this
```

– yardie
Change from:

```php
$sql = "INSERT INTO user (ID,email,username,password) VALUES
(NULL,'$email','$username','$password')";
if ($sql)
{
    echo "Account created successfully.";
}
```

To:

```php
$sql = "INSERT INTO user (ID,email,username,password) VALUES
(NULL,'$email','$username','$password')";
if (mysqli_query($db, $sql))
{
    echo "Account created successfully.";
}
```

You need to execute the 2nd query ($sql).

– Pedro Lobito
```php
$sql = "INSERT INTO user (email,username,password) VALUES
('$email','$username','$password')";
if (mysqli_query($db, $sql))
{
    echo "Account created successfully.";
}
```

  • Remove the NULL INSERT value; it's not needed and should be auto-generated if the index is auto-incremental.

  • Execute the $sql statement as a mysqli_query and then use the result of that in the IF statement.

Bonus: Use mysqli_error($db) to feed back the errors you encounter, such as:

```php
mysqli_query($db, $sql) or die("error: " . mysqli_error($db));
```

– Martin
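The following is an added example, not the asker's script or any of the answerers' code. It pulls together the points raised in Jay Blanchard's comments (mysqli prepared statements instead of escaping, `password_hash()` on the raw password) and Martin's bonus note on surfacing database errors, while also fixing the missing execute call. It assumes `db.php` defines `$db` as an open mysqli connection and that the table is `user(ID INT AUTO_INCREMENT PRIMARY KEY, email, username, password)` with the `password` column wide enough (255 characters) for a `password_hash()` result; the function names `email_taken`, `create_account` and `login_ok` are this example's own.

```php
<?php
// Added example; not the asker's script or any answerer's code.
// Assumptions: db.php defines $db as an open mysqli connection, and the
// table is user(ID INT AUTO_INCREMENT PRIMARY KEY, email, username, password)
// with a password column of at least 255 characters for password_hash() output.
session_start();

// Make mysqli throw mysqli_sql_exception on any error instead of returning
// false silently; an un-executed or failing query then cannot report "success".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include_once "db.php";

// Returns true if an account with this email already exists.
function email_taken(mysqli $db, string $email): bool
{
    // The value is bound as a parameter, never interpolated into the SQL text,
    // so no escaping (and no stripslashes/strip_tags) is needed.
    $stmt = mysqli_prepare($db, "SELECT ID FROM user WHERE email = ?");
    mysqli_stmt_bind_param($stmt, "s", $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $taken = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $taken;
}

// Inserts the account and returns true only if a row was actually written.
function create_account(mysqli $db, string $email, string $username, string $password): bool
{
    // Hash the raw password: no strip_tags, stripslashes or escaping beforehand,
    // because any of those would change the password that gets stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // ID is omitted so AUTO_INCREMENT assigns it.
    $stmt = mysqli_prepare($db, "INSERT INTO user (email, username, password) VALUES (?, ?, ?)");
    mysqli_stmt_bind_param($stmt, "sss", $email, $username, $hash);
    mysqli_stmt_execute($stmt);              // the execute call the original script lacked
    $inserted = mysqli_stmt_affected_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $inserted;
}

// Login check for the matching login page: compare against the stored hash.
function login_ok(mysqli $db, string $email, string $password): bool
{
    $stmt = mysqli_prepare($db, "SELECT password FROM user WHERE email = ?");
    mysqli_stmt_bind_param($stmt, "s", $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $found && password_verify($password, $storedHash);
}

if (isset($_POST['signup'])) {
    $email    = trim($_POST['emailid'] ?? '');
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';

    try {
        if ($email === '' || $username === '' || $password === '') {
            print "Missing one of the fields";
        } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            print "Invalid email address";
        } elseif (email_taken($db, $email)) {
            echo "Account already exists. Please login";
        } elseif (create_account($db, $email, $username, $password)) {
            echo "Account created successfully.";
        } else {
            echo "Error";
        }
    } catch (mysqli_sql_exception $e) {
        // Log the database error server-side; do not echo SQL error text to the browser.
        error_log("signup failed: " . $e->getMessage());
        echo "Error";
    }
}
```

Compared with `or die("error: " . mysqli_error($db))`, the `mysqli_report()` plus `try`/`catch` arrangement gives the same diagnostic detail in the server log while keeping table and column names out of the response a visitor sees; `mysqli_stmt_affected_rows()` is what confirms the row really landed, which is the symptom the question describes.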