2

So I'm trying to create a registration form for my website and am using a SQL database using phpMyAdmin. I have done a ton of research on how to create the PHP file that will add the User to my database after creating their account. To the best of my knowledge, I have the correct execution and code, but when I go to my website, create a user and go to my phpMyAdmin to check my database table to see if the user is created... it is not. Below I will include my code for the connection PHP file along with my register.php file. At this point I have no idea as to what is wrong with my code that is not actually POSTing any data to the database after creating an account on my website.

Below is my UPDATED dbconnect.php file which is included in my register.php

    <?php

    /*** mysql hostname ***/
    $hostname = 'localhost';
    /*** mysql username ***/
    $username = '******';
    /*** mysql password ***/
    $password = '******';

    try {
        function testdb_connect (){
            $dbh = new PDO("mysql:host=$hostname;dbname=*******", $username, $password);
            return ($dbh);
        }
        $dbh = testdb_connect();
    }
    catch(PDOException $e) {
        echo $e->getMessage();
    }

    ?>

Here is the UPDATED PHP section of register.php:

    <?php
    session_start();
    if(isset($_SESSION['User']))
    {
        header("Location: home.php");
    }
    include_once 'dbconnect.php';

    if(isset($_POST['submit']))
    {
        $uname = $_POST['uname'];
        $email = $_POST['email'];
        $upass = $_POST['upass'];
    }

    $stmt = $dbh->prepare("SELECT COUNT(*) as `emailcount` FROM `User` WHERE email=:email");
    $stmt->execute(array("email" => $_POST['email']));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row['emailcount'] > 0) {
        echo "<script>alert('Email $email already exists in our system. Please try another email')</script>";
    }

    $stmt = $dbh->prepare("INSERT INTO User(`uname`, `email`, `upass`) VALUES (:uname, :email, :upass)");

    $stmt->execute(array("uname" => $_POST['uname'], "email" => $_POST['email'], "upass" => md5($_POST['upass'])));

    ?>

And here is the UPDATED HTML form which creates the user account and is supposed to POST to my database table:

    <form method='post' action='register.php'>
        <pre>
        <div>
            <label>Name : (letters only)*</label>
            <input type="text" name="uname" pattern="[A-Za-z]+" title="only letters" required />
        </div>

        <div>
            <label>E-mail : (xyz@zyx.com)*</label>
            <input type="email" name="email" pattern="[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}$" title="xyz@something.com" required />
        </div>

        <div>
            <label>password : (at least 6 chars)</label>
            <input type="password" name="upass" pattern=".{6,}" title="Six or more characters" required />
        </div>

        <input type='submit' name='submit' value='Sign Up'>
        </pre>
    </form>
BC0148
  • In your code `$uname`, `$email` and `$umail` are commented? Is it really like that in your code? Also, in your form you use `upass` and you tried to get `$_POST['pass']` – olibiaz May 04 '16 at 04:09

5 Answers

2

There are a couple of things here that need to be altered; let's start with your choice of API.

Mixing APIs and addressing prepared statements

This isn't something you can do in PHP. Your connection uses PDO, while your queries used the old and outdated mysql_* functions. I'd recommend you edit your code to reflect the connection rather than change the connection to the deprecated mysqli_*. You should also use prepared statements.

So instead of the line `$run = mysql_query($check_email);`, you'd do something like this, which will use the API you chose in your connection-code, and take advantage of prepared statements.

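$stmt = $dbh->prepare("SELECT COUNT(*) as `emailcount` FROM `User` WHERE email=:email");
$stmt->execute(array("email" => $_POST['email']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row['emailcount'] > 0) {
    // JSON-encode the message so the submitted e-mail cannot break out of the script string
    $msg = json_encode("Email {$_POST['email']} already exists in our system. Please try another email",
                       JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    echo "<script>alert($msg)</script>";
}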

And your insertion query would look something like this:

$stmt = $dbh->prepare("INSERT INTO User(`uname`, `email`, `upass`) VALUES (:uname, :email, :pass)");
$stmt->execute(array("uname" => $_POST['uname'], "email" => $_POST['email'], "pass" => md5($_POST['upass'])));

Also note that you used `name="upass"` in your form, but your PHP used `$_POST['pass']`, which are different, and they need to be the same.

Calling the function for your connection

In your connection file, you put the PDO object inside a function, which is fine, but you need to call it, either after you require the file, or in the connection file itself.

$dbh = testdb_connect();

EDIT: Per the comments, also discovered another issue with the variable-scope:

You're also facing some issues with variable scope, as you define the variables for your connection outside the function. The function can't see those variables, because they are not defined inside the function, passed as arguments or made global.

I strongly recommend you not use global variables, and instead pass them as arguments or define them inside the function. The example below has been modified to define them inside the function instead.

<?php 
// Define a function for the PDO object
function testdb_connect() {
    try {
        /*** mysql hostname ***/
        $hostname = 'localhost';
        /*** mysql username ***/
        $username = '--------';
        /*** mysql password ***/
        $password = '------';

        $dbh = new PDO("mysql:host=$hostname;dbname=databasename", $username, $password);
        return $dbh;
    } catch(PDOException $e) {
        echo $e->getMessage();
    }
}

$dbh = testdb_connect(); // call the function, create the connection
?>

The errors you provided in the comments suggest that the object was not created, which should now be fixed with the above code. I also restructured it a bit, putting the try/catch block in a more appropriate place.

Your submit-button

This is mainly why nothing happened. Your submit-button has no name attribute, but two values instead, which means that the line `if(isset($_POST['submit']))` will never be true, because there is no input-element with that name.

Instead of

<input type='submit' value='submit' value='Sign Up'>

it should look like

<input type='submit' name='submit' value='Sign Up'>

False positives with isset

The line `if(isset($_SESSION['User'])!="")` would give you a false positive, as `isset()` returns a boolean (true/false), which will never be equal to an empty string.

It should be `if (isset($_SESSION['User'])) {`, which will redirect the user only if he is signed in.

Additional notes

With the changes above, your checks for empty email/password should be slightly changed, as we will no longer need the lines you commented out (as those use the old mysql_real_escape_string() and we'll be using PDO instead, so they are not defined):

if (empty($_POST['uname'])) {
    echo "<script>alert('Please Enter Your name')</script>";
    exit();
}
if (empty($_POST['email'])) {
    echo "<script>alert('Please Enter Your Email')</script>";
    exit();
}
  • Your password-hashing is md5, which is discouraged for use with passwords. You should look into using a function such as password_hash() instead.

  • Enable error_reporting(E_ALL); when troubleshooting

Additional reading-material

Qirel
  • Thank you so much for such a thorough comment and assistance. I have taken all of your advice and changed my code around to fit what you suggested. Although now I am getting two errors when I load my register.php page which I wasn't getting before. And yet... still the form doesn't POST to my database after creating an account. The error I get is the following: – BC0148 May 04 '16 at 16:29
  • SQLSTATE[28000] [1045] Access denied for user 'nobody'@'localhost' (using password: NO) Fatal error: Call to a member function prepare() on a non-object in /home/adelphistudys/public_html/register.php on line 23 – BC0148 May 04 '16 at 16:29
  • If you don't mind just looking at my original post, I edited all the code to fit the new updated one so you can see what I have changed since the original version. – BC0148 May 04 '16 at 16:38
  • @BC0148 I've updated my answer, specifically under "*Calling the function for your connection*", have a read at that :-) – Qirel May 04 '16 at 16:40
  • Also, just noticed in your update, your `if ($row['emailcount'] > 0) {` is somewhat too early in the code - it needs to be after the query has been executed (below `$row = $stmt->fecth();`). -- and `if(mysql_query($sql)){` is no longer needed, and will cause warnings/errors, you can just remove that. – Qirel May 04 '16 at 16:42
  • Thank you, I have edited my dbconnect.php file to be exactly as you have updated it to be. And that section of register.php now looks like this } $stmt = $dbh->prepare("SELECT COUNT(*) as `emailcount` FROM `User` WHERE email=:email"); $stmt->execute(array("email" => $_POST['email'])); $row = $stmt->fecth(); if ($row['emailcount'] > 0) { echo ""; } – BC0148 May 04 '16 at 16:52
  • But now I am getting this error: Fatal error: Call to undefined method PDOStatement::fecth() in /home/adelphistudys/public_html/register.php on line 24 – BC0148 May 04 '16 at 16:52
  • Haha, sorry, I've misspelled the word :P And you can add a constant to that value, so make it `$row = $stmt->fetch(PDO::FETCH_ASSOC);` instead :-) – Qirel May 04 '16 at 16:58
  • YES! Thank you so much, it's working now. I was able to create a user. It also created a NULL uname and NULL email also. Why would that be? – BC0148 May 04 '16 at 17:36
  • Because you tried using variables which aren't defined, like I mentioned in the answer above. You have commented out the lines which define them -- but if you un-comment them you will get warnings too, because you're using `mysql_real_escape_string` on them. You can instead just replace those commented lines with `$uname = $_POST['uname'];` – Qirel May 04 '16 at 17:38
  • If I replace those commented lines with that, when I go to make a user it doesn't create any user, it just creates a NULL all across the row on the table. Before it was creating the NULL and the actual username. What went wrong here >. – BC0148 May 04 '16 at 17:55
  • I will edit my original post to reflect the PHP part of register.php that I have changed – BC0148 May 04 '16 at 17:56
  • @BC0148 The `if(isset($_POST['submit']))` should be wrapped around all the queries, because now you will insert even if there is no data submitted, leading to NULL being inserted. – Qirel May 06 '16 at 21:46
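
The fixes discussed in the answer and comments above, pulled together as an added example (not code from the question or from any answer on this page): the queries run only after a real form submission, and `password_hash()` replaces `md5()`. It assumes PHP 7+ with the pdo_sqlite extension; the in-memory SQLite database, `demo_db()` and `register_user()` are stand-ins made up for the illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL `User` table.
function demo_db(): PDO {
    $dbh = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of failing silently.
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password_hash() output is longer than an md5 digest, so size upass for it.
    // UNIQUE backs up the COUNT(*) check if two requests race.
    $dbh->exec('CREATE TABLE User (uname VARCHAR(64) NOT NULL,
        email VARCHAR(255) NOT NULL UNIQUE, upass VARCHAR(255) NOT NULL)');
    return $dbh;
}

// $post plays the role of $_POST; returns a status string.
function register_user(PDO $dbh, array $post): string {
    // Touch the database only when the form was really submitted.
    if (!isset($post['submit'])) {
        return 'no-submit';
    }
    foreach (['uname', 'email', 'upass'] as $field) {
        if (empty($post[$field])) {
            return "missing-$field";
        }
    }
    $stmt = $dbh->prepare('SELECT COUNT(*) FROM User WHERE email = :email');
    $stmt->execute(['email' => $post['email']]);
    if ((int) $stmt->fetchColumn() > 0) {
        return 'email-exists';
    }
    $stmt = $dbh->prepare(
        'INSERT INTO User (uname, email, upass) VALUES (:uname, :email, :upass)');
    $stmt->execute([
        'uname' => $post['uname'],
        'email' => $post['email'],
        'upass' => password_hash($post['upass'], PASSWORD_DEFAULT),
    ]);
    return 'created';
}

// Constructed sample submission; [] models a page load with no POST data.
$dbh  = demo_db();
$form = ['submit' => 'Sign Up', 'uname' => 'Alice',
         'email' => 'alice@example.com', 'upass' => 'correct horse'];
foreach ([[], $form, $form] as $post) {
    echo register_user($dbh, $post), "\n";
}
$hash = $dbh->query('SELECT upass FROM User')->fetchColumn();
var_dump(password_verify('correct horse', $hash)); // how a login page checks it
```

Returning a status string lets the page print a fixed message rather than interpolating the submitted e-mail into a `<script>` block. On the real MySQL table, `upass` needs to be widened before switching from `md5()` (PHP's documentation recommends 255 characters).
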
1

You need to uncomment this:

$uname = mysql_real_escape_string($_POST['uname']);
$email = mysql_real_escape_string($_POST['email']);
$upass = md5(mysql_real_escape_string($_POST['pass']));
Pupil
-1

Check the post value of the password field... and update it by `$upass = md5(mysql_real_escape_string($_POST['upass']));`

Dipanwita Kundu
-1

Possible errors apart from commented lines:

1: Is databasename your database name?

2: PHP version > 5.5.0

3: Input field has an escaped character and DB setting doesn't accept NULL as value

Don't use mysql_real_escape_string
Ghostff
-2

<input type="password" name="upass" pattern=".{6,}" title="Six or more characters" required/>

Since the name of input type password is 'upass', you should assign 'upass' to your $upass variable, or change the name of input type to 'pass'.

It should be like this after submitting form

$upass = md5(mysql_real_escape_string($_POST['upass']));
W Gunvant