PHP Form adding NULL rows to my SQL database when making user account

Question

I'm creating a user registration form for my website in PHP and 'POST' the user data to my SQL database. When I made my first two users it posted the user info to my database such as username and email ALONG with a row of NULL for each field. I didn't change anything in my PHP code but now when I go to create a user it adds a new row to the database but all the fields are NULL, and a hash code for password. I don't know why its coming up as NULL. Below I will include my register.php code.

    <?php
#session_start();
#if(isset($_SESSION['User']))
#{
# header("Location: home.php");
#}
include_once 'dbconnect.php';

#if(isset($_POST['submit']))
#
     $uname = $_POST['uname'];
     $email = $_POST['email'];
     $upass = $_POST['upass'];

     $stmt = $dbh->prepare("SELECT COUNT(*) as `emailcount` FROM `User` WHERE email=:email");
     $stmt->execute(array("email" => $_POST['email']));
     $row = $stmt->fetch(PDO::FETCH_ASSOC);

     if ($row['emailcount'] > 0) {
        echo "<script>alert('Email $email already exists in our system. Please try another email')</script>";
     } else {


        $stmt = $dbh->prepare("INSERT INTO User(`uname`, `email`, `upass`) VALUES (:uname, :email, :upass)");

        $stmt->execute(array("uname" => $_POST['uname'], "email" => $_POST['email'], "upass" => md5($_POST['upass'])));
     }


?>

I will also include my HTML form that we are working with here

            <form method='post' action='register.php'>
                <pre>
                <div>
            <label>Name : (letters only)*</label>
<input type="text" name="uname" pattern="[A-Za-z]+" title="only letters" required />
</div>

<div>
<label>E-mail : (xyz@zyx.com)*</label>
<input type="email" name="email" pattern="[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,4}$" title="xyz@something.com" required />
</div>


<div>
<label>password : (at least 6 chars)</label>
<input type="password" name="upass" pattern=".{6,}" title="Six or more characters" required />
</div>



<input type='submit' name='submit' value='Sign Up'>
</pre>
</form>

Can you include the output of all variables you're inputting, prior to them being sent to the query? — CmdrSharp, May 04 '16 at 21:35
Im not sure exactly what your asking to see, can you be a bit more specific? — BC0148, May 04 '16 at 21:39
Can you dump the values of the $_POST vars to ensure that they actually contain what you think they do? — CmdrSharp, May 04 '16 at 21:40
**WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.2/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and never store passwords as plain-text or using the terribly weak MD5. — tadman, May 04 '16 at 21:44
You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, May 04 '16 at 21:44
Can you share your markup for your form? It would seem that you're not testing for anything to be set *before* your run the insert - you just do an insert, a blank one, each time you run the script. — Jay Blanchard, May 04 '16 at 21:47
It's worth noting you test for duplication, then go ahead and insert anyway. — tadman, May 04 '16 at 21:48
You've got no controls in place to check for empty POST variables, or even a failure in statement preparation. Anything could be going wrong there, you need to be checking results of all operations. — miken32, May 04 '16 at 21:50
i apologize for the incorrect code procedures, i received help on this code from my previous post here on stack overflow. — BC0148, May 04 '16 at 21:53
when you say share your markup for your form, do you mean can i show my HTML form ? — BC0148, May 04 '16 at 21:57
@MarcusFrölander what would be the code i need to put to do that dump that you mentioned — BC0148, May 04 '16 at 22:48
Hi, Please do not deface your post after you have taken help from it. It is like cutting down a tree after taking shelter below it. Please allow the other future users to gain from the knowledge. The answerers would have put a lot of effort. Do not put their valuable time to waste. — Bhargav Rao, May 05 '16 at 19:53

score 0 · Answer 1 · answered May 04 '16 at 21:55

0

Are you ever visiting register.php without a post submit? Because if you were to go to that page without doing a submit, the insert will still execute, but your variables will all be null since they are only set when $_POST['submit'] is set.

If that is the case, try this instead:

if(isset($_POST['submit']))
{
     $uname = $_POST['uname'];
     $email = $_POST['email'];
     $upass = $_POST['upass'];

     $stmt = $dbh->prepare("SELECT COUNT(*) as `emailcount` FROM `User` WHERE email=:email");
     $stmt->execute(array("email" => $_POST['email']));
     $row = $stmt->fetch(PDO::FETCH_ASSOC);

     if ($row['emailcount'] > 0) {
        echo "<script>alert('Email $email already exists in our system. Please try another email')</script>";
     } else {


        $stmt = $dbh->prepare("INSERT INTO User(`uname`, `email`, `upass`) VALUES (:uname, :email, :upass)");

        $stmt->execute(array("uname" => $_POST['uname'], "email" => $_POST['email'], "upass" => md5($_POST['upass'])));
     }
}

answered May 04 '16 at 21:55

kunruh

874
1
8
17

the reason why i have post 'submit' is because submit is the name of my HTML button to submit the form – BC0148 May 04 '16 at 22:07
1

@BC0148 I understand, I but how you described your issue made it sound like there was some way that you were visiting that page other than through your form submission. As in, if you were just to type in your browser `http://mywebite.com/register.php`, it would see that there was no `$_POST['submit']` set. Therefore, those three variables would not be set. BUT the way you had it set up, it would still execute everything below that while still trying to use `$uname`, `$email`, and `$upass` which aren't sent unless you got to that page via the form submit redirect. Does that make sense? – kunruh May 04 '16 at 22:13
ahhh maybe thats the problem then..because actually i am visiting the page just by typing in www.xxx/register.php . – BC0148 May 04 '16 at 22:17
i also think i misunderstoof the submit isset method.. i thought that was just relating the php code to the submit button on that registration form on register.php. I didnt know it meant that those variables would only be set if that page was accessed by a submit redirect – BC0148 May 04 '16 at 22:18
So do i need to alter my code in order it for not to post NULL's when accessing the page by typing the url into the browser – BC0148 May 04 '16 at 22:24
@BC0148 Correct. When you use the submit button on your form, the browser looks at what type of request you want to make. Since your form specifies POST, it will make a POST HTTP request. When you visit a page by typing into your browser, you are making a GET request. Checkout: http://www.w3schools.com/tags/ref_httpmethods.asp – kunruh May 04 '16 at 22:25
@BC0148 The code I posted should fix that. Basically, when you type the url into the browser to go to that page, it will check if that 'submit' index is set in the POST fields. And since it won't be in this case, it just skips everything else. That's why I put all the database stuff inside one big conditional block. – kunruh May 04 '16 at 22:27
the code you posted did not fix that, in fact the code you posted actually made it post nothing to database after hitting the submit button on the register.php page.. p.s, i accessed the register.php page by typing the URL into my browser – BC0148 May 04 '16 at 22:32
@BC0148 It's pretty tough to debug without knowing the full cycle of the registration process on your site. I would start by adding var_dumps in parts of your registration page in order to see what parts are getting executed and what aren't. Also, maybe try commenting out the `header` redirect part for now. I don't know where you are setting the `User` session so its possible you are trying to register but always get redirected back to `home.php` because you have that session variable set. – kunruh May 04 '16 at 22:48
okay i commented that out . how do i do that var_dumps can you tell me the right code to do that. im new to that – BC0148 May 04 '16 at 22:55
also, i just updated my code up top so you could see how it looks like now . still creating null rows though – BC0148 May 04 '16 at 22:59
Update, just did a var_dump($uname); var_dump($email); var_dump($upass); in my register.php and when i go to register.php at the top of the page i see it print ' NULL NULL NULL' so that tells me why its placing NULL in my table. The question is why are those values NULL? – BC0148 May 04 '16 at 23:04
any ideas ? @kunruh – BC0148 May 05 '16 at 00:43
@BC0148 You commented out the if statement at the top. That's why you are getting nulls again. Without that if statement checking for the $_POST['submit'] being checked, every time you visit that page it is going to insert. And the only time those POST variables actually have values other than NULL is when you hit the page via clicking the submit button. – kunruh May 05 '16 at 06:11
So after I uncomment that out, and want to make the values not be null even after just accessing this page via url typing. What needs to be altered to make that work – BC0148 May 05 '16 at 13:43

PHP Form adding NULL rows to my SQL database when making user account

1 Answers1