-4

I'm having this problem where I have a registration form and I am using PHP and MySQL. The problem is that even when all the data is valid it won't enter the information into the database. I know the database is connected because I can use it with the login part of my website. I think it is the problem with the email and username cross check against the database but I am not sure. Is it the positioning of the curly braces, or is it a lot more complex?

```php
<?php
  include_once('db.php');

  $name = mysql_real_escape_string( $_POST["name"] );
  $username = mysql_real_escape_string( ($_POST["username"]) );
  $password = mysql_real_escape_string( md5 ($_POST["password"]) );
  $repeatpassword = mysql_real_escape_string( $_POST['repeatpassword'] );
  $email = mysql_real_escape_string( $_POST["email"] );
  $confirmemail = mysql_real_escape_string( $_POST['confirmemail'] );

  // the below if statement is for when the user does NOT have JS enabled in their browser
  if(empty($name) || empty($username) || empty($password) || empty($email)){
    echo "(*) indicate that the fields are mandatory.";
    exit();
  }

  if($email == $confirmemail){
    exit();
  }else{
    echo "Your Email address does not match.";
  }

  if($email == $repeatpassword){
    exit();
  }else{
    echo "Your Passwords do not match.";
    exit();
  }

  $res = mysql_query("SELECT username FROM users WHERE username='$username'");
  $row = mysql_fetch_row($res);
  $res1 = mysql_query("SELECT email FROM users WHERE email='$email'");
  $row1 = mysql_fetch_row($res1);

  if( $row > 0 ){
    echo nl2br("The username $username is already in use");
  }else{

    if( $row1 > 0 ){
      echo nl2br("the email address $email is already in use");
    }else{

      $sql = "INSERT INTO users VALUES('','$name',  '$username', '$password', '$email')";

      if( mysql_query($sql) ){
        echo "Inserted Successfully";
      }else{
        echo "Insertion Failed";
      }
    }
  }

?>
```
AbraCadaver
  • wrong query you didn't specify column names – Pardeep Poria May 06 '16 at 15:26
  • You don't have to specify column names, though it is very much recommended. – Jonnix May 06 '16 at 15:27
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 06 '16 at 15:29
  • 4
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 06 '16 at 15:29
  • 2
    You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 06 '16 at 15:29
  • `if($email == $confirmemail){ exit();...`, `if($email == $repeatpassword) { exit();...`. What? – Jonnix May 06 '16 at 15:31

1 Answer

0
```php
if($email == $confirmemail) {
    exit();
}
else {
    echo "Your Email address does not match.";
}
```

So what you're doing in the above code is "if email and confirmation email are the same, stop the script execution else print out 'Your Email address does not match.' and continue execution".

```php
if ($email == $repeatpassword) {
  exit();
}
else {
  echo "Your Passwords do not match.";
  exit();
}
```

And here you are saying if "email and repeatpassword are the same (???), stop script execution else print out 'Your Passwords do not match.' and also stop script execution".

So because of this logic, obviously you never reach the code to insert data into the database.

TheDrot
  • omg, never noticed that, thanks, got so engrossed in finding the problem, lost sight of it haha, thanks though. – Tyler Wills May 06 '16 at 16:28
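
The answer's control-flow fix combined with the comments' advice on prepared statements and `password_hash()`, as an added example that is not the asker's or the answerer's code. The `register_user` function, the table layout and the in-memory SQLite database (standing in for MySQL) are assumptions.

```php
<?php
// Added example: function name, schema and sample values are assumptions.
function register_user(PDO $pdo, array $in): string
{
    foreach (['name', 'username', 'password', 'repeatpassword', 'email', 'confirmemail'] as $f) {
        if (!isset($in[$f]) || !is_string($in[$f]) || trim($in[$f]) === '') {
            return '(*) indicate that the fields are mandatory.';
        }
    }
    // Stop on a mismatch and continue on a match (the original did the reverse).
    if ($in['email'] !== $in['confirmemail']) {
        return 'Your Email address does not match.';
    }
    // Compare password with repeatpassword, not email with repeatpassword.
    if ($in['password'] !== $in['repeatpassword']) {
        return 'Your Passwords do not match.';
    }
    // Bound parameters keep user input out of the SQL text.
    $check = $pdo->prepare('SELECT username, email FROM users WHERE username = ? OR email = ?');
    $check->execute([$in['username'], $in['email']]);
    if ($row = $check->fetch(PDO::FETCH_ASSOC)) {
        return strcasecmp($row['username'], $in['username']) === 0
            ? 'The username is already in use'
            : 'The email address is already in use';
    }
    // Hash the raw password: no escaping and no MD5 beforehand.
    $hash = password_hash($in['password'], PASSWORD_DEFAULT);
    $ins = $pdo->prepare('INSERT INTO users (name, username, password, email) VALUES (?, ?, ?, ?)');
    $ins->execute([$in['name'], $in['username'], $hash, $in['email']]);
    return 'Inserted Successfully';
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, username TEXT UNIQUE,
            password TEXT, email TEXT UNIQUE)');

// Constructed form submission.
$form = ['name' => 'Alice Example', 'username' => 'alice', 'password' => 'correct horse',
         'repeatpassword' => 'correct horse', 'email' => 'alice@example.test',
         'confirmemail' => 'alice@example.test'];
echo register_user($pdo, $form), PHP_EOL;                                // first registration
echo register_user($pdo, $form), PHP_EOL;                                // same username again
echo register_user($pdo, ['repeatpassword' => 'typo'] + $form), PHP_EOL; // mismatched passwords
```

The `UNIQUE` constraints are what enforce uniqueness when two requests arrive at once; the `SELECT` only produces the friendly message. At login, check the stored hash with `password_verify()`.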