
I've been struggling with this one for a couple of days and since this is my first project using PHP it's kinda hard to figure it out by myself. I rewrote my code with the help from other threads but I still can't find the solution.

So, I want to make a simple user registration. I get the user's input from this form, which is included in registration_page.html, the code is this:

<form id="registerForm" action="http://localhost//register.php" method="post">
  <fieldset align="center">
    <legend id="legendText">Register</legend>
    <p>Name:
      <input type="text" name="fname" value="" required autofocus maxlength="16"></p>
    <p>Last name:
      <input type="text" name="lname" value="" required maxlength="16"></p>
    <p>E-mail:
      <input type="email" name="mail" value="" placeholder="@mail.com" maxlength="32" required></p>
    <p>Age:
      <input type="number" name="age" value="" maxlength="2" max="99" maxlength="2" size="2" min="1" required></p>
    <p>Job:
      <input type="text" name="job" value="" maxlength="16" required></p>
      <table align="center" id="registerPwdAndUsrTable" border="1" width="30%">
        <tr>
          <td>
            <p>Username:
              <input type="text" name="username" value="" required  maxlength="16"></p>
          </td>
          <td>
            <p>Password:
              <input type="password" name="password" value="" required  maxlength="16"></p>
          </td>
        </tr>
      </table>
      <input form="registerForm" type="Submit" value="Εγγραφή">
      <input form="registerForm" type="Reset" value="Ακύρωση">
  </fieldset>
</form>

After submitting the form the php script that is called is register.php (as you see in the action=" " my script is handled by the server). Now, the register.php is:

register.php

<!Doctype html>
<html>
<head>
  <meta charset="utf-8"><!--characters recognised-->
  <title>Register</title>
<style>

body{
  background-image: url(my_images//background_homepage.jpg);
  background-repeat: no-repeat;
  background-size:cover;
}
</style>
</head>
<body>

<?php
  extract( $_POST );//superglobal variable

if( isset($_POST['submit'] ) ) {

  print_r($_POST);

  //Getting the variables from 'registerForm' ++  /* checking if user inputs are set */
  $first_name = (isset($_POST['fname'])) ? $_POST['fname'] : NULL;
  $last_name = (isset($_POST['lname'])) ? $_POST['lname'] : NULL;
  $age = (isset($_POST['age'])) ? $_POST['age'] : NULL;
  $job = (isset($_POST['job'])) ? $_POST['job'] :NULL;
  $email = (isset($_POST['mail'])) ? $_POST['mail'] : NULL;
  $username = (isset($_POST['username'])) ? $_POST['username'] : NULL;
  $password = (isset($_POST['password'])) ? $_POST['password'] : NULL;

//INSERT INTO Query Creation
$sqlQuery = "INSERT INTO registered_user ( age,email,fname,job,lname,password,username )
 VALUES ('$age','$email','$first_name','$job','$last_name','$password','$username')";

//MySQL connection
if( !( $database = mysql_connect( "localhost","root","" ) ) )//server name , a username , password
  die( "Couldn't connect to DB </body></html>" );//if false --> script gets terminated

//Opening database "htmlproject"
if( !mysql_select_db("htmlproject",$database) )//Database to be used , htmlproject
  die( "Couldnt open htmlproject db </body></html>" );

//Query
mysql_query( $sqlQuery, $database);
if( !( $result = mysql_query( $sqlQuery, $database) ) )
{
  print( "failed query! <br />" );
  die( mysql_error() . "</body></html>" );
}else{
  print("success query!");
}//end if

//Free resources
mysql_close( $database );

}//end ifisset
?><!--end php script.To be executed by server-->

<script type="text/javascript">//registration completed
var r=window.confirm("registration completed");
if( r == true){
  document.location.href = "HOMEPAGE.html";
}else{
    document.location.href = "HOMEPAGE.html";
}
</script>

</body>
</html>

So my problem is that the INSERT INTO registered_user... doesn't work. I don't get an entry to my database, nothing. I am using XAMPP and the table is this:

registered_user table SQL script

Jay Blanchard
Yiannr
  • Please post your code here so it is preserved for future visitors to SO. – Jay Blanchard Jun 23 '16 at 18:24
  • Are you passing a username and password to your sql database? I see it's excluded in your script, but maybe just for posting here? What error is it giving you? Are any of those die messages showing? You will also need to make sure the user you're connecting with has sufficient privileges to read/write to db. – Dan Weber Jun 23 '16 at 18:24
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 23 '16 at 18:25
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 23 '16 at 18:25
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 23 '16 at 18:26
  • I get no errors, the php script is running until it's finished and at the end it redirects to HOMEPAGE.html. The issue is that the "fields" are not registered, I get no entry in my database. – Yiannr Jun 23 '16 at 18:28
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. This has many dangerous [SQL injection vulnerabilities](http://bobby-tables.com/) since you didn’t [properly escape values](http://bobby-tables.com/php). This code allows *anyone* to get *anything* from your site. **DO NOT** write your own authentication system. Any [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with an [authentication system](https://laravel.com/docs/5.2/authentication) built-in. – tadman Jun 23 '16 at 18:29
  • ¯\\_(ツ)_/¯ ^^ this. @tadman is a really smart guy, you should listen to him. – Jay Blanchard Jun 23 '16 at 18:30
  • @JayBlanchard Thanks for the props. I'm just trying to help. – tadman Jun 23 '16 at 18:31
  • I think yours is one of the best repeatable comments here @tadman. – Jay Blanchard Jun 23 '16 at 18:32
  • @JayBlanchard I'm slowly wearing out my V key by pasting that on to so many answers, but it's got to be said. This stuff is crazy hard to get perfectly correct, and anything less than that exposes your users to huge risks. Code like this is why the [hall of shame](http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/) keeps getting bigger on a daily basis, so don't think I'm over-reacting here. Thanks for helping with warnings and advice. Every bit counts! – tadman Jun 23 '16 at 18:34
  • I'd bet a dollar there are errors galore in the web server's error log. – Jay Blanchard Jun 23 '16 at 18:39
  • To all of you concerned about the safety and the security, I have no intention to make this app/website public or available to anyone apart from me. This is my first try with php and MySQL but I have to thank you for your safety and security advice. – Yiannr Jun 23 '16 at 18:40
  • I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Jun 23 '16 at 18:42
  • @JayBlanchard you are absolutely right. – Yiannr Jun 23 '16 at 18:47
  • Though I do agree teachers should be touching on security issues early, I think it is still okay to do stuff like this when you are first learning on your own local machine. As long as the instructor and the student both understand that this code should never reach the light of day. It's important for students to understand the basic flow of something like this and get it working the first time around. Then the second run through, they can focus on writing it the RIGHT way. If you try doing it all at once, a new student is going to get overwhelmed and not know where to start debugging. – kunruh Jun 23 '16 at 18:51

1 Answer


You never, ever define 'submit'. You don't have a form element with that name. Therefore this:

if( isset($_POST['submit'] ) ) {

will fail every time. You're not outputting any error messages, have you checked your error logs? You're making an assumption the queries are working. Add error reporting to the top of your file(s) right after your opening `<?php` tag: `error_reporting(E_ALL); ini_set('display_errors', 1);`. Add error checking, such as `or die(mysql_error())`, to your queries. Or you can find the issues in your current error logs. Error checking will reveal `$_POST['submit']` is undefined.


In addition:

Little Bobby says your script is at risk for SQL Injection Attacks. Even escaping the string is not safe!

Please stop using mysql_* functions. These extensions have been removed in PHP 7. Learn about prepared statements for PDO and MySQLi and consider using PDO, it's really pretty easy.

Never store plain text passwords! Please use PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. Make sure you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

Jay Blanchard
  • Just to clarify for John here, you need to add `name="submit"` attribute to your Submit input. I know this answer is probably sufficient for most people to understand that, but it sounds like you are fairly new to submitting forms so I just wanted to make sure it's clear. Though you do specify `type="submit"`, it also needs a name to be referenced within the `$_POST` array. – kunruh Jun 23 '16 at 19:00
  • This was the error that prevented my entries to be submitted. – Yiannr Jun 24 '16 at 10:14
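
The answer's advice put together (a PDO prepared statement, `password_hash()`, and no dependence on `$_POST['submit']` or `extract()`), as an added example that is not part of the original thread. The column names come from the question's INSERT; the in-memory SQLite database, the column types, the `registerUser()` helper and the sample values are assumptions made so the sketch runs offline.

```php
<?php
// Added example, not the asker's or the answerer's code.
declare(strict_types=1);

// Assumption: in-memory SQLite so this runs offline. For the XAMPP setup on this page
// the DSN would be 'mysql:host=localhost;dbname=htmlproject;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw, never silent

// Constructed schema: column names from the question's INSERT, types assumed.
// password_hash() output is far longer than the form's 16-character limit,
// so the password column is VARCHAR(255).
$pdo->exec('CREATE TABLE registered_user (
    age INTEGER, email VARCHAR(32), fname VARCHAR(16), job VARCHAR(16),
    lname VARCHAR(16), password VARCHAR(255), username VARCHAR(16) UNIQUE)');

// Hypothetical helper: validates the expected keys and inserts one row.
function registerUser(PDO $pdo, array $post): bool
{
    $fields = ['age', 'mail', 'fname', 'job', 'lname', 'password', 'username'];
    foreach ($fields as $f) {          // read only the expected keys; no extract($_POST)
        if (!isset($post[$f]) || !is_string($post[$f]) || $post[$f] === '') {
            return false;
        }
    }
    // Hash the raw password; do not escape or trim it first.
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO registered_user
        (age, email, fname, job, lname, password, username)
        VALUES (:age, :email, :fname, :job, :lname, :password, :username)');
    return $stmt->execute([
        ':age' => (int) $post['age'], ':email' => $post['mail'], ':fname' => $post['fname'],
        ':job' => $post['job'], ':lname' => $post['lname'],
        ':password' => $hash, ':username' => $post['username'],
    ]);
}

// Constructed sample submission. In register.php this would be $_POST, guarded by
// $_SERVER['REQUEST_METHOD'] === 'POST' rather than isset($_POST['submit']).
$sample = ['fname' => 'Pat', 'lname' => "O'Brien", 'mail' => 'pat@example.com', 'age' => '30',
           'job' => 'tester', 'username' => 'pat', 'password' => 'correct horse'];

var_dump(registerUser($pdo, $sample)); // the apostrophe in lname is bound as data
$row = $pdo->query('SELECT lname, password FROM registered_user')->fetch(PDO::FETCH_ASSOC);
var_dump($row['lname'] === "O'Brien", password_verify('correct horse', $row['password']));
```

The last name with an apostrophe is the kind of ordinary input that breaks the string-built query in the question; with placeholders it is stored unchanged, and login would compare passwords with `password_verify()` rather than a SQL equality test.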