
I am learning PHP and MySQL and trying to create a form with registration and login pages, but I am having trouble getting the registration form to write data to my database. I do not get errors regarding the connection to the database, but my tables remain empty when I try to post data. I am getting the error

'Something went wrong while registering. Please try again later.'

Any help is much appreciated.

<?php
//signup.php
include 'connect.php';

 echo '<h2>Register </h2>';
if($_SERVER['REQUEST_METHOD'] != 'POST')
{
    /*the form hasn't been posted yet, display it
      note that the action="" will cause the form to post to the same page it is on */
    echo '<form method="post" action="">
        Username: <input type="text" name="Username" />
        Password: <input type="password" name="Password">
        Confirm Password: <input type="password" name="Confirm">

        <input type="submit" value="Submit" />
     </form>';

    }
else
{
    /* so, the form has been posted, we'll process the data in three steps:
        1.  Check the data
        2.  Let the user refill the wrong fields (if necessary)
        3.  Save the data 
    */
    $errors = array(); /* declare the array for later use */

    if(isset($_POST['Username']))
    {
        //the user name exists
        //if(!ctype_alnum($_POST['Username']))
        if($_POST['Username'] == ['Username'])  
        {
            $errors[] = 'The username is already in use.';
        }

        }
    else
    {
        $errors[] = 'The username field must not be empty.';
    }

    if(isset($_POST['Password']))
    {
        if($_POST['Password'] != $_POST['Confirm'])
        {
            $errors[] = 'The two passwords did not match.';
        }
    }
    else
    {
        $errors[] = 'The password field cannot be empty.';
    }

    if(!empty($errors)) /*check for an empty array, if there are errors, they're in this array (note the ! operator)*/
    {
        echo 'Uh-oh.. a couple of fields are not filled in correctly..';
        echo '<ul>';
        foreach($errors as $key => $value) /* walk through the array so all the errors get displayed */
        {
            echo '<li>' . $value . '</li>'; /* this generates a nice error list */
        }
        echo '</ul>';
    }
    else
    {
        //the form has been posted without errors, so save it
        //notice the use of mysql_real_escape_string, keep everything safe!
        //also notice the sha1 function which hashes the password
        $sql = "INSERT INTO
                    Users(Username, Password)
                VALUES('" . mysql_real_escape_string($_POST['Username']) . "',
                       '" . md5($_POST['Password']) . "',
                        NOW(),
                        0)";

        $result = mysql_query($sql);
        if(!$result)
        {
            //something went wrong, display the error
            echo 'Something went wrong while registering. Please try again later.';
            //echo mysql_error(); //debugging purposes, uncomment when needed
        }
        else
        {
         header ("location: index.htm"); //redirects to Index Page


        }
    }
}

?> 

thank you

Abdul Hameed
  • try to insert query manually – LOKESH Jun 28 '16 at 12:40
  • Simple: You're NOT checking for errors and Lord only knows what's inside `connect.php`. – Funk Forty Niner Jun 28 '16 at 12:40
  • You are telling the script to insert only in Users(Username, Password) but you are also parsing two more values NOW() and 0) – b0ne Jun 28 '16 at 12:40
  • Then you have this piece of *"I don't know what..."* `if($_POST['Username'] == ['Username'])` – Funk Forty Niner Jun 28 '16 at 12:41
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 28 '16 at 12:44
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 28 '16 at 12:44
  • You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 28 '16 at 12:44
  • What is the comment in your code referring to, `also notice the sha1 function which hashes the password`? There is no `sha1` being used here. If you were using `sha1` you can't use `md5`; they are not compatible and one version of your passwords won't work. Also, as noted, escaping isn't enough to `keep everything safe`. – chris85 Jun 28 '16 at 12:50
  • May I see your Users table – theTypan Jun 28 '16 at 13:17

1 Answer

Try this. I have added backticks to the Users table fields.

  $username = mysql_real_escape_string($_POST['Username']);
  $password = md5($_POST['Password']);

  $sql = "INSERT INTO Users(`Username`, `Password`) VALUES('$username', '$password')";

You are inserting NOW() and 0: two extra values.

Note that the first step in debugging an SQL query is running it in MySQL first. So try running the SQL statement in MySQL with dummy values for Username and Password and see if it works.

theTypan
  • How can I get the code to check a username exists? Is it better to use mysqli or php? – DarkKnight1203 Jun 29 '16 at 08:23
  • I would suggest you use mysqli and not mysql from the beginning. To check if a user exists, use the MySQL statement ``SELECT COUNT(user_id) FROM Users WHERE `username`= '$username'``. If the result is greater than 0 then a user exists, else if the result is 0 no user exists. Actually, the correct logic would be: if there is a user with that username, then the result should be 1 and not more – theTypan Jun 29 '16 at 09:07
  • To change to mysqli you should change your code to mysqli right from the connection – theTypan Jun 29 '16 at 09:09
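
The comments on the question recommend prepared statements and PHP's built-in password functions, and the comments on the answer ask how to check whether a username exists. The following is an added example, not code from the question or the answer, that combines the three using PDO. It assumes an in-memory SQLite database and a two-column `Users` table so that it runs without a server; with MySQL only the DSN changes (for instance `mysql:host=localhost;dbname=...;charset=utf8mb4` plus credentials).

```php
<?php
declare(strict_types=1);
// Added example. Assumed: SQLite in-memory DSN and this two-column Users schema.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Make failed queries throw instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE is the backstop if two requests register the same name at once.
    $pdo->exec('CREATE TABLE Users (
        Username VARCHAR(30)  NOT NULL UNIQUE,
        Password VARCHAR(255) NOT NULL
    )');
    return $pdo;
}

/** Returns a list of error messages; an empty list means the user was saved. */
function register(PDO $pdo, array $post): array
{
    $username = trim((string)($post['Username'] ?? ''));
    $password = (string)($post['Password'] ?? '');
    $confirm  = (string)($post['Confirm'] ?? '');

    $errors = [];
    if ($username === '') { $errors[] = 'The username field must not be empty.'; }
    if ($password === '') { $errors[] = 'The password field cannot be empty.'; }
    elseif ($password !== $confirm) { $errors[] = 'The two passwords did not match.'; }
    if ($errors) { return $errors; }

    // Values travel as bound parameters, never as part of the SQL text.
    $check = $pdo->prepare('SELECT COUNT(*) FROM Users WHERE Username = ?');
    $check->execute([$username]);
    if ((int)$check->fetchColumn() > 0) {
        return ['The username is already in use.'];
    }

    // Two columns, two placeholders; the password is hashed unmodified (no escaping).
    $insert = $pdo->prepare('INSERT INTO Users (Username, Password) VALUES (?, ?)');
    $insert->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    return [];
}

// Constructed sample input; the quote in the name needs no escaping.
$pdo = connect();
var_dump(register($pdo, ['Username' => "o'brien", 'Password' => 'pw-1', 'Confirm' => 'pw-1']));
var_dump(register($pdo, ['Username' => "o'brien", 'Password' => 'pw-2', 'Confirm' => 'pw-2']));
$hash = $pdo->query('SELECT Password FROM Users')->fetchColumn();
var_dump(password_verify('pw-1', $hash)); // login-side check against the stored hash
```

With `PDO::ERRMODE_EXCEPTION` set, a column/value count mismatch like the one in the question surfaces as an exception carrying the database's own message rather than a generic failure string.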