-1

I'm trying to make the sign-in and the sign-up within the same page in a website. I have this form in HTML:

```html
<form name="form1" action="check_login.php" method="post">
    <input type="email" id="email" name="email" required="required" placeholder="Email Address" />
    <input type="password" id="password" name="password" required="required" placeholder="Password" />
    <span><input type="checkbox" class="checkbox">Keep me signed in</span>
    <button name="login" type="submit" class="btn btn-default">Login</button>
</form>
```

and the form

```html
<form name="form2" action="check_login.php" method="post">
    <input type="text" id="fname" name="fname" required="required" placeholder="First Name" />
    <input type="text" id="mname" name="mname" required="required" placeholder="Middle Name" />
    <input type="text" id="lname" name="lname" required="required" placeholder="Last Name" />
    <input type="email" id="email" name="nemail" required="required" placeholder="Email " />
    <input type="password" id="password" name="npassword" required="required" placeholder="Password" />
    <input type="password" id="cpassword" name="cpassword" required="required" placeholder="Confirm Password" />
    <select name='gender' class='col-sm-4'>
        <option value='male'>male</option>
        <option value='female'>female</option>
    </select>
    <div class='col-sm-offset-8'>
        <button name="sign_up" type="submit" class="btn btn-default">Sign up</button>
    </div>
</form>
```


They are in the same page and both navigate to another page within my website. Then I have this code in PHP:

```php
if (!empty($_POST['login']))
{
    $email = $_POST['email'];
    $password = $_POST['password'];
    $sql_stmt="select email, password from users where email = '"
            .$email."' and password ='".$password."'";

    $result= mysqli_query($connection,$sql_stmt);
    if ($result)
    {
        header ("location: index.php");
    }
    else {
        header ("location: login.php");
    }
}
if(!empty($_POST['sign_up']))
{
    $fname=$_POST['fname'];
    $mname=$_POST['mname'];
    $lname=$_POST['lname'];
    $gender=$_POST['gender'];
    $nemail=$_POST['nemail'];
    $npassword=$_POST['npassword'];
    //if email is already stored ?
    $signup="INSERT INTO `users`(`first_name`, `middle_name`, `last_name`,"
            . " `gender`, `email`, `password`)"
            . " VALUES ('".$fname."','".$mname."','".$lname."','".$gender.
            "','".$nemail."','".$npassword."')";

    $result1=  mysqli_query($connection, $signup);
    if ($result1)
    {
        header ("location: index.php");
    }
    else {
        header ("location: login.php");
    }
}
```

But the navigation to the index never happens!

  • 3
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Oct 12 '16 at 13:15
  • 2
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Oct 12 '16 at 13:15
  • 2
    From @tadman: WARNING: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern development framework like Laravel comes with a robust authentication system built-in. – Jay Blanchard Oct 12 '16 at 13:15
  • 2
    Then clearly `$result` is `false`. Which means the database query is failing. And there is ***a lot*** wrong with your database queries. At the very least, check for errors from the database. – David Oct 12 '16 at 13:15
  • + its duplicate one ... – Karthi Oct 12 '16 at 13:17
  • You should check your query and make that correct; if it returns true, then it goes to the index condition. – Raghbendra Nayak Oct 12 '16 at 13:19
  • Don't use `empty()` for submit buttons, use `isset()`, it's better. – Funk Forty Niner Oct 12 '16 at 13:20
  • All I can say for this is: check for errors via PHP and MySQL. – Funk Forty Niner Oct 12 '16 at 13:23
  • @A.alhamdani did you get the solution? – Masivuye Cokile Oct 14 '16 at 12:01

1 Answer

0

First things first: you need to validate your user input before storing it in the DB, and you also need to hash your passwords. You can read more about hashing here and also read the FAQ here.

Also read about prepared statements, whether you use MySQLi or PDO; read here:

```php
<?php
// $connection is assumed to be a PDO instance created elsewhere.
session_start(); // required before $_SESSION can be used

if (isset($_POST['login'])) {

        $email    = userInput($_POST['email']);
        $password = $_POST['password']; // do not alter the password before verifying it

        $sql_stmt = $connection->prepare("SELECT email, password FROM users WHERE email = ?");
        $sql_stmt->bindValue(1, $email);
        $sql_stmt->execute();
        $results = $sql_stmt->fetch(PDO::FETCH_ASSOC); // one row, or false when no email matched

        if ($results && password_verify($password, $results['password'])) {
                $_SESSION['username'] = $results['email'];
                header("location:page"); // login details are correct, redirect to the page you want
                exit; // stop the script once the redirect header is sent

        } else { // email and password do not match

                // Return your error message
        }

}

if (isset($_POST['sign_up'])) {

        $fname     = userInput($_POST['fname']);
        $mname     = userInput($_POST['mname']);
        $lname     = userInput($_POST['lname']);
        $gender    = userInput($_POST['gender']);
        $nemail    = userInput($_POST['nemail']);
        // hash the raw password; no cleansing before or after hashing
        $npassword = password_hash($_POST['npassword'], PASSWORD_DEFAULT);

        // check if email is already stored
        $sql_stmt = $connection->prepare("SELECT email FROM users WHERE email = ?");
        $sql_stmt->bindValue(1, $nemail);
        $sql_stmt->execute();

        $results = $sql_stmt->fetchAll(PDO::FETCH_ASSOC);
        if (count($results) > 0) {

                // Email exists, print message

        } else {

                // Email does not exist, register the user
                $sql_stmt = $connection->prepare("INSERT INTO users (first_name, middle_name, last_name, gender, email, password) VALUES (?,?,?,?,?,?)");
                // positional placeholders take a plain, 0-indexed list of values
                $sql_stmt->execute(array($fname, $mname, $lname, $gender, $nemail, $npassword));

                // Print success message

                header("location: index.php"); // redirect where you want (index.php as in the question)
                exit;
        }

}

function userInput($data)
{
        $data = trim($data);
        $data = stripcslashes($data);
        $data = htmlspecialchars($data);

        return $data;
}
?>
```
Masivuye Cokile
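The points raised in the comments and the answer above, as an added example (not code from the original post or its answer): a prepared-statement sign-up and login in which a failing query throws instead of silently returning `false`, and a UNIQUE index rejects a duplicate email even when two sign-ups race past a check-then-insert. It assumes PDO with an in-memory SQLite database standing in for MySQL; the `register()` and `login()` helpers, the reduced table and the sample values are hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL database (assumption).
$db = new PDO('sqlite::memory:');
// Make every failed query throw, so an error cannot be mistaken for "no match".
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Reduced users table: UNIQUE lets the database enforce one account per email;
// the password column holds the password_hash() output, never the password.
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    last_name TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)');

// Hypothetical helper: true on success, false when the email is already taken.
function register(PDO $db, string $lname, string $email, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO users (last_name, email, password) VALUES (?, ?, ?)');
    try {
        // The raw password goes straight into password_hash(), with no cleansing.
        $stmt->execute([$lname, $email, password_hash($password, PASSWORD_DEFAULT)]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // SQLSTATE: integrity constraint violation
            return false;
        }
        throw $e; // any other failure is a real error and must not be hidden
    }
}

// Hypothetical helper: true only when a row exists AND the stored hash matches.
function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn(); // false when no row matched the email
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample input.
var_dump(register($db, "O'Brien", 'pat@example.com', 'correct horse')); // quote is bound as data
var_dump(register($db, 'Other', 'pat@example.com', 'another one'));     // same email again
var_dump(login($db, 'pat@example.com', 'correct horse'));               // matching password
var_dump(login($db, 'pat@example.com', 'wrong password'));              // hash does not match
var_dump(login($db, 'nobody@example.com', 'correct horse'));            // no such account
```

In the question's concatenated queries, a last name such as O'Brien ends the SQL string literal early and makes the INSERT fail; bound as a parameter it is stored unchanged.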