0

I have a registration form in Unity3d which looks like this:

void CreateAccountGUI()
    {
        GUI.Box(new Rect(320, 120, 400, 380), "Create Account");

        GUI.Label(new Rect(390, 200, 220, 23), "Email");
        CEmail = GUI.TextField(new Rect(390, 225, 220, 23), CEmail);

        GUI.Label(new Rect(390, 255, 220, 23), "Password");
        CPassword = GUI.TextField(new Rect(390, 280, 220, 23), CPassword);

        GUI.Label(new Rect(390, 310, 220, 23), "Confirm Email");
        ConfirmEmail = GUI.TextField(new Rect(390, 340, 220, 23), ConfirmEmail);

        GUI.Label(new Rect(390, 370, 220, 23), "Confirm Password");
        ConfirmPass = GUI.TextField(new Rect(390, 400, 220, 23), ConfirmPass);

        if (GUI.Button(new Rect(370, 460, 120, 25), "Create Account"))
        {
            if (ConfirmPass == CPassword && ConfirmEmail == CEmail)
            {
                StartCoroutine("CreateAccount");
            }
            else
            {
                //StartCoroutine();
            }
        }
        if (GUI.Button(new Rect(520, 460, 120, 25), "Back"))
        {
            currentMenu = "Login";
        }
    }

My coroutine looks like this:

IEnumerator CreateAccount()
    {
        //Sending messages to php script
        Debug.Log("button pressed");
        WWWForm Form = new WWWForm();

        Form.AddField("emailPost", CEmail);
        Form.AddField("passwordPost", CPassword);

        WWW CreateAccountWWW = new WWW(CreateAccountUrl, Form);
        // Wait for the php to send a response
        yield return CreateAccountWWW;
        if (CreateAccountWWW.error != null)
        {
            Debug.LogError("Cannot Connect to Account Creation");
            Debug.Log(CreateAccountWWW.error);
        }
        else
        {
            Debug.Log(CreateAccountWWW.text);
            string CreateAccountReturn = CreateAccountWWW.text;
            if (CreateAccountReturn == "Success")
            {
                Debug.Log("Success: Account created");
                currentMenu = "Login";
            }
        }
    }

my connection PHP file looks like the following: 

<?php
$db_name = "mydata";
$mysql_username = "root";
$mysql_password = "";
$server_name = "localhost";
$conn = mysqli_connect($server_name, $mysql_username, $mysql_password, $db_name);
if($conn){
    echo "Connection Succesful";
}
else{
    echo "Connection Not Succesful";
}
?>

and lastly my PHP to create the new user looks like the following:

<?php
require "conn.php";
$Email = $_POST["emailPost"];
$Password = $_POST["passwordPost"];

if(!$Email || !$Password){
    echo "Empty";
}else{
    $SQL = "SELECT * FROM users WHERE Email = '" . $Email ."'";
    $Result = mysqli_query($conn,$SQL) or die("DB Error");
    $Total = mysqli_num_rows($Result);
    if($Total == 0){
        $insert = "INSERT INTO 'users' ('Email', 'Password') VALUES ('" . $Email . "', MD5('" . $Password . "'))";
        $SQL1 = mysqli_query($conn, $insert);
        echo "Success";
    }else{
        echo "AlreadyUsed"; //if user exists
    }
}

?>

I also have an image of my database:

enter image description here

Everything seems to be working fine as I get the successful triggered everywhere. But the new data just does not enter my users table.

What am I doing wrong ?

arjwolf
  • 181
  • 4
  • 16
  • In addition to using the wrong quotes/ticks for the table, you are wide open for SQL injection. Since you're using mysqli, take advantage of [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php). – aynber Dec 05 '16 at 20:48
  • Not to mention a duplicate of your other question - http://stackoverflow.com/q/40981326/1011527 – Jay Blanchard Dec 05 '16 at 20:49
  • ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Dec 05 '16 at 20:49
  • You should be back ticking table and column names where you have single quotes here: `"INSERT INTO 'users' ('Email', 'Password') ` – Jay Blanchard Dec 05 '16 at 20:50
  • Thank you @JayBlanchard the backticks did the trick – arjwolf Dec 05 '16 at 21:00

0 Answers0