I have two fields in my form: email & password.

I am trying to make a registration from a single form.

The conditions are: if the user is registered, he will be logged in; if not, he will get registered.

Unable to get the echo response.

```php
<?php

include_once('connection.php');
include_once('functions.php');

$username = $_GET['username'];
$password = $_GET['password'];
$response=array();

// Check if that username is already exists.
$find_user = mysqli_query($conDB,"SELECT * FROM `users_info` WHERE `username` = '".$username."'");
if (mysqli_num_rows($find_user) != 0) $error[] = "That username is already  exist.";

if (empty($error)){

    $hashed_password = sha1($password);

    // Check if submitted info is correct or not.
    $check = mysqli_query($conDB,"SELECT * FROM `users_info` WHERE `username` = '".$username."' AND `password` = '".$hashed_password."'");

    if (mysqli_num_rows($check) == 1) {

        $code="login_success";
        array_push($response,array("code"=>$code,"email"=>$username));
        echo json_encode($response);

    } else if (empty($error)){

        $result = mysqli_query($conDB," INSERT INTO `users_info` (
        `username`,
        `password`
        ) VALUES (
        '".$username."',
        '".$hashed_password."'
        )");

        if(confirm_query($result)) {
            redirect('login.php?signup=1');
        }

    } else {
        $error[] = "Incorrect username or password.";
    }

}

?>
```

Nolan
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Dec 21 '16 at 12:06
  • ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Dec 21 '16 at 12:06
  • One more thing: you are defining errors as an array, so it's good to check `count($error) > 0` in the if statement instead of `empty($error)` ... – Naveed Ramzan Dec 21 '16 at 12:11
  • You need to add `print_r($error);` in the event you have an error. In addition you need to check your queries for errors or look in the error logs. – Jay Blanchard Dec 21 '16 at 12:11
  • If `$username` is in the DB you will never enter the `if`. – chris85 Dec 21 '16 at 12:11
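
The approach the comments recommend (prepared statements plus PHP's built-in password functions), as an added example that is not part of the original post or its comments. It swaps in PDO with an in-memory SQLite database so it runs without a MySQL server; `login_or_register()` and the `signup_success`/`login_failed` codes are assumptions, while the table and column names follow the question.

```php
<?php
// Added example: PDO + SQLite in memory stand in for the question's MySQL
// connection so the script runs offline. login_or_register() is a
// hypothetical helper; only "login_success" comes from the question.

function login_or_register(PDO $db, string $username, string $password): array
{
    // The username is bound as a parameter, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT password FROM users_info WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();   // false when no row matches

    if ($stored === false) {
        // Unknown username: register. password_hash() salts and stretches the
        // password; hash the raw value without escaping or trimming it first.
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $ins = $db->prepare('INSERT INTO users_info (username, password) VALUES (?, ?)');
        $ins->execute([$username, $hash]);
        return ['code' => 'signup_success', 'email' => $username];
    }

    // Known username: compare the submitted password with the stored hash.
    if (password_verify($password, $stored)) {
        return ['code' => 'login_success', 'email' => $username];
    }
    return ['code' => 'login_failed', 'error' => 'Incorrect username or password.'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The PRIMARY KEY makes a duplicate insert fail loudly instead of silently.
$db->exec('CREATE TABLE users_info (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample requests (not real accounts).
$requests = [
    ['nolan@example.com', 'correct horse'],    // first sight: registers
    ['nolan@example.com', 'correct horse'],    // same credentials: logs in
    ['nolan@example.com', 'wrong'],            // bad password: rejected
    ["o'brien@example.com", 'pw'],             // quote is stored as data
];
foreach ($requests as [$user, $pass]) {
    echo json_encode(login_or_register($db, $user, $pass)), PHP_EOL;
}
```

Every branch returns a response array, so the caller always has something to echo.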

0 Answers