
I'm creating a sign-up form and following this video.

Registration doesn't work. User data doesn't transfer and appear in the phpMyAdmin user table. Can you help me please?

```php
<?php
include 'dbh.php';

$first = $_post['first'];
$uid = $_post['uid'];
$pwd = $_post['pwd'];


$sql = "INSERT INTO user (first, uid, pwd) 
VALUES ('$first', '$uid', '$pwd')";

$result = mysqli_query($conn, $sql);

header("Location: contact.html");
```

and for dbd.php

```php
$conn = mysqli_connect("");

if (!$conn) {
 die("connection failed: ".mysqli_connect_error());
}
```

The connection seems to be working because it doesn't write an error, which it used to when I had wrong input there.

Mistalis
bostonbb
  • 4
    this is stitched with errors and unknowns – Funk Forty Niner Jan 03 '17 at 20:02
  • 4
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jan 03 '17 at 20:04
  • 3
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 03 '17 at 20:04
  • 1
    `$_post` != `$_POST`. I also would look for a better tutorial. Tutorials shouldn't just have notes about things to look out for, they should show how to do this properly the first time (parameterized queries). http://php.net/manual/en/mysqli.quickstart.prepared-statements.php – chris85 Jan 03 '17 at 20:10
  • Your script is throwing several error messages but you haven't configured PHP to display error messages. That's something you need to address before you go further because it's hard to code properly without the aid of error messages. The error reporting thumb rule is to show in development and log in production. As a starting point, I suggest you edit the system-wide `php.ini` file in the computer where you develop and tweak the `error_reporting` and `display_errors` directives ([details here](http://stackoverflow.com/a/5680885/13508)). – Álvaro González Jan 04 '17 at 10:06

0 Answers
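The comments above name four fixes: the `$_POST` spelling, visible errors, a prepared statement, and `password_hash()`. The following is an added example that combines them; it is not the asker's code or the tutorial's. It assumes `dbh.php` defines `$conn` and that the `pwd` column is wide enough for a hash (for example `VARCHAR(255)`).

```php
<?php
declare(strict_types=1);

// Show errors while developing; log them instead in production.
error_reporting(E_ALL);
ini_set('display_errors', '1');
// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require 'dbh.php'; // assumption: defines $conn via mysqli_connect(...)

// Superglobals are case-sensitive: $_POST, not $_post.
$first = trim((string)($_POST['first'] ?? ''));
$uid   = trim((string)($_POST['uid'] ?? ''));
$pwd   = (string)($_POST['pwd'] ?? ''); // never trim or escape a password

if ($first === '' || $uid === '' || $pwd === '') {
    http_response_code(400);
    exit('All fields are required.');
}

// Store only a salted hash; check it at login with password_verify().
$hash = password_hash($pwd, PASSWORD_DEFAULT);

// Placeholders keep user input out of the SQL text entirely.
$stmt = mysqli_prepare(
    $conn,
    'INSERT INTO user (first, uid, pwd) VALUES (?, ?, ?)'
);
mysqli_stmt_bind_param($stmt, 'sss', $first, $uid, $hash);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

// Redirect only after the insert succeeded; a failure throws before this.
header('Location: contact.html');
exit;
```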