0

when it try to submit the form content to the database i get the following error : {"code":"MethodNotAllowedError","message":"POST is not allowed"}

I am using Dreamweaver cc 2017 and xampp v3.2.2 to run Apache and Mysql on windows 10.

html form :

  <form action="register.php" id="form1" name="form1" method="post">

and register.php content is :

<?php
$hostname_conn = "localhost";
$database_conn = "hotels";
$username_conn = "root";
$password_conn = "";
$conn = mysqli_connect($hostname_conn, $username_conn, $password_conn) or trigger_error(mysqli_error(),E_USER_ERROR); 

$db=mysqli_select_db($conn,$database_conn);
$q1= "insert into users(username,email,password,number)values('$_POST[textfield]','$_POST[email]','$_POST[password]','$_POST[number]')";
$q2=mysqli_query($conn,$q1);

if(mysqli_query($conn,$q1))
 {
    $msg = 'User information saved successfully.';
 }
 else
 {
    $msg = 'Error: We encountered an error while inserting the new record.';
 }
echo $msg;
mysqli_close($conn);
?>

</body>
</html>
Boo
  • 3
  • 1
  • 3
  • 2
    Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 25 '17 at 19:28
  • 1
    **Never** store plain text passwords. You should use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. – Alex Howansky Apr 25 '17 at 19:28
  • Look at https://www.w3schools.com/php/php_mysql_prepared_statements.asp – b2ok Apr 25 '17 at 19:58

2 Answers2

1

using PDO: 

        $servername = "localhost";
        $username = "root";
        $password = "";
        $dbname = "hotels";
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
        $stmt = $conn->prepare("INSERT INTO users (username, email, password, number) 
        VALUES (:username, :email, :password, :number)");
        $stmt->bindParam(':username', $username);
        $stmt->bindParam(':email', $email);
        $stmt->bindParam(':password', $password);
        $stmt->bindParam(':number', $number);
        $username = $_POST['textfield'];
        $email = $_POST['email'];
        $password = $_POST['password'];
        $number = $_POST['number'];
        $stmt->execute();
MackProgramsAlot
  • 583
  • 1
  • 3
  • 16
0

The problem is for syntax. Anyway you should to use good practices. Check this post How can I prevent SQL injection in PHP?

$username = $_POST["textfield"]; //unsafe
$username = mysql_real_escape_string($username); //safe

$email = mysql_real_escape_string($_POST["email"]);
$password = mysql_real_escape_string($_POST["password"]);
$number = mysql_real_escape_string($_POST["number"]);

$db=mysqli_select_db($conn,$database_conn);
$q1= "insert into users(username,email,password,number)values('".$username ."','".$email."','".$password."','".$number."')";
$q2=mysqli_query($conn,$q1);
Community
  • 1
  • 1
Christian Carrillo
  • 414
  • 3
  • 8