
I'm new to PHP PDO and MySQL. I made a PHP signup script, and I want you to see if that is the right way or not, and I hope you will give me some advice to improve my script.

This is the code:

```php
<?php

$dsn = 'mysql:host=localhost;dbname=users';
$user = 'root';
$pass = '';

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    try {
        $conn = new PDO($dsn, $user, $pass);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

        $usernameInput = $_POST['username'];
        $passwordInput = $_POST['password'];
        $nameInput = $_POST['name'];
        $emailInput = $_POST['email'];

        $qUsername = "SELECT * FROM personalinformations WHERE username = '$usernameInput'";
        $dataUserName = $conn->query($qUsername);
        $countRowUsername = $dataUserName->rowCount();

        $qEmail = "SELECT * FROM personalinformations WHERE email = '$emailInput'";
        $dataEmail = $conn->query($qEmail);
        $countRowEmail = $dataEmail->rowCount();

        if ($countRowUsername > 0) {
            echo 'Compte Exists';
        } elseif ($countRowEmail > 0) {
            echo 'Email Exists';
        } else {
            // Values must be listed in the same order as the column list
            // (name, username, password, email).
            $qSignup = "INSERT INTO personalinformations (name, username, password, email)
                        VALUES ('$nameInput', '$usernameInput', '$passwordInput', '$emailInput')";
            $conn->exec($qSignup);

            echo 'Compte Created';
        }
    } catch (PDOException $error) {
        // Report the failure instead of silently discarding the message.
        echo $error->getMessage();
    }

} else {
    echo 'You Cannot Browse the Page Directly';
}
```

Thank you very much

walid
    Does it not work in some way? If it works, you may want to try doing a code review instead. – Rasclatt May 23 '17 at 18:10
  • You have not prepared your statement so this is still vulnerable but you need to use code review instead – Adam Hull May 23 '17 at 18:14
  • **Never** store plain text passwords. You should use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky May 23 '17 at 18:38
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky May 23 '17 at 18:39
  • Thank you all, guys, but I want to know the meaning of 'code review'. – walid May 23 '17 at 18:46
  • Alex, no, I'm using PHP 7 – walid May 23 '17 at 18:48
  • See [codereview.se] and, more importantly, [a guide to CR for SO users](https://codereview.meta.stackexchange.com/a/5778/23788) – Mathieu Guindon May 23 '17 at 18:51
  • I'm voting to close this question as off-topic because if it is working, its place is on codereview.stackexchange.com, if there is a known problem, that should be stated and explained in the question. – Gábor Bakos May 23 '17 at 19:27
  • Possible duplicate of ["INSERT IGNORE" vs "INSERT ... ON DUPLICATE KEY UPDATE"](https://stackoverflow.com/questions/548541/insert-ignore-vs-insert-on-duplicate-key-update) – mickmackusa May 24 '17 at 05:23
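The fixes the comments ask for, written out as an added example (not the asker's code): the same signup flow with PDO prepared statements and bound parameters, `password_hash()` instead of plaintext storage, and a single existence check. It assumes UNIQUE indexes exist on `personalinformations.username` and `personalinformations.email`, so the SQLSTATE 23000 branch catches the race between the check and the insert that the comment about `INSERT IGNORE` / `ON DUPLICATE KEY UPDATE` alludes to.

```php
<?php
// Added example, not the asker's code: the same signup flow using PDO prepared
// statements with bound parameters and password_hash(), as the comments advise.
// Assumes UNIQUE indexes on personalinformations.username and .email.

$dsn  = 'mysql:host=localhost;dbname=users;charset=utf8mb4';
$user = 'root';
$pass = '';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('You Cannot Browse the Page Directly');
}

try {
    $conn = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares; values never spliced into SQL
    ]);

    $usernameInput = trim($_POST['username'] ?? '');
    $passwordInput = $_POST['password'] ?? '';
    $nameInput     = trim($_POST['name'] ?? '');
    $emailInput    = trim($_POST['email'] ?? '');
    if ($usernameInput === '' || $passwordInput === '' || $emailInput === '') {
        exit('Missing Fields');
    }

    // Input reaches the database only as bound values, never as part of the query text.
    $check = $conn->prepare(
        'SELECT username, email FROM personalinformations WHERE username = :u OR email = :e'
    );
    $check->execute([':u' => $usernameInput, ':e' => $emailInput]);
    if ($row = $check->fetch(PDO::FETCH_ASSOC)) {
        exit($row['username'] === $usernameInput ? 'Compte Exists' : 'Email Exists');
    }

    // Store only the hash; password_verify() checks it at login.
    $hash = password_hash($passwordInput, PASSWORD_DEFAULT);
    $insert = $conn->prepare(
        'INSERT INTO personalinformations (name, username, password, email) VALUES (:n, :u, :p, :e)'
    );
    $insert->execute([':n' => $nameInput, ':u' => $usernameInput, ':p' => $hash, ':e' => $emailInput]);
    echo 'Compte Created';
} catch (PDOException $e) {
    // SQLSTATE 23000: a concurrent signup claimed the username/email between the check and the insert.
    if ((string) $e->getCode() === '23000') { exit('Compte Exists'); }
    error_log($e->getMessage()); // log the driver message, don't show it to the client
    exit('Signup Failed');
}
```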

0 Answers