
I have a registration page, which is tied to this process.php code below. When I run this code, it returns "Error". Did I make a mistake somewhere?

```php
<?php
require_once ('newmeowconnection.php');
if (isset($_POST['form_input']) && $_POST['form_input'] == 'registration') {
    registerUser();
}
function registerUser() {
    $query = "INSERT INTO users (first_name, last_name, email, password, created_at, updated_at)
    VALUES('{$_POST['first_name']}','{$_POST['last_name']}','{$_POST['email']}', '{$_POST['password']}', NOW(), NOW())";
    $run = mysqli_query($query);
    if ($run) {
        $_SESSION['loggedin'] = TRUE;
        $_SESSION['user'] = $_POST['email'];
        header('Location: http://localhost/homepage.php');
    } else {
        echo 'Error';
    }
}
?>
```
Mia
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Jun 06 '17 at 19:44
    **Never** store plain text passwords. You should use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Jun 06 '17 at 19:44
  • Perhaps instead of just echo'ing `error` you should have it echo something useful like `mysqli_error`. – Jonathan Kuhn Jun 06 '17 at 19:48
  • Start the session before setting the values. Always create base url instead of pasting static url. Should use prepared statements (as Alex told). Better to check [affected rows](http://php.net/manual/en/mysqli.affected-rows.php) instead of checking query result. And you missed connection parameter. – Prateek Jun 06 '17 at 19:51
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.4/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text**. – tadman Jun 06 '17 at 20:00
  • No panic, guys. I am very new to PHP and SQL, and I am simply learning how to make a page as an exercise. I realize that for an actual webpage, the password should be protected! Right now I am just trying to receive input from a user and then access it again. :) – Mia Jun 06 '17 at 20:16

2 Answers


mysqli_query needs to run on a connection object, or you pass the connection to it:

```php
// procedural style: the connection is the first argument
$run = mysqli_query($connection, $query);
```

or

```php
// object-oriented style: call query() on the connection object
$run = $connection->query($query);
```
Mohammad Hamedani
  • The original code seems to be more more of a procedural style than an OO style, I suggest writing your answer to match the style of the author as the answer makes more sense. – GrumpyCrouton Jun 06 '17 at 19:50
  • When I use that, the page is blank and not even the "error" appears. And of course my database is also not updated. :/ – Mia Jun 06 '17 at 20:24
  • Please add contents of **newmeowconnection.php** file that contains mysqli connection, in your question. My code only shows how to use mysqli query! – Mohammad Hamedani Jun 06 '17 at 23:43
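Putting the accepted fix (pass the connection) together with the advice in the comments (prepared statements, hashed passwords, starting the session first), here is an added example rewritten from the question's handler; it is not code from the question or either answer. It assumes `newmeowconnection.php` defines `$connection` as a `mysqli` object (hypothetical variable name).

```php
<?php
// Added example: same registration flow with the connection passed explicitly,
// a prepared statement with bound parameters, and a hashed password.
// Assumption: newmeowconnection.php defines $connection as a mysqli object.
require_once 'newmeowconnection.php';
session_start();

function registerUser(mysqli $connection, array $input): bool
{
    foreach (['first_name', 'last_name', 'email', 'password'] as $field) {
        if (!isset($input[$field]) || $input[$field] === '') {
            return false; // missing field: refuse rather than insert empty strings
        }
    }
    if (filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Placeholders keep user input out of the SQL text entirely.
    $sql = 'INSERT INTO users (first_name, last_name, email, password, created_at, updated_at)
            VALUES (?, ?, ?, ?, NOW(), NOW())';
    $stmt = $connection->prepare($sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . $connection->error); // detail goes to the log, not the user
        return false;
    }
    // Store a salted hash, never the plain-text password.
    $hash = password_hash($input['password'], PASSWORD_DEFAULT);
    $stmt->bind_param('ssss', $input['first_name'], $input['last_name'], $input['email'], $hash);
    $ok = $stmt->execute() && $stmt->affected_rows === 1; // check the row actually went in
    if (!$ok) {
        error_log('insert failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

if (isset($_POST['form_input']) && $_POST['form_input'] === 'registration') {
    if (registerUser($connection, $_POST)) {
        session_regenerate_id(true); // fresh session id once the user is logged in
        $_SESSION['loggedin'] = true;
        $_SESSION['user'] = $_POST['email'];
        header('Location: /homepage.php'); // relative URL instead of a hard-coded host
        exit;
    }
    echo 'Error';
}
```

The `mysqli_error` detail the comments mention is written to the server log here, so the browser still only sees `Error` while the cause is visible to the developer.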

The problem is that you are using single quotes inside single quotes. For instance, `'{$_POST['first_name']}'` is read as `{$_POST[` being one thing, `first_name` as a SQL variable, and `]}` another string.

Try the following:

```php
...

$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email = $_POST['email'];
$password = $_POST['password'];

$query = "INSERT INTO users (first_name, last_name, email, password, created_at, updated_at) VALUES('{$first_name}','{$last_name}','{$email}', '{$password}', NOW(), NOW())";

...
```

Pedro Henrique