-1

I have a little problem. I have a register form. It works almost perfectly, I can check the value of the input fields, I can check whether we have the same username in the db, but if everything is OK I cannot send the data to my db. I use it as administrator/root, so I have the privileges. What is the problem? Please, help!

<?php    
  // declaring variables from input fields
  $email = $_POST['email'];
  $username=$_POST['username'];
  $password=$_POST['password'];
  $password2=$_POST['password2'];


  function registration ($username, $email, $password) {
      //new user registering
      //return true or error message

      //connecting to database, YEAH IT WORKS!
      $connection = connecting_to_db();

      //checking uniqueness of username and IT WORKS!
      $result = $connection->query("SELECT * FROM user WHERE username='".$username."'");

      if (!$result) {
        throw new Exception ('We couldn\'t query. Sorry.');
      }
      if ($result->num_rows>0) {
        throw new Exception ('We already have this username! Choose something else!');
      }
      // if it is OK send it to the DB AND THIS IS NOT WORKING :-(
      $result = $connection->query("INSERT INTO user VALUES'".$username."', shal('".$password."'), '".$email."')");

      // I always get this way and get this message.
      if (!$result) {
        throw new Exception ('We couldn\'t save your data in our database. Try it later!');
      }
      return true;
  }

?>
  • ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 19 '17 at 14:41
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 19 '17 at 14:41
  • Add [error reporting](http://stackoverflow.com/questions/845021/how-to-get-useful-error-messages-in-php/845025#845025) to the top of your file(s) _while testing_ right after your opening PHP tag for example ` – RiggsFolly Jun 19 '17 at 14:44
  • I don't actually see anywhere where you call the function – RiggsFolly Jun 19 '17 at 14:45
  • It helps if you actually check for errors instead of just checking to see if it returns a true value. You're not getting any good information that way. – aynber Jun 19 '17 at 14:46
  • @RiggsFolly Thanks for the idea, I did that. I had a little error from the email checking function (you can't see it because it is in another file) but the problem is still going on. – Newbie Jun 19 '17 at 14:56

2 Answers

0

It looks like you have shal (letter L) instead of sha1 (number one) in your insert query. Print out your result from the query and you should see your issue.

  • Yeah, that's true, thanks. You got an UPlike. But unfortunately I still have the issue. – Newbie Jun 19 '17 at 14:54
  • Please don't __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Jun 19 '17 at 15:15
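The comments on the question and on this answer raise two separate problems with the posted code: the string-concatenated queries are open to SQL injection, and hashing the password with `sha1()` inside the SQL statement sends the raw password to the database and uses an unsuitable hash. The following is an added example, not the asker's code or the answerer's, showing how a registration function can address both with mysqli prepared statements and `password_hash()` / `password_verify()`. It assumes a `user` table with `username`, `password` (at least `VARCHAR(255)`) and `email` columns, placeholder database credentials, and the mysqlnd driver (needed for `get_result()`).

```php
<?php
// Added example (not the question's or answers' code): registration and login
// with bound parameters and password_hash()/password_verify().
// Assumptions: table `user` (username, password VARCHAR(255), email);
// the credentials in connecting_to_db() are placeholders.

declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false, so a failing
// query surfaces its real error message rather than a generic "didn't work".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connecting_to_db(): mysqli
{
    // placeholder credentials; replace with your own (not root in production)
    return new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
}

function registration(string $username, string $email, string $password, string $password2): bool
{
    if ($username === '' || $password === '' || $password !== $password2
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid username, e-mail address or password.');
    }

    $connection = connecting_to_db();

    // Uniqueness check with a bound parameter: the username is sent as data,
    // never spliced into the SQL text, so quotes in it cannot alter the query.
    $stmt = $connection->prepare('SELECT 1 FROM user WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    if ($taken) {
        throw new Exception('This username is already taken. Choose something else!');
    }

    // Hash in PHP, not in SQL: the plaintext password never reaches the database
    // or its logs, and PASSWORD_DEFAULT picks a salted, slow algorithm (bcrypt today).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Explicit column list plus placeholders: no quoting mistakes, no injection.
    $stmt = $connection->prepare('INSERT INTO user (username, password, email) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $hash, $email);
    $stmt->execute(); // throws mysqli_sql_exception on failure (see mysqli_report above)
    $stmt->close();

    return true;
}

function login(string $username, string $password): bool
{
    $connection = connecting_to_db();

    $stmt = $connection->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // password_verify() reads the salt and cost from the stored hash and compares
    // in constant time; an unknown username and a wrong password look the same.
    return $row !== null && password_verify($password, $row['password']);
}

// Usage: the form is assumed to POST username, email, password and password2.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        registration(
            $_POST['username'] ?? '',
            $_POST['email'] ?? '',
            $_POST['password'] ?? '',
            $_POST['password2'] ?? ''
        );
        echo 'Registered.';
    } catch (Throwable $e) {
        // log $e->getMessage() server-side; show the user a generic message
        echo 'Registration failed.';
    }
}
```

With `mysqli_report()` set to throw, the "did it return false?" checks from the question become unnecessary: a typo such as `shal` or a missing parenthesis in the SQL raises an exception whose message names the syntax error, which is the diagnostic the comments above recommend enabling while testing.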
-1

Connect to the database and the table, then get the data

$servername = "localhost";
$username = "root";
$password = "";