
The user details could not be saved in the database. When the user enters their details, the information is not showing in the database. What is the problem and how do I go about it? I need you guys to help check it.

```php
<?php
    error_reporting(0);
    session_start();
    include 'connect.php';
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $address = $_POST['address'];
    $phone = $_POST['phone'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $retype_password = $_POST['retype_password'];
    $sql = "INSERT INTO 'user_registration' (firstname, lastname, address, phone, email, password) VALUES ('$firstname',
    '$lastname', '$address', '$phone', '$email', '$password')";
    If ($_POST ['submit']) {
        if (mysqli_query($dbcon, $sql)){

           echo "Regsiter successfully";
        }
        else {

            $error = '<br><div class="info">Sorry, your account could not be created at the moment. Please try again or contact the site admin to report this error if the problem persist. Thanks.</div><br>';
        }

    }

?>

<!doctype html>
<html class="no-js" lang="en">

    <head>
        <meta charset="utf-8">
        <meta http-equiv="x-ua-compatible" content="ie=edge">
        <title>Alex Ticketing System</title>
        <meta name="description" content="">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <link rel="apple-touch-icon" href="apple-touch-icon.png">
        <!-- Place favicon.ico in the root directory -->
        <link rel="stylesheet" href="css/vendor.css">
        <!-- Theme initialization -->
        <script>
            var themeSettings = (localStorage.getItem('themeSettings')) ? JSON.parse(localStorage.getItem('themeSettings')) :
            {};
            var themeName = themeSettings.themeName || '';
            if (themeName)
            {
                document.write('<link rel="stylesheet" id="theme-style" href="css/app-' + themeName + '.css">');
            }
            else
            {
                document.write('<link rel="stylesheet" id="theme-style" href="css/app.css">');
            }
        </script>
    </head>

    <body>
        <div class="auth">
            <div class="auth-container">
                <div class="card">
                    <header class="auth-header">
                        <h1 class="auth-title">
                            <div class="logo"> <span class="l l1"></span> <span class="l l2"></span> <span class="l l3"></span> <span class="l l4"></span> <span class="l l5"></span> </div> Alex Ticketing System </h1>
                    </header>
                    <div class="auth-content">
                        <p class="text-xs-center">REGISTRATION</p>
                        <form id="signup-form" action="index.php" method="POST" novalidate="">

                            <div class="form-group"> <label for="firstname">Name</label>
                                <div class="row">
                                    <div class="col-sm-6"> <input type="text" class="form-control underlined" name="firstname" id="firstname" placeholder="Enter firstname" required=""> </div>
                                    <div class="col-sm-6"> <input type="text" class="form-control underlined" name="lastname" id="lastname" placeholder="Enter lastname" required=""> </div>
                                </div>
                            </div>

                             <div class="form-group"> <label for="address">Address</label> <input type="textarea" class="form-control underlined" name="address" id="address" placeholder="Enter your address" required=""> </div>

                              <div class="form-group"> <label for="phone">Phone</label> <input type="text" class="form-control underlined" name="phone" id="phone" placeholder="Enter your phone" required=""> </div>

                            <div class="form-group"> <label for="email">Email</label> <input type="email" class="form-control underlined" name="email" id="email" placeholder="Enter email address" required="" > </div>

                            <div class="form-group"> <label for="password">Password</label>
                                <div class="row">
                                    <div class="col-sm-6"> <input type="password" class="form-control underlined" name="password" id="password" placeholder="Enter password" required=""> </div>
                                    <div class="col-sm-6"> <input type="password" class="form-control underlined" name="retype_password" id="retype_password" placeholder="Re-type password" required=""> </div>
                                </div>

                            </div>

                            <div class="form-group"> <button type="submit" name = "submit" class="btn btn-block btn-primary">Sign Up</button> </div>

                            <div class="form-group">
                                <p class="text-muted text-xs-center">Already have an account? <a href="login.php">Login!</a></p>
                            </div>
                        </form>

                    </div>
                </div>
            </div>
        </div>
        <!-- Reference block for JS -->
        <div class="ref" id="ref">
            <div class="color-primary"></div>
            <div class="chart">
                <div class="color-primary"></div>
                <div class="color-secondary"></div>
            </div>
        </div>
        <script src="js/vendor.js"></script>
        <script src="js/app.js"></script>
    </body>

</html>
```

  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 17 '17 at 15:07
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 17 '17 at 15:07
  • Haven't looked all the way through the code yet, but your code is VERY susceptible to SQL injection. You'd best parameterize that INSERT query before launching this into the wild. Imagine if someone said their firstname is `';DROP TABLE user_registration; --` It looks like @Fred -ii- found the issue. You have stuck single quotes around your table name in your `INSERT` statement. You are treating the table as a string and that is nonsense in the database. – JNevill Jul 17 '17 at 15:07
  • Whatever you do, *do not* go live with this code. It will expose you and your users to a lot of problems. – Jay Blanchard Jul 17 '17 at 15:09
  • the `else { $error ... }` did not help you here. `mysqli_error($dbcon)` would have in being tacked on to it. – Funk Forty Niner Jul 17 '17 at 15:11
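
Added example (not the asker's code and not written by any commenter): the registration handler reworked along the lines the comments recommend, with a prepared statement, `password_hash()`, and MySQLi errors sent to the server log instead of being silenced. It assumes `connect.php` still defines `$dbcon` as a MySQLi connection and that the `password` column is wide enough for the hash (for example `VARCHAR(255)`); the validation messages are illustrative.

```php
<?php
// Added example. Assumes connect.php defines $dbcon (mysqli) as on the page,
// and that user_registration.password can hold the hash (e.g. VARCHAR(255)).
session_start();
// Make mysqli throw on failure; error_reporting(0) in the original hid the cause.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include 'connect.php';

$error = '';
// isset(), not truthiness: a <button name="submit"> with no value attribute
// posts an empty string, which PHP treats as false.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $in = [];
    foreach (['firstname', 'lastname', 'address', 'phone', 'email',
              'password', 'retype_password'] as $f) {
        // Reject array-valued parameters such as firstname[]=x.
        $in[$f] = is_string($_POST[$f] ?? null) ? $_POST[$f] : '';
    }

    if ($in['password'] === '' || $in['password'] !== $in['retype_password']) {
        $error = 'Passwords are empty or do not match.';
    } elseif (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $error = 'Please enter a valid email address.';
    } else {
        try {
            // Hash the raw password; do not escape or trim it first.
            $hash = password_hash($in['password'], PASSWORD_DEFAULT);

            // Identifiers take backticks (or no quotes) in MySQL;
            // single quotes turn the table name into a string literal.
            $stmt = $dbcon->prepare(
                'INSERT INTO `user_registration`
                     (firstname, lastname, address, phone, email, password)
                 VALUES (?, ?, ?, ?, ?, ?)'
            );
            // Values travel separately from the SQL text, so quotes in a
            // name or address cannot change the statement.
            $stmt->bind_param('ssssss', $in['firstname'], $in['lastname'],
                $in['address'], $in['phone'], $in['email'], $hash);
            $stmt->execute();
            echo 'Registered successfully';
        } catch (mysqli_sql_exception $e) {
            // Keep database details out of the browser; log them server-side.
            error_log('Registration insert failed: ' . $e->getMessage());
            $error = 'Sorry, your account could not be created at the moment.';
        }
    }
}
?>
```

At login, compare the submitted password against the stored hash with `password_verify()` rather than hashing it again and comparing strings.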
