0

I have a concern with my code here. The connection is OK when I checked, but when my if-statement here runs, it goes as expected from the password=cpassword check up to the second if-statement, which checks whether the user exists, and it goes into the else because that is false. But when it reaches the third if-statement, I don't know why if($query_run) is false.

As a result, the data hasn't been added to my database, and I get the ERROR alert which I declared in that else-statement.

    <?php
    if(isset($_POST['submit_btn']))
    {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $cpassword = $_POST['cpassword'];
        if($password==$cpassword)
        {
            $query= "select * from user WHERE username ='$username'";
            $query_run = mysqli_query($con,$query);
                if(mysqli_num_rows($query_run)>0)
                {
                // there is already a user with the same username
                    echo '<script type="text/javascript"> alert("user already exist.. Try another username")</script>';
                }
                else
                {
                $query = "insert into user values('$username','$password')";
                $query_run = mysqli_query($con,$query);
                if($query_run)
                {
                    echo '<script type="text/javascript"> alert("User Registered Go to Login page to Log in")</script>';
                }
                else
                {
                    echo '<script type="text/javascript"> alert("Error..")</script>';
                }
            }
        }
        else
        {
                echo '<script type="text/javascript"> alert("Password does not match!")</script>';
        }
    }
    ?>
halfer
  • Please use a prepared query; you are open to SQL injection. – Ivan Bolnikh Jul 29 '17 at 11:15
  • @IvanBolnikh this was not the question. – Michael Hirschler Jul 29 '17 at 11:19
  • @MichaelHirschler: that does not matter. If someone is doing something unsafe, and you know it is unsafe, it is necessary to speak up. – halfer Jul 29 '17 at 11:46
  • @halfer true, in that case: please also validate $_POST* variables before using them. :-) – Michael Hirschler Jul 29 '17 at 11:50
  • @Refferson Dahan just try to echo the query and paste it into SQL. – Ravi Mehta Jul 29 '17 at 12:03
  • Guys, thank you so much. It really worked. My apologies for being a beginner. Thank you again. – Refferson Dahan Jul 29 '17 at 12:08
  • No apologies needed for being a beginner, though it's a bit odd if several people mention your serious security problems and you ignore those messages. Do you _want_ to have security problems? – halfer Jul 29 '17 at 12:47
  • Yes, I just want to have that said security. Can somebody teach me how to code this? Actually, I'm still in the part of fixing the connection to the database and how I insert some data, but of course my next step is that security. Please, can I have some steps for it, @halfer? – Refferson Dahan Jul 29 '17 at 13:10
  • Security is not something you can have steps for, it requires a fair bit of learning. I would [start here](http://stackoverflow.com/questions/60174) for SQL injection, and then [go here](https://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database) for password storage. – halfer Jul 29 '17 at 13:18

2 Answers

0

Your query is wrong: there are no columns specified to insert the values into. Try this, replacing the column names with your own:

    $query = "insert into user (column1, column2) values('$username','$password')";

where column1 and column2 will be your username and password columns.

Note: You are open to SQL injection, so you should use a prepared query.

Ankit Singh
-2

    <?php
    if(isset($_POST['submit_btn']))
    {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $cpassword = $_POST['cpassword'];
        if($password==$cpassword)
        {
            $query= "select * from user WHERE username ='$username'";
            $query_run = mysqli_query($con,$query);
                if(mysqli_num_rows($query_run)>0)
                {
                // there is already a user with the same username
                    echo '<script type="text/javascript"> alert("user already exist.. Try another username")</script>';
                }
                else
                {
                $query = "insert into user (username, password) values('$username','$password')";
                $query_run = mysqli_query($con,$query);
                if($query_run)
                {
                    echo '<script type="text/javascript"> alert("User Registered Go to Login page to Log in")</script>';
                }
                else
                {
                    echo '<script type="text/javascript"> alert("Error..")</script>';
                }
            }
        }
        else
        {
                echo '<script type="text/javascript"> alert("Password does not match!")</script>';
        }
    }
    ?>
  • Change only $query = "INSERT INTO user (username, password) VALUES ($username, $password)"; – swapnil kambe Jul 29 '17 at 12:14
  • As per the other two answers (one of which has now been deleted by its author), I would like to see a mention of the security errors the OP has in their code. They are at least (1) SQL injection, and (2) plaintext password storage. – halfer Jul 29 '17 at 13:20
  • How did this solve the question? There is no specific explanation as to what was done. You're forcing people to see what the differences are in the code. – Funk Forty Niner Jul 29 '17 at 13:31
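
The prepared-query and password-storage points raised in the first answer and in the comments, shown as an added example that is not code from the question or from either answer. It assumes a `user` table with `username` and `password` columns (the names used in the second answer), a `password` column wide enough to hold a hash, and placeholder connection values; `register_user` is a hypothetical helper name.

```php
<?php
// Added example; not code from the question or the answers.
// Assumed schema: `user`(username VARCHAR(64), password VARCHAR(255)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli throws instead of returning false

function register_user(mysqli $con, $username, $password, $cpassword): string
{
    // $_POST values can be arrays; accept only strings.
    if (!is_string($username) || !is_string($password) || !is_string($cpassword)) {
        return 'Invalid input';
    }
    $username = trim($username);
    if ($username === '' || strlen($username) > 64) {
        return 'Invalid username';
    }
    if ($password === '' || $password !== $cpassword) {
        return 'Password does not match!';
    }
    try {
        // Placeholders keep user input out of the SQL text.
        $check = $con->prepare('SELECT 1 FROM `user` WHERE username = ?');
        $check->bind_param('s', $username);
        $check->execute();
        $check->store_result();
        if ($check->num_rows > 0) {
            return 'User already exists. Try another username';
        }
        // Store a salted hash, never the plaintext password.
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $insert = $con->prepare('INSERT INTO `user` (username, password) VALUES (?, ?)');
        $insert->bind_param('ss', $username, $hash);
        $insert->execute();
    } catch (mysqli_sql_exception $e) {
        // The real cause goes to the server log, not to the browser.
        error_log('Registration failed: ' . $e->getMessage());
        return 'Error..';
    }
    return 'User registered. Go to the login page to log in';
}

if (isset($_POST['submit_btn'])) {
    // Connection values are placeholders.
    $con = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    $msg = register_user($con, $_POST['username'] ?? null, $_POST['password'] ?? null, $_POST['cpassword'] ?? null);
    echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

At login, the stored hash is checked with `password_verify($password, $hash)` rather than by comparing strings in SQL.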