-1

When I click on Register I always get both error messages: Registration successful! and Registration failed :/.

I've summarized the errors in this Errors.php file:

<?php if(count($errors) > 0): ?>
    <div class="error">
        <?php foreach ($errors as $error): ?>
        <p><?php echo $error;  ?></p>
        <?php endforeach ?>
    </div>
<?php endif ?>

I can't figure out why mysqli_query($link, $sql) doesn't run properly.

Code

<?php 

    //========================================
    // Default values. Used for error messages
    //========================================

    $Email = "";
    $errors = array();

    //===============
    // MySQL Settings
    //===============    

    define('DB_NAME', 'registration');    
    define('DB_USER', 'root');
    define('DB_PASSWORD', '12345678');
    define('DB_HOST', 'localhost');    

    //====================    
    // Database connection  
    //====================

        //Connect to server
    $link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);    

      // Test if connection succeeded
    if(mysqli_connect_errno()) {
        die("Database connection failed: " . mysqli_connect_error() . 
         " (" . mysqli_connect_errno() . ")"
        );
    }

    //===================================    
    // If the Register button is clicked  
    //===================================

    if(isset($_POST['Register'])) {
        $Email = mysqli_real_escape_string($_POST['Email']);
        $Password = mysqli_real_escape_string($_POST['Password']);    

        //=================================    
        // Error messages if input is wrong  
        //=================================

        if(empty($Email)) {
            array_push($errors, "Email is required");
        }
        if(empty($Password)) {
            array_push($errors, "Password is required");
        }

        //=========================    
        // Send data to MySQL table  
        //=========================

            // Send input form data to MySQL database 
        if(isset($_POST['Register'])){
        $Email = $_POST['Email'];
        $Password = $_POST['Password'];

            // If no error messages appear, then send data to table   
        if(count($errors) == 0){
        $Password = md5($Password);    
        $sql = "INSERT INTO users (Email, Password) VALUES ('{$Email}', '{$Password}')";    
        }
        $result = mysqli_query($link, $sql);
        if ($result) {
        // Success
        echo "Registration successful!";
        } else {
        // Failure
        echo "Registration failed :/";
        }
        }
    }

    ?>
<!DOCTYPE HTML>
<html>
<head>
    <title>Registration</title>
    <link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
    <div class="header">
        <h2>Register</h2>
    </div>    
    <form method="post" action="Register.php">
        <!--Display errror messages here-->
        <?php include('Errors.php'); ?>
        <div class="input-group">
            <label>Email</label>
            <input type="text" name="Email"> 
        </div>
        <div class="input-group">
            <label>Password</label>
            <input type="password" name="Password"> 
        </div>
        <div class="input-group">
            <button type="submit" id="button" name="Register" class="Button">Register</button>
        </div>       
        <p>
        Already a member? <a href="Login.php">Sign in</a>
        </p>
    </form>

</body>
</html>

    <?php
    // Close database connection
    if (isset($link)) {
      mysqli_close($link);
    }
   ?>
Saud
  • 480
  • 1
  • 9
  • 26
  • 2
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Aug 23 '17 at 19:46
  • 2
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Aug 23 '17 at 19:47
  • 1
    ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** – Jay Blanchard Aug 23 '17 at 19:47
  • When you register, do the new values show up on the database? – Raphael Cunha Aug 23 '17 at 20:15
  • The values don't show up in the database. – Saud Aug 24 '17 at 06:02
  • I appreciate your concerns regarding the lacking security of the password field. This is something I will look into and correct. However, at this point I'm just trying to connect to the database and output values in the table. – Saud Aug 24 '17 at 06:27

1 Answers1

0
     I modified your MySQL query to prepare statement and also you had two isset of submit which is the problem...
    Try this 



     <?php
             //======================================== // Default values. Used for error messages //======================================== $Email = ""; $errors = array();
                 //=============== // MySQL Settings //=============== 
                define('DB_NAME', 'registration'); define('DB_USER', 'root');
                    define('DB_PASSWORD', '12345678'); define('DB_HOST', 'localhost'); //==================== // Database connection //==================== //Connect to server 
                $link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

                    // Test if connection succeeded
 if(mysqli_connect_errno()) { die("Database connection failed: " . mysqli_connect_error() . " (" . mysqli_connect_errno() . ")" ); } //=================================== // If the Register button is clicked //=================================== if(isset($_POST['Register'])) { $Email = $_POST['Email']; $Password = $_POST['Password']; //================================= // Error messages if input is wrong //=================================
                 if(empty($Email)) { 
                array_push($errors, "Email is required"); 
                } elseif(empty($Password)) { 
                array_push($errors, "Password is required"); 
                } //========================= // Send data to MySQL table //========================= // Send input form data to MySQL database 
                else{ 
                $Email = $_POST['Email']; 
                $Password = md5($_POST['Password']); 
                // If no error messages appear, then send data to table 
                $sql = "INSERT INTO users (Email, Password) VALUES (?,?)";
                 $stmt = $link->prepare($sql); 
                $stmt->bind_param('ss',$Email,$Password);
                 $stmt->execute();
                 if ($stmt) { 
                // Success 
                echo "Registration successful!"; 
                } else {
                 // Failure 
                echo "Registration failed :/"; 
                } } } ?>

            //And change the button

             from

            <button type="submit" id="button" name="Register" class="Button">Register</button>

            To


            <input type="submit" id="button" value="Register"  name="Register" class="Button">
Hamis Hamis
  • 84
  • 2
  • 9