
From real_escape_string onward, the code is showing as text, not running in the browser; even Dreamweaver shows no error. Please help, and if there is any alternative then please tell me. I am trying to create a subscribe PHP form with validation that the email is correct, both passwords are the same, and the uploaded avatar file is PNG, JPG, or GIF. This is the code:

<?php
/* form.php */
session_start();
$_SESSION['message'] = '';
$mysqli = new mysqli("localhost", "root", "mypass123", "accounts_complete");

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    if ($_POST['password'] == $_POST['confirmpassword']) {
        $username = $mysqli->real_escape_string($_POST['username']);
        $email = $mysqli->real_escape_string($_POST['email']);
        $password = md5($_POST['password']); // md5 hash of the password (see the comments below: password_hash() is the recommended replacement)
        // "->" is required here; "$mysqli-real_escape_string" is a syntax error and stops the script
        $avatar_path = $mysqli->real_escape_string('image/' . $_FILES['avatar']['name']);

        // make sure this file type is an image (this checks the client-supplied MIME type only)
        if (preg_match("!image!", $_FILES['avatar']['type'])) {

            // copy the uploaded image into the image/ folder; the upload key is 'tmp_name', not 'temp_name'
            if (copy($_FILES['avatar']['tmp_name'], $avatar_path)) {

                $_SESSION['username'] = $username;
                $_SESSION['avatar'] = $avatar_path;

                // SQL built by string concatenation (see the comments below: a prepared statement is the safe form)
                $sql = "INSERT INTO users (username, email, password, avatar) "
                     . "VALUES ('$username', '$email', '$password', '$avatar_path')";

                // if the query is successful, record the message, done!
                if ($mysqli->query($sql) === true) {
                    // double quotes so that $username is interpolated into the message
                    $_SESSION['message'] = "Registration successful! Added $username to the database!";
                } else {
                    $_SESSION['message'] = "User could not be added to the database!";
                }
            } else {
                $_SESSION['message'] = "File upload failed!";
            }
        } else {
            $_SESSION['message'] = "Please only upload GIF, JPG, or PNG images!";
        }
    } else {
        $_SESSION['message'] = "Two passwords do not match!";
    }
}
?>
  • 4
    ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Oct 19 '17 at 13:17
  • 4
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Oct 19 '17 at 13:18
  • 1
    Are you running this from a web server? – Jay Blanchard Oct 19 '17 at 13:18
  • 1
    `$avatar_path = $mysqli-real_escape_string('image/'.$_FILES['avatar']['name']);` you missed a `>` should be `$avatar_path = $mysqli->real_escape_string('image/'.$_FILES['avatar']['name']);` – Raymond Nijland Oct 19 '17 at 13:21
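An added, hardened version of the same handler (example code written for this page, not the asker's code) that applies the points raised in the comments above: password_hash() instead of md5(), a prepared statement instead of escaped string concatenation, content-based image checking, and a server-chosen file name. It assumes the same database credentials and users table as the question, a password column wide enough for password_hash() output (for example VARCHAR(255)), and a writable image/ directory next to the script.

```php
<?php
/* register.php: added example, not the asker's code. Assumes a `users` table
   with columns username, email, password, avatar, and a writable image/ dir. */
session_start();
$_SESSION['message'] = '';
$mysqli = new mysqli("localhost", "root", "mypass123", "accounts_complete");
$mysqli->set_charset('utf8mb4');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $email    = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';
    if ($password === '' || $password !== ($_POST['confirmpassword'] ?? '')) {
        $_SESSION['message'] = 'Two passwords do not match!';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $_SESSION['message'] = 'Please enter a valid email address!';
    } elseif (!isset($_FILES['avatar']) || $_FILES['avatar']['error'] !== UPLOAD_ERR_OK) {
        $_SESSION['message'] = 'File upload failed!';
    } else {
        // Check the real file content, not the client-supplied ['type'] or the file name.
        $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['avatar']['tmp_name']);
        if (!isset($allowed[$mime]) || getimagesize($_FILES['avatar']['tmp_name']) === false) {
            $_SESSION['message'] = 'Please only upload GIF, JPG, or PNG images!';
        } else {
            // Server-chosen random name: the uploader cannot pick the path or the extension.
            $avatar_path = 'image/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
            if (!move_uploaded_file($_FILES['avatar']['tmp_name'], $avatar_path)) {
                $_SESSION['message'] = 'File upload failed!';
            } else {
                // Hash with password_hash(); never escape or otherwise alter the password first.
                $hash = password_hash($password, PASSWORD_DEFAULT);
                // Prepared statement: values are bound, never concatenated into the SQL text.
                $stmt = $mysqli->prepare(
                    'INSERT INTO users (username, email, password, avatar) VALUES (?, ?, ?, ?)');
                $stmt->bind_param('ssss', $username, $email, $hash, $avatar_path);
                if ($stmt->execute()) {
                    $_SESSION['username'] = $username;
                    $_SESSION['avatar']   = $avatar_path;
                    $_SESSION['message']  = "Registration successful! Added $username to the database!";
                } else {
                    unlink($avatar_path); // do not leave an orphaned upload behind
                    $_SESSION['message'] = 'User could not be added to the database!';
                }
                $stmt->close();
            }
        }
    }
}
```

Like the original, this file only does something when a web server runs it as PHP; opened directly from disk the browser will just display the source.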
