-2

I made sure all the names are the same as in the database but it doesn't add the elements to my database. What might be the problem?

 <div class="form_div" required>
        <p class="form_label">Not a customer? Signup Here!</p>
        <form method="Post" action="Register.php" required>
          <p><input type="text" name="name" placeholder="Name and Last Name" required></p>
          <p><input type="text" name="Email" placeholder="Email Address" required></p>
          <p><input type="text" name="Phone" placeholder="Your Phone Number" required></p>
          <p><input type="password" name="password" placeholder="**********" required></p>
          <p><input type="submit" name="submit" value="SIGNUP"> </p>
<?php 
      //Fill out the following fields to be able to register. 
if(isset($_POST['submit'])) {
  $nameandlast= $_POST['name']; 
  $Email= $_POST['Email'];
  $Phone= $_POST['Phone'];
  $password= $_POST['password'];
      //Inserts customer details into the customer table in the SQL database so they can schedule appointments and login later. If the registration has been added successfully, display a success message.
  $query = "INSERT INTO customers (name, email, phone, pass) VALUES ('{$nameandlast}','{$Email}','{$Phone}','{$password}');";
  runQuery($query);
  echo "You have been successfully registered";

// If the customer is successfully registered, redirect him so he can log in. 
  header('Location: Login.php');

}
?>
  • What does `runQuery` do? You are open to SQL injections. Passwords should be hashed. It looks like your code just assumes the query works then redirects the user to a login page, the redirection won't work though because you have already sent output. – chris85 Dec 01 '17 at 18:13
  • You need to filter your inputs, and then use prepared statements to insert user data into your db. Nothing is safe, always check/test! See https://www.w3schools.com/php/php_mysql_prepared_statements.asp to get started. – Chad Dec 01 '17 at 18:40

2 Answers

1

I am not sure what runQuery() does but I changed the way your script connects to your database. I also made sure SQL injections are no longer possible and your users will no longer get sent to the next page if the query failed. Also, when you redirect your user to a new page, echos will no longer be visible. You could store the message in a cookie and call it on the next page. Make sure to unset the cookie after you triggered the message.

<?php 

$mysqli = new mysqli("127.0.0.1", "root", "password", "database");

if(isset($_POST['submit'])) {
  $nameandlast= mysqli_real_escape_string($mysqli, $_POST['name']); 
  $Email= mysqli_real_escape_string($mysqli, $_POST['Email']); 
  $Phone= mysqli_real_escape_string($mysqli, $_POST['Phone']); 
  $password= mysqli_real_escape_string($mysqli, $_POST['password']); 


  $success = mysqli_query($mysqli, "INSERT INTO customers (name, email, phone, pass) VALUES ('$nameandlast','$Email','$Phone','$password')");

  if ($success) {
    // Redirect only when the insert succeeded, then stop the script.
    header('Location: Login.php');
    exit;
  }
}
?>

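To clean up your code you could also loop over every post like so and turn it into variables:

// Loop only over the field names the form defines, so a request cannot overwrite other variables such as $mysqli.
foreach (['name', 'Email', 'Phone', 'password'] as $key) {
  $$key = mysqli_real_escape_string($mysqli, $_POST[$key] ?? '');
}

Make sure the name of the form field matches the variables in your query.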

Niels
-1

Remove the brackets "()" while inserting values. Then, you didn't make a connection with the database. Please refer to this link for the database connection: https://www.w3schools.com/php/php_mysql_connect.asp. runQuery is not a library function to execute a query. You have to sanitize the input in PHP to avoid SQL injection.

For example, this is my code used to register a new user.

    <?php
$servername="localhost";
$username="root";
$password="admin";
$db="userreg";
$con=new mysqli($servername,$username,$password,$db); // this line makes the connection with the database
if ($con->connect_error) {
    die("Connection failed: " . $con->connect_error);
}

$dob=mysqli_real_escape_string($con,$_POST['dbt']); // mysqli_real_escape_string sanitizes input; for better security use prepared statements
$uame=mysqli_real_escape_string($con,$_POST['uname']);
$finame=mysqli_real_escape_string($con,$_POST['fname']);
$laname=mysqli_real_escape_string($con,$_POST['lname']);
$paname=mysqli_real_escape_string($con,$_POST['pword']);
$pname=hash("sha1",$paname);
$maid=mysqli_real_escape_string($con,$_POST['mid']);
$sql = "INSERT INTO user (firstname,lastname,username,password,email,dob)";


$sql .=  "VALUES ('$finame','$laname','$uame','$pname','$maid','$dob');";
$check="SELECT * FROM user WHERE username='$uame';";
$chk=$con->query($check);
if($chk->num_rows >0)
{
    echo "<div class=container> <div  class='alert alert-danger'><strong>username already exist , try using another name</strong>";

}
else
if ($con->query($sql)) { // this line executes the query
    // Start the session before any output is sent.
    session_start();
    $_SESSION['login_user']=$uame;
    $_SESSION['pass']=$pname;

    echo "<div class='alert alert-success'><strong>New registration successful</strong>";


    echo "<a href='home.php'><button class='btn btn-success' >ok</button></a></div>";

} else {
    echo "<p>Error: " . $sql . "<br>" . mysqli_error($con)."</p>";
}

    ?>
jasinth premkumar
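
An added example covering the points raised in the comments and both answers above (it is not code from the asker or either answerer): the same `customers` insert written with a prepared statement, `password_hash()`, and a redirect sent before any output. The connection credentials, the `form_error` class and a UNIQUE index on `customers.email` are assumptions.

```php
<?php
// Added example, not from the original posts.
// Assumptions: placeholder credentials; customers.pass is VARCHAR(255);
// customers.email has a UNIQUE index (hypothetical).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function registerCustomer(mysqli $db, array $post): ?string
{
    // Validate first; return an error message, or null on success.
    $name  = trim($post['name'] ?? '');
    $email = filter_var($post['Email'] ?? '', FILTER_VALIDATE_EMAIL);
    $phone = trim($post['Phone'] ?? '');
    $pass  = $post['password'] ?? '';
    if ($name === '' || $email === false || $phone === '' || $pass === '') {
        return 'Please fill in every field with a valid value.';
    }

    // Store a salted, slow hash, never the password itself.
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    try {
        // Placeholders keep user data out of the SQL text entirely.
        $stmt = $db->prepare(
            'INSERT INTO customers (name, email, phone, pass) VALUES (?, ?, ?, ?)'
        );
        $stmt->bind_param('ssss', $name, $email, $phone, $hash);
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        error_log('Registration failed: ' . $e->getMessage()); // log, do not echo
        return $e->getCode() === 1062            // MySQL duplicate-key error
            ? 'That email is already registered.'
            : 'Registration failed, please try again.';
    }
    return null;
}

$error = null;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new mysqli('127.0.0.1', 'app_user', 'CHANGE_ME', 'database'); // placeholders
    $db->set_charset('utf8mb4');
    $error = registerCustomer($db, $_POST);
    if ($error === null) {
        header('Location: Login.php'); // no output has been sent yet
        exit;                          // stop the script after the redirect
    }
}
// Only now emit HTML; escape anything echoed back into the page.
if ($error !== null) {
    echo '<p class="form_error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

The login page then checks the submitted password against the stored hash with `password_verify()`.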