-2

The expected result is for the data that is submitted through an HTML form, and then the form action is this code below. Processing the code below, I was expecting it to insert the data from the form into a SQL table called customers. However, the data is not being inserted and there are no errors showing on the page.

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

$uName = $_POST['uname'];
$password = sha1($_POST['upassword']);
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$dob = $_POST['dob'];
$address1 = $_POST['address1'];
$address2 = $_POST['address2'];
$postcode = $_POST['postcode'];

echo $uName;
echo $password;

include("dbconn.php");
$sql = "INSERT INTO customers (username, password_hash, customer_foremane, customer_surname, date_of_birth, customer_address1, customer_address2, customer_postcode) VALUES ('$uName', '$password', '$fname', '$lname', '$dob', '$address1', '$address2', '$postcode')";

mysqli_query($conn, $sql);
mysqli_close($conn);

?>

This is the form that the data comes from:

<div id = "reg_form">
    <form name="register" action="register_customer.php" method="post">
        <p id = "form_text"> Username: </p> <input name="uname" type="text" placeholder="Please enter a user name">
        <p id = "form_text"> Password: </p> <input name="upassword" type="password" placeholder="Please enter a password"><br>
        <p id = "form_text"> First Name: </p> <input name="fname" type="text" placeholder="Please enter your first name"><br>
        <p id = "form_text"> Last Name: </p> <input name="lname" type="text" placeholder="Please enter your last name"><br>
        <p id = "form_text"> Date of Birth: </p> <input name="dob" type="text" placeholder="Please enter your date of birth"><br>
        <p id = "form_text"> Address 1: </p> <input name="address1" type="text" placeholder="Please enter first line of address"><br>
        <p id = "form_text"> Address 2: </p> <input name="address2" type="text" placeholder="Please enter second line of address"><br>
        <p id = "form_text"> Postcode: </p> <input name="postcode" type="text" placeholder="Please enter your postcode"><br>
        <input name="submit" type="submit">
    </form>
</div>

This is the dbconn.php:

<?php
$config = parse_ini_file('config.ini'); 
$conn = mysqli_connect('localhost',$config['username'],
    $config['password'],$config['dbname']);
    echo "Connected to the database";
?>
  • Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself. Questions without a clear problem statement are not useful to other readers. See: [How to create a Minimal, Complete, and Verifiable example.](https://stackoverflow.com/help/mcve) – Marcello B. Dec 06 '17 at 23:43
  • This code seems to have no problems for me. Can you also post the form and dbconn.php? Also, please note that your code is vulnerable to SQL injection. – Riccardo Bonafede Dec 06 '17 at 23:47
  • There is the form and dbconn.php – user9064551 Dec 06 '17 at 23:52
  • There is no conditional at dbconn to verify a successful connection. You need to implement prepared statements with placeholders. – mickmackusa Dec 07 '17 at 05:11

1 Answer

0

You have to use MySQLi prepared statements for inserting the query to make it more secure, like below:

// prepare and bind Customers Query
$queryCustomers = $conn->prepare("INSERT INTO customers(username, password_hash, customer_foremane, customer_surname, date_of_birth, customer_address1, customer_address2, customer_postcode) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
$queryCustomers->bind_param("ssssssss",$uName,$password,$fname,$lname,$dob,$address1,$address2,$postcode);

// execute Customers Query
$queryCustomers->execute();

// Close Connections
$queryCustomers->close();

To learn more, follow http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

Your Common Sense
Amit Gupta
  • @your-common-sense Sir, some people downvote if I do not give an exact answer, so I gave a complete answer along with instructions to update. – Amit Gupta Dec 07 '17 at 07:33
  • In your answer you made two statements that are entirely wrong. It perfectly justifies such a vote. I removed these statements from your answer. – Your Common Sense Dec 07 '17 at 07:48
  • Thanks, Sir. I will slowly learn to post better answers with better understanding. – Amit Gupta Dec 07 '17 at 07:51
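
An added example (not code from the question or the answer) combining the two points raised above: mysqli error reporting, so a failed connection or INSERT is no longer silent, and a prepared statement with placeholders. The config.ini keys and column names are taken from the question; `insertCustomer()` is a hypothetical helper, and `password_hash()` replaces the question's `sha1()` as a choice made for this example.

```php
<?php
// Added example. config.ini keys, table and column names come from the
// question; insertCustomer() is a hypothetical helper name.

// Throw mysqli_sql_exception on any failure instead of returning false.
// Default since PHP 8.1; older versions need this call before connecting.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insertCustomer(mysqli $conn, array $in): int
{
    $fields = ['uname', 'upassword', 'fname', 'lname', 'dob',
               'address1', 'address2', 'postcode'];
    $params = [];
    foreach ($fields as $f) {
        if (!isset($in[$f]) || !is_string($in[$f])) {
            throw new InvalidArgumentException("Missing form field: $f");
        }
        $params[] = $in[$f];
    }
    // Swapped in for the question's sha1(): salted, slow password hashing.
    // The password_hash column must be wide enough (VARCHAR(255)).
    $params[1] = password_hash($in['upassword'], PASSWORD_DEFAULT);

    // Values travel separately from the SQL text, so they cannot alter it.
    $stmt = $conn->prepare(
        'INSERT INTO customers (username, password_hash, customer_foremane,
            customer_surname, date_of_birth, customer_address1,
            customer_address2, customer_postcode)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
    return (int) $stmt->affected_rows;
}

try {
    $config = parse_ini_file('config.ini');
    $conn = new mysqli('localhost', $config['username'],
                       $config['password'], $config['dbname']);
    $rows = insertCustomer($conn, $_POST);
    echo "Inserted $rows row(s)";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Please fill in every field.';
} catch (mysqli_sql_exception $e) {
    error_log('register_customer: ' . $e->getMessage()); // details to the log
    http_response_code(500);
    echo 'Registration failed.';
}
```

With reporting enabled, a failed connection or a rejected INSERT raises an exception whose message goes to the server error log instead of being dropped.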