0

I have two tables, reservation and users. I want the username and password columns to also be inserted into the users table when the user fills in the form. My query for the reservation table is working, but not the one for the users table.

PHP code:

```php
if(isset($_POST['submit'])){

    $sql="INSERT INTO reservation 
    VALUES (null,
    '".$_POST['type']."',
    '".$_POST['title']."',
    '".$_POST['fname']."',
    '".$_POST['lname']."',
    '".$_POST['contact']."',
    '".$_POST['username']."'
    ,'".$_POST['password']."',
    '".$_POST['email']."',
    '".$_POST['address']."',
    '".$_POST['checkin']."',
    '".$_POST['checkout']."');";

    $sql .= "INSERT INTO users 
    VALUES (null,'".$_POST['username']."','".$_POST['password']."','client');";

    mysqli_multi_query($conn,$sql);

    mysqli_close($conn);
    header("Location: login.php");

}
```
Bubbles
  • 3
    Ugh, don't concatenate queries like this. This is severely unsafe, and you'll pull your hair out looking for missing quotes, etc. Use prepared statements instead - http://php.net/manual/en/mysqli.quickstart.prepared-statements.php – WillardSolutions Dec 08 '17 at 14:56
  • 1
    [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Dec 08 '17 at 14:59
  • 2
    **Never store plain text passwords!** Please use **PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary** to [escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so _changes_ the password and causes unnecessary additional coding. – GrumpyCrouton Dec 08 '17 at 15:00
  • 2
    ...and shouldn't you add the user first and add the user id to the reservation table instead of storing the user info two places? Data shouldn't be duplicated. Keep the reservation data in its own table and the user data in its own table. That's after you've fixed those security issues people already pointed out. – M. Eriksson Dec 08 '17 at 15:00
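
The comments above recommend prepared statements, `password_hash()`, and creating the user before the reservation. The following is an added example, not code from the asker or any commenter, that combines the three. The `user_id` column, the column lists, the InnoDB tables, and the connection credentials are assumptions.

```php
<?php
// Added example. Assumed (hypothetical) schema, InnoDB tables:
//   users(id AUTO_INCREMENT, username, password VARCHAR(255), role)
//   reservation(id AUTO_INCREMENT, user_id, type, title, fname, lname,
//               contact, email, address, checkin, checkout)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw

function createReservation(mysqli $conn, array $in): int
{
    $fields = ['type', 'title', 'fname', 'lname', 'contact', 'username',
               'password', 'email', 'address', 'checkin', 'checkout'];
    foreach ($fields as $f) {
        if (!isset($in[$f]) || !is_string($in[$f]) || $in[$f] === '') {
            throw new InvalidArgumentException("Missing field: $f");
        }
    }
    // Hash the raw password; do not escape or trim it before hashing.
    $hash = password_hash($in['password'], PASSWORD_DEFAULT);
    $role = 'client';
    $conn->begin_transaction();
    try {
        // Values travel as bound parameters, never as part of the SQL text.
        $u = $conn->prepare(
            'INSERT INTO users (username, password, role) VALUES (?, ?, ?)');
        $u->bind_param('sss', $in['username'], $hash, $role);
        $u->execute();
        $userId = $conn->insert_id; // id of the user row just created
        $r = $conn->prepare(
            'INSERT INTO reservation (user_id, type, title, fname, lname, contact,
                                      email, address, checkin, checkout)
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');
        $r->bind_param('isssssssss', $userId, $in['type'], $in['title'],
            $in['fname'], $in['lname'], $in['contact'], $in['email'],
            $in['address'], $in['checkin'], $in['checkout']);
        $r->execute();
        $conn->commit();
        return $userId;
    } catch (mysqli_sql_exception $e) {
        $conn->rollback(); // neither row is kept if either INSERT fails
        throw $e;
    }
}

if (isset($_POST['submit'])) {
    $conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
    createReservation($conn, $_POST);
    $conn->close();
    header('Location: login.php');
    exit;
}
```

At login, compare the submitted password to the stored hash with `password_verify()`.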

1 Answer

0

You should validate the submission of data before redirecting to the next page. I tried your code, so I created two tables, user {id,username,password,email} and local {id,label,description}, and it works for me.

```php
<?php

$host = "localhost";
$user = "root";
$password = "";
$database = "dbtestsub";

$conn = new mysqli($host, $user, $password, $database);

if ($conn->connect_errno) {
    // Report the error from $conn; $mysqli was never defined
    echo "Failed to connect to MySQL: " . $conn->connect_error;
    exit;
}
/*
$sql="INSERT INTO reservation 
VALUES (null,
'".$_POST['type']."',
'".$_POST['title']."',
'".$_POST['fname']."',
'".$_POST['lname']."',
'".$_POST['contact']."',
'".$_POST['username']."'
,'".$_POST['password']."',
'".$_POST['email']."',
'".$_POST['address']."',
'".$_POST['checkin']."',
'".$_POST['checkout']."');"; */
/*

$sql .= "INSERT INTO users 
VALUES (null,'".$_POST['username']."','".$_POST['password']."','client');"; */

// Test values written as quoted string literals rather than bare constants
$sql = "INSERT INTO user 
    VALUES (null,'new_user','yeah_bro','useremail');";

$sql .= "INSERT INTO local 
    VALUES (null,'local1','descp1');";

mysqli_multi_query($conn, $sql);

mysqli_close($conn);

//      header("Location: login.php");
```

So tell me if there is any error so I can check it.

Frameman