0

I have set up a signup page. I created a form in order to transfer the data into Mysql database. The connection is successful but it cannot transfer any data to MySQL.

Here is my connection.

Connect.php

<?php
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "Forum";

$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
} 
echo "<p>Connected successfully</p>";
?>

You can see the connection is ok.

Here is my signup page.

signup.php

<?php
session_start();
include 'connect.php';
include 'header.php';


if($_SERVER['REQUEST_METHOD'] != 'POST')
{
echo'<div id="content">
<h3>註冊</h3>
<form method="post" action="">
<table>
<tr>
<td>使用者名稱:</td> 
<td><input type="text" name="user_name"/></td>
</tr>
<tr>
<td>密碼:</td>
<td><input type="password" name="user_pass"></td>
<tr>
<td>打多次密碼:</td> 
<td><input type="password" name="user_pass_check"></td>
<tr>
<td>電郵:</td> 
<td><input type="email" name="user_email"></td>
</tr>
<tr>
<td>
<input type="submit" value="開波"/>
</td>
<td>
</td>
<tr>
</form>
</table>
</div>';
}
else
{

$errors = array(); 

if(isset($_POST['user_name']))
{
    //the user name exists
    if(!ctype_alnum($_POST['user_name']))
    {
        $errors[] = '使用者名稱只可以用字母同號碼';
    }
    if(strlen($_POST['user_name']) > 30)
    {
        $errors[] = '使用者名稱不可長過30字';
    }
}
else
{
    $errors[] = '要輸入使用者名稱';
}


if(isset($_POST['user_pass']))
{
    if($_POST['user_pass'] != $_POST['user_pass_check'])
    {
        $errors[] = '兩個密碼唔一樣';
    }
}
else
{
    $errors[] = '要輸入密碼';
}

if(!empty($errors)) /*check for an empty array, if there are errors, they're in this array (note the ! operator)*/
{
    echo'<div id="content">';
    echo '咦! 有D野唔岩喎!';
    echo '<ul>';
    foreach($errors as $key => $value) /* walk through the array so all the errors get displayed */
    {
        echo '<li>' . $value . '</li>'; /* this generates a nice error list */
    }
    echo '</ul>';
      echo'</div>';
}
else
{
    //the form has been posted without, so save it
    //notice the use of mysql_real_escape_string, keep everything safe!
    //also notice the sha1 function which hashes the password
    $sql = "INSERT INTO users(user_name, user_pass, user_email ,user_date, user_level)
            VALUES('" . mysql_real_escape_string($_POST['user_name']) . "',
                   '" . sha1($_POST['user_pass']) . "',
                   '" . mysql_real_escape_string($_POST['user_email']) . "',
                    NOW(),
                    0)";

    $result = mysql_query($sql);


    if(!$result)
    {
        //something went wrong, display the error
        echo'<div id="content">';
        echo 'Something went wrong while registering. Please try again later.';
        echo'</div>';
        //echo mysql_error(); //debugging purposes, uncomment when needed
    }
    else
    {
        echo'<div id="content">';
        echo '歡迎加入新香港, 你依家可以<a href="signin.php">登入</a> ';
        echo'</div>';
    }
}
}

?>

Here is my database, there is no data inserted. However, no error is displayed No error statement is shown so that i cannot detect the problem

Herman Kwok
  • 5
  • 5
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Feb 05 '18 at 13:19
  • ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 05 '18 at 13:19
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Feb 05 '18 at 13:20
  • Thanks everyone. but can anyone expain to me why mysqli can prevent from SQL injection Attacks? – Herman Kwok Feb 06 '18 at 07:23
  • Because mysqli can use prepared statements and that is what protects you from SQL injection attacks. – Jay Blanchard Feb 06 '18 at 12:38

0 Answers0