Here's registo.php

<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
    <link rel="stylesheet" href="css/login.css">
    <script src="assets/bootstrap/js/bootstrap.min.js"></script>
    <script src="assets/jquery/jquery-3.2.1.js"></script>
    <title>SITIO</title>
</head>
<body>
    <div class="container">
        <div class="logo">
            <img src="images/logo_1.png">
        </div>
        <div class="login-form">
            <form action="includes/signup.php" method="post">
                <div class="form-group">
                    <label name="username" for="lg_username" class="sr-only">Username</label>
                    <input type="text" class="form-control" id="lg_username" name="username" placeholder="username">
                </div>
                <div class="form-group">
                    <label name="password"for="lg_password" class="sr-only">Password</label>
                    <input type="password" class="form-control" id="lg_password" name="password" placeholder="password">
                </div>
                <div class="form-group">
                    <label name="email" for="lg_email" class="sr-only">Email</label>
                    <input type="email" class="form-control" id="lg_email" name="email" placeholder="email">
                </div>
                <div class="form-group">
                <button type="submit" name="signup" class="btn btn-block btn-primary">
                  </button>
               </div>     
            </form>
        </div>
    </div>
</body>
</html>

and signup.php

<?php

if(isset($_POST['signup'])){

    include "db.php";

    $username = $_POST['username'];
    $password = $_POST['password'];
    $email = $_POST['email'];

    //Error handlers
    //Check for empty fields
    if(empty($username) || empty($password) || empty($email)){
        header("Location: ../registo.php?=empty");
        exit();
    }else{
        //Validate the email
        if(!filter_var($email, FILTER_VALIDATE_EMAIL){
            header("Location: ../registo.php?=signup=email");
            exit();
        }else{
            //Check if the user already exists
            $sql = "SELECT * FROM Users WHERE username='$username'";
            $r = $conn->prepare($sql);
            $r->execute();
            $count = $r->rowCount();
            if($count > 0){
                header("Location: ../registo.php?=signup=usertaken");
                exit();
            }else{
                //Hash the password
                $hashedpwd = password_hash($password, PASSWORD_DEFAULT);
                //Inserting the user into the database
                $sql="INSERT INTO Users (username, password, email, isAdmin, company_fk) VALUES ('$username', '$hashedpwd', '$email', '0', '2')";
                $r= $conn->prepare($sql);
                $r->execute();
            }

        }
    }
}else{
    header("Location: ../registo.php?=empty");
    exit();
}

I know I'm still lacking on some basic security checks, but no matter how I try to access registo.php I keep getting Error 500 on Chrome and a blank page on Firefox.

The desired result would be for it to load the "registo.php" back if I access it directly (hence the ISSET) or for it to actually add an account to the database.

Taking any advice / suggestions on how to improve it and willing to try anything to make it work, since I've been looking at this for a while already and have no idea what is wrong.

  • 2
    Your script is at risk of [SQL Injection Attack](//stackoverflow.com/questions/60174). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](//stackoverflow.com/questions/5741187) Use [prepared parameterized statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Feb 14 '18 at 16:20
  • 1
    500 errors are on the server side and in general meaningless, so you'll need to see your server logs to find the exact message which you will then post in your question – j08691 Feb 14 '18 at 16:21
  • 1
    Look up how to enable PHP errors for your environment. You can do it in htaccess files, in the ini files, or in the code, and I'm sure there are other ways. – adprocas Feb 14 '18 at 16:22
  • https://stackoverflow.com/questions/2687730/how-can-i-make-php-display-the-error-instead-of-giving-me-500-internal-server-er – adprocas Feb 14 '18 at 16:23
  • So would you say there's nothing wrong in the PHP and it's most likely a server side problem ? – Gabriel Silva Feb 14 '18 at 16:39

1 Answer

You have a missing closing parenthesis here:

if(!filter_var($email, FILTER_VALIDATE_EMAIL){

change to

if(!filter_var($email, FILTER_VALIDATE_EMAIL)){

I highly recommend you use an IDE or linter. I copied and pasted your code into my editor (Sublime Text 3) and detected the error right away. A syntax error will definitely cause that error server side.

Kevin Pimentel
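
The parameterized form that John Conde's comment points to, with the parenthesis fix from the answer applied, as an added example that is not part of the original question or answer. It assumes `$conn` is a PDO handle (the question's `rowCount()` call suggests PDO); the `register_user` function, its return strings, and the in-memory SQLite schema are constructed for illustration.

```php
<?php
// Added example, not the asker's code. Assumes $conn is a PDO handle like the one
// db.php appears to provide; an in-memory SQLite database stands in for the real one.
declare(strict_types=1);

function register_user(PDO $conn, string $username, string $password, string $email): string
{
    if ($username === '' || $password === '' || $email === '') {
        return 'empty';
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {   // closing parenthesis present
        return 'email';
    }

    // Placeholders keep user input out of the SQL text entirely.
    $check = $conn->prepare('SELECT 1 FROM Users WHERE username = :username');
    $check->execute([':username' => $username]);
    // fetchColumn() rather than rowCount(): rowCount() is not reliable for SELECT on every driver.
    if ($check->fetchColumn() !== false) {
        return 'usertaken';
    }

    $insert = $conn->prepare(
        'INSERT INTO Users (username, password, email, isAdmin, company_fk)
         VALUES (:username, :password, :email, 0, 2)'
    );
    $insert->execute([
        ':username' => $username,
        ':password' => password_hash($password, PASSWORD_DEFAULT),
        ':email'    => $email,
    ]);
    return 'success';
}

// Constructed schema and sample inputs (column types are assumptions).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);   // surface SQL errors as exceptions
$conn->exec('CREATE TABLE Users (username TEXT UNIQUE, password TEXT, email TEXT,
                                 isAdmin INTEGER, company_fk INTEGER)');

var_dump(register_user($conn, 'alice', 'correct horse', 'alice@example.com'));  // new user
var_dump(register_user($conn, 'alice', 'other', 'alice2@example.com'));         // duplicate username
var_dump(register_user($conn, "O'Brien", 'pw', 'obrien@example.com'));          // quote is bound as data
var_dump(register_user($conn, 'bob', 'pw', 'not-an-email'));                    // invalid address
```

The `UNIQUE` constraint on `username` backs up the lookup: if two requests race past the check, the second `INSERT` raises an exception instead of creating a duplicate account.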