I am a complete PHP beginner. My trainer dived into it without much explanation.
Other PHP questions on Stack Overflow seem to follow some other syntax, so I'm confused.

Below are the config.php and index.php files. The database name is practice in this code, and the table name is fbsign. The trainer said values should be inserted into the database, but when I tried with the table, it worked last time. This is driving me crazy for half a day. I don't know what I am doing wrong.

Also, do the field names in the database and in the PHP code need to be the same?

Q update: Yes, I did run the code. It says 'connected but not saved'. PS: I thought SOF is to help people. I wouldn't ask the question if I knew the answer.

**config.php**

<?php
// Open the connection to the "practice" database.
// The original line was `new mysqli(...) or die(mysqli_error())`, which can
// never fire: `$con = new mysqli(...)` is evaluated first and an object is
// always truthy, so `or die(...)` is skipped, and mysqli_error() needs the
// connection as its argument anyway. Check connect_error instead.
$con = new mysqli('localhost', 'root', '', 'practice');

if ($con->connect_error)
{
    echo "not connected: " . $con->connect_error;
    exit;
}
else
{
    echo "connected";
}
?>

**index.php**


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>sign up form</title>
</head>
<body>

        <div id="content">
            <h2>Create an account</h2>
            <p>It's free and always will be.</p>

            <!-- action="" posts the form back to this same page -->
            <form name="signup" method="post" action="">
            <table>
                <tr>
                    <td><input type="text" name="fname" placeholder="first name" /></td>
                </tr>
                <tr>
                    <td><input type="text" name="sname" placeholder="surname" /></td>
                </tr>
                <tr>
                    <!-- "numbers" is not a valid input type (browsers silently fall back to text) -->
                    <td><input type="text" name="mob" placeholder="mobile number or email address" /></td>
                </tr>
                <tr>
                    <td><input type="password" name="pass" placeholder="new password" /></td>
                </tr>
                <tr>
                    <td><input type="submit" name="submit" value="Create Account" /></td>
                </tr>
            </table>
            </form>

        </div> <!-- end of content -->
</body>
</html>

<!-- start of php -->

<?php
include('config.php');
extract($_POST);   // creates $fname, $sname, $mob, $pass and $submit from the POST fields
if(isset($submit))
{
    // The original query read  '$mob,'$pass'  : the closing quote after $mob
    // was missing, so MySQL rejected the statement and the page printed
    // "not saved". The values are still interpolated straight into the SQL
    // text here, which the comments below point out is open to SQL injection.
    $query="insert into fbsign values('$fname','$sname','$mob','$pass')";
    if($con->query($query))
    {
        echo "data saved";
    }
    else
    {
        echo "not saved";
    }
}
?>
  • You need a better trainer if this is what they're having you put together. Major SQL injection security holes here. `extract($_POST)`, storing passwords in plain text... your mentor is having you write *horrible* code. – ceejayoz Mar 12 '18 at 02:28
  • ^^^ What they said. But here it is all again just in case you want links that will help you learn how to write better code. – John Conde Mar 12 '18 at 02:30
  • Your script is at risk of [SQL Injection Attack](//stackoverflow.com/questions/60174). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](//stackoverflow.com/questions/5741187) Use [prepared parameterized statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Mar 12 '18 at 02:31
  • **Never store plain text passwords!** Please use **[PHP's built-in functions](http://php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)**. Make sure you **[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde Mar 12 '18 at 02:31

2 Answers


Syntax in the sense that it's the most common practice for formatting, layout and methods?

Possibly.

Is it secure and properly done?

Not at all.

For starters, try using PDO with prepared statements. You also pass raw, untreated user inputs to your data by using extract($_POST); extract() should never be used on user inputs, either from a $_GET or a $_POST request. Check out this post here for details on sanitizing user inputs.

Brxxn

<?php
include('config.php');
if(isset($_POST['submit']))
{
    // Read the four expected fields explicitly instead of extract()-ing the whole request.
    $fname=$_POST['fname'];
    $sname=$_POST['sname'];
    $mob=$_POST['mob'];
    $pass=$_POST['pass'];

    // Name the columns explicitly and bind the values as parameters, so user
    // input never becomes part of the SQL text. The original built the string
    // as values('$fname','$sname','$mob','$pass'), which is open to SQL injection.
    $stmt=$con->prepare("insert into fbsign (fname,sname,mob,pass) values(?,?,?,?)");
    $ex=$stmt && $stmt->bind_param("ssss",$fname,$sname,$mob,$pass) && $stmt->execute();
    if($ex)
    {
        echo "successfully inserted::";
    }
    else
    {
        echo "ERROR::";
    }
}
?>
Mohini
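A hardened version of the sign-up handler that follows the advice in the comments and in the first answer (PDO prepared statements, password_hash(), no extract()), added here as an example and not taken from the question or either answer. It assumes the same practice database and fbsign table with columns fname, sname, mob and pass, where pass is wide enough (VARCHAR(255)) to hold a hash, and adds a hypothetical checkLogin() function to show the matching password_verify() side.

```php
<?php
// Added example (not the question's or either answer's code). Assumes database
// "practice" with table fbsign(fname, sname, mob, pass), pass being VARCHAR(255).
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=practice;charset=utf8mb4', 'root', '',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
}

// Sign-up: read only the expected fields (no extract()), hash the password
// untouched, and pass every value as a bound parameter instead of into the SQL text.
function saveSignup(PDO $con, array $post): bool
{
    $fname = trim((string) ($post['fname'] ?? ''));
    $sname = trim((string) ($post['sname'] ?? ''));
    $mob   = trim((string) ($post['mob'] ?? ''));
    $pass  = (string) ($post['pass'] ?? '');
    if ($fname === '' || $sname === '' || $mob === '' || $pass === '') {
        return false; // incomplete form: do not insert blank rows
    }
    $stmt = $con->prepare(
        'INSERT INTO fbsign (fname, sname, mob, pass) VALUES (:fname, :sname, :mob, :pass)');
    return $stmt->execute([':fname' => $fname, ':sname' => $sname, ':mob' => $mob,
        ':pass' => password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login check against the same table (hypothetical helper): fetch the stored hash
// by mob and let password_verify() compare, so the plain password is never stored.
function checkLogin(PDO $con, string $mob, string $pass): bool
{
    $stmt = $con->prepare('SELECT pass FROM fbsign WHERE mob = :mob LIMIT 1');
    $stmt->execute([':mob' => $mob]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, (string) $hash);
}

if (isset($_POST['submit'])) {
    try {
        echo saveSignup(connect(), $_POST) ? 'data saved' : 'not saved';
    } catch (PDOException $e) {
        error_log($e->getMessage()); // details go to the server log, not the browser
        echo 'not saved';
    }
}
```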