
I am a newbie and I am trying to make a sign-up form using PHP and Bootstrap. I have chosen the 'emailAddress' of the users as my primary key in my MySQL database table named 'user_accounts'. What I desire is: if the email of the user is unique, it should add their record to the database (which is working absolutely fantastically), but if the user enters an email already existing in the database, it should not add their record to the database, bring them back to the same page and change the 'form-group' to the 'form-group has-danger' element (as in Bootstrap), giving them the message to change their email and sign up again. It is not adding the record with the repeated email to the database, as the email field is the primary key, but it is not showing the 'form-group has-danger' on submitting, thus not giving the error message. Here is my code -

<body>
  <div class="container">     
    <center>
      <form class="signUpForm" method="post">
        <h1 class="signUpH1"><strong>Sign Up!</strong></h1>
        <hr>
        <fieldset>
          <div class="form-group">
            <label for="fullName">Full Name</label>
            <input type="text" class="form-control" name="fullName"  placeholder="Enter name">
          </div>
          <?php
            $_REQUEST[$status];
            if ($status == 'changeEmail') {
              # code...
              echo "<div class='form-group has-danger'>
                      <label for='emailAddress'>Email address</label>
                      <input type='email' class='form-control is-invalid' name='emailAddress' placeholder='Enter email'>
                      <div class='invalid-feedback'>Sorry, an account with that Email already exists! Try another.</div>
                    </div>";
             }
             else {
               # code...
               echo "<div class='form-group'>
                       <label for='emailAddress'>Email address</label>
                       <input type='email' class='form-control' name='emailAddress' aria-describedby='emailHelp' placeholder='Enter email'>
                       <small id='emailHelp' class='form-text text-muted'>We'll never share your email with anyone else.</small>
                      </div>";
              }
            ?>
            <div class="form-group">
              <label for="password">Password</label>
              <input type="password" class="form-control" name="password" placeholder="Enter Password">
            </div>
            <button type="submit" class="btn btn-primary" name="signUp">Submit</button>
        </fieldset>
      </form>
    </center>
  </div>

  <?php 
    if (isset($_REQUEST['signUp'])) {
      $fullName = $_REQUEST['fullName'];
      $emailAddress = $_REQUEST['emailAddress'];
      $password = $_REQUEST['password'];

      $link = mysql_connect("localhost","root","");
      mysql_select_db("practiceDatabase",$link);
      mysql_query("insert into user_accounts values ('".$fullName."','".$emailAddress."','".$password."')");
      $n = mysql_affected_rows();
      if ($n == 0) {
        # code...
        $status = 'changeEmail';
        return $status;
      }

      mysql_close($link);
    }
   ?>
 </body>

Any Help much appreciated! Thanks!

Yogit
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Apr 17 '18 at 16:42
  • Don't use the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use [**mysqli**](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Apr 17 '18 at 16:42
  • **Never** store plain text passwords. Instead use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php). If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). – Alex Howansky Apr 17 '18 at 16:43
  • Thank you so much for your suggestions. I'll surely try to correct my mistakes! :-) – Yogit Apr 18 '18 at 15:29

1 Answer


Please note, you should take the comments above and implement them, using PDO. Here is reworked code utilizing PDO.

<body>
  <div class="container">     
    .....
  </div>

  <?php 
    if (isset($_REQUEST['signUp'])) {
      $fullName = $_REQUEST['fullName'];
      $emailAddress = $_REQUEST['emailAddress'];
      $password = $_REQUEST['password'];

      // Connect with PDO (the mysql_* functions are removed in PHP 7);
      // ERRMODE_EXCEPTION makes a failing query throw instead of failing silently
      $conn = new PDO("mysql:host=localhost;dbname=practiceDatabase", "root", "");
      $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

      // First you should check and see if the email already exists
      $sql = "SELECT * FROM user_accounts WHERE email_address = :email_address";
      $params = array(":email_address"=>$emailAddress);

      $db = $conn->prepare($sql);
      $db->execute($params);

      if($db->rowCount() > 0) {
           // This means that there is already a row with this email, and is an error.  
      } else {
          $sql = "INSERT INTO user_accounts VALUES (....)";
          $params = .....;
          $insertDb = $conn->prepare($sql);
          $insertDb->execute($params);
      }
    }
  ?>
 </body>
Adam J
  • Hey, I'll definitely try to work this code out and check if it resolves my problem. Thank you so much for your help :) – Yogit Apr 18 '18 at 15:34
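
The advice in the comments on the question (prepared statements via PDO, no mysql_* functions, password_hash() instead of plain-text passwords) and the answer's duplicate-email check, pulled together in one added example. This is not the poster's or the answerer's code. It assumes the table from the question, user_accounts(fullName, emailAddress, password) with emailAddress as the primary key, in practiceDatabase on localhost as root with an empty password; the column names are taken from the form field names and are an assumption, as is welcome.php as the page to redirect to on success. Two things differ from the posted code. The duplicate is detected by letting the INSERT hit the primary key and catching the resulting SQLSTATE 23000 / MySQL 1062 error, which is atomic; a SELECT followed by an INSERT leaves a window in which two concurrent sign-ups with the same address both pass the check. And the submission is processed before the form is rendered, so the email field's class can depend on the outcome; in the question the field is echoed first and $status is only assigned afterwards, which is why has-danger never appears.

```php
<?php
// Added example, not code from the question or the answer.
// Assumed schema: user_accounts(fullName, emailAddress PRIMARY KEY, password)
// in practiceDatabase on localhost, user root, empty password (from the question).
declare(strict_types=1);

function connect(): PDO
{
    // Exceptions instead of silent failures, and real server-side prepares.
    return new PDO(
        'mysql:host=localhost;dbname=practiceDatabase;charset=utf8mb4',
        'root',
        '',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

/**
 * Insert the account. Returns true on success, false if the email is taken.
 * The PRIMARY KEY on emailAddress is the single source of truth: a duplicate
 * INSERT fails with SQLSTATE 23000 / MySQL error 1062, with no race window
 * between a separate SELECT and the INSERT.
 */
function createAccount(PDO $db, string $fullName, string $email, string $password): bool
{
    $stmt = $db->prepare(
        'INSERT INTO user_accounts (fullName, emailAddress, password)
         VALUES (:fullName, :email, :passwordHash)'
    );
    try {
        $stmt->execute([
            ':fullName'     => $fullName,
            ':email'        => $email,
            // Store a hash, never the password itself.
            ':passwordHash' => password_hash($password, PASSWORD_DEFAULT),
        ]);
        return true;
    } catch (PDOException $ex) {
        // errorInfo[1] is the MySQL driver code; 1062 = ER_DUP_ENTRY.
        if ($ex->getCode() === '23000' && (int) ($ex->errorInfo[1] ?? 0) === 1062) {
            return false;
        }
        throw $ex; // any other failure is a real error; do not mask it
    }
}

// HTML-escape anything reflected back into the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$emailTaken = false;
$errors     = [];

// Handle the POST before rendering, so the form can react to the outcome.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['signUp'])) {
    $fullName = trim((string) ($_POST['fullName'] ?? ''));
    $email    = trim((string) ($_POST['emailAddress'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');

    if ($fullName === '' || $password === '') {
        $errors[] = 'Name and password are required.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    if ($errors === []) {
        if (createAccount(connect(), $fullName, $email, $password)) {
            header('Location: welcome.php', true, 303); // hypothetical next page
            exit;
        }
        $emailTaken = true;
    }
}
$emailValue = h((string) ($_POST['emailAddress'] ?? ''));
?>
<form class="signUpForm" method="post">
  <?php foreach ($errors as $err): ?>
    <div class="alert alert-danger"><?= h($err) ?></div>
  <?php endforeach; ?>
  <div class="form-group">
    <label for="fullName">Full Name</label>
    <input type="text" class="form-control" id="fullName" name="fullName" placeholder="Enter name" required>
  </div>
  <div class="form-group<?= $emailTaken ? ' has-danger' : '' ?>">
    <label for="emailAddress">Email address</label>
    <input type="email" class="form-control<?= $emailTaken ? ' is-invalid' : '' ?>"
           id="emailAddress" name="emailAddress" value="<?= $emailValue ?>" placeholder="Enter email" required>
    <?php if ($emailTaken): ?>
      <div class="invalid-feedback">Sorry, an account with that Email already exists! Try another.</div>
    <?php endif; ?>
  </div>
  <div class="form-group">
    <label for="password">Password</label>
    <input type="password" class="form-control" id="password" name="password" placeholder="Enter Password" required>
  </div>
  <button type="submit" class="btn btn-primary" name="signUp">Submit</button>
</form>
```

Leaving the duplicate check to the constraint removes the need for the answer's SELECT, but keep the primary key (or a UNIQUE index) on emailAddress either way: without it nothing stops two concurrent requests from both inserting the same address. ERRMODE_EXCEPTION matters as well; in PDO's default silent mode the failed INSERT would only make execute() return false, and the mysql_affected_rows() check in the question is the same idea done with a removed API.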