Unknown issue with PHP registration form

Question

I'm trying to make a PHP login system, and I can't figure out what's causing it to not work.

Below is the PHP code from the register page. When executed, it fails to create a new user account.

<?php

if(isset($_POST['submit_btn']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    $cpassword = $_POST['cpassword'];

    if($_password==$_cpassword)
    {
        $query= "SELECT * FROM user WHERE username='$username'";

        $query_run = mysqli_query($con,$query);

        if(mysqli_num_rows($query_run)>0)
        {
            echo '<script type="text/javascript">alert("This Username Already exists.. Please try another username!")</script>';
        }
        {
            $query= "insert into user values('$username','$password')";
            $query_run = mysqli_query($con,$query);

            if($query_run)
            {
                echo '<script type="text/javascript">alert("User registered. Please login")</script>';
            }
            else
            {
                '<script type="text/javascript">alert("Error!")</script>';
            }
        }
    }
}

?>

**Your code is vulnerable to SQL injection and will be hacked** even if [you are escaping inputs!](https://stackoverflow.com/a/5741264/2595450) Use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. Check: [How can I prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Spoody, May 16 '18 at 17:46
**Please do not store plain text passwords** nor hash it with weak algorithms, use the [password functions](http://php.net/manual/en/faq.passwords.php) provided by PHP. Check: [How do you use bcrypt for hashing passwords in PHP](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) — Spoody, May 16 '18 at 17:46
Please **DONT** fix your code as you get answers. It makes possible valid answers look like nonsense — RiggsFolly, May 16 '18 at 17:50
Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you can see on the browser and other errors will also be visible on your browser. — RiggsFolly, May 16 '18 at 18:03

score 3 · Answer 1 · answered May 16 '18 at 17:41

3

The problem is here

if($_password==$_cpassword)

You'd defined these variables:

$password = $_POST['password'];
$cpassword = $_POST['cpassword'];

So, use $password and $cpassword instead

if($password == $cpassword)
...

By the way, your code is vulnerable to SQL injection attack. Use prepared statements.

answered May 16 '18 at 17:41

Felippe Duarte

14,901
2
25
29

thanks for pointing that out. That was not the only problem i guess because it is still not working. And thanks i'll fix vulnerabilities after i get this working. – Assisted Suicide May 16 '18 at 17:47
Felippe You might like to add the missing `ELSE` to your answer look for 2 consecutive lines `}{` Does not seem worth me adding another answer with just that in – RiggsFolly May 16 '18 at 17:52
@RiggsFolly I added the missing else, and that did not seem to fix it yet. – Assisted Suicide May 16 '18 at 17:56
The insert statement is valid? What columns do you have in user table? – Felippe Duarte May 16 '18 at 18:01

Unknown issue with PHP registration form

1 Answers1