```php
<?php
  $db = mysqli_connect('localhost', 'username', 'password', 'database');
  $username = "";
  $password = "";
  $regcode = "";
  if (isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $regcode = $_POST['regcode'];

    $sql_R = "SELECT * FROM regcode WHERE regcode='$regcode'";
    $sql_R2 = "SELECT * FROM staff WHERE regcode='$regcode'";
    $res_R2 = mysqli_query($db, $sql_R2);
    $res_R = mysqli_query($db, $sql_R);

    if ((mysqli_num_rows($res_R) > 0) && (mysqli_num_rows($res_R2) < 1)) {
      $query = "INSERT INTO staff (username, password, regcode)
                  VALUES ('.$username.', '.$password.', '".$regcode."')";
      $results = mysqli_query($db, $query);
      echo file_get_contents("register.html");
      exit();
    } else if (mysqli_num_rows($res_R2) > 0) {
      $regcode_error = "Reg.Code already used by someone, please inform administrator for further information.";
    } else {
      $regcode_error = "Reg.Code doesn't exists, please inform Administrator for further information.";
    }
  }
?>
```

Here's what happened: I'm trying to let my system recognize a code called 'regcode' from the database, so that when it's verified, users will be able to register their account. Users won't be able to register their account if the regcode is in use in the staff database or when the regcode doesn't exist in the regcode database. The problem is:

- My database didn't add the new info after it's verified.
- I've tried the other way, such as testing the regcode being invalid or in use, and it works well by displaying the error message.

I've been trying to figure this out for hours, and I still can't get it. I'm new to PHP btw, thanks for the advice.

Stan E
  • `'.$username.', '.$password.'` are incorrect, either concatenate, or use the variable in double quotes. Don't do both. You are open to SQL injections, parameterize. Don't store plain text passwords. Your tables seem very closely related, perhaps you should just have 1 table and an additional column that distinguishes the user's role. – user3783243 Jun 26 '18 at 14:52
  • Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs – RiggsFolly Jun 26 '18 at 14:57

1 Answer


This line is incorrect:

```php
VALUES ('.$username.', '.$password.', '".$regcode."')";
```

It should be:

```php
VALUES ('$username', '$password', '$regcode')";
```

You were concatenating incorrectly, and where you didn't need to. Remember, double-quoted strings will automatically expand $variables.

NOTE: Your script is wide open to SQL Injection Attack. Even if you are escaping inputs, it's not safe! Use prepared parameterized statements in either the `MYSQLI_` or `PDO` APIs.

This would have been easier for you to debug yourself if you included some error checking code. Add

```php
ini_set('display_errors', 1);
ini_set('log_errors', 1);
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
```

to the top of your script. This will force any mysqli_ errors to generate an Exception that you can see on the browser and other errors will also be visible on your browser.

RiggsFolly
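The comments and the answer recommend prepared parameterized statements and not storing plain-text passwords; the registration flow from the question rewritten that way follows, as an added example that is not code from the question or the answer. The table and column names come from the question, `register_staff()` is a hypothetical helper, and `staff.password` is assumed to be wide enough to hold a hash.

```php
<?php
// Added example, not the asker's or answerer's code.
// register_staff() is a hypothetical helper; tables/columns are from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

function register_staff(mysqli $db, string $username, string $password, string $regcode): string
{
    // Was this code ever issued? The value is bound, never interpolated into the SQL.
    $stmt = $db->prepare('SELECT 1 FROM regcode WHERE regcode = ?');
    $stmt->bind_param('s', $regcode);
    $stmt->execute();
    $stmt->store_result();
    $issued = $stmt->num_rows > 0;
    $stmt->close();
    if (!$issued) {
        return 'unknown_code';
    }

    // Has a staff account already claimed it?
    $stmt = $db->prepare('SELECT 1 FROM staff WHERE regcode = ?');
    $stmt->bind_param('s', $regcode);
    $stmt->execute();
    $stmt->store_result();
    $used = $stmt->num_rows > 0;
    $stmt->close();
    if ($used) {
        return 'code_in_use';
    }

    // Store a salted hash instead of the plain-text password.
    // Assumption: staff.password can hold it (e.g. VARCHAR(255)).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO staff (username, password, regcode) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $hash, $regcode);
    $stmt->execute();
    $stmt->close();
    return 'registered';
}

if (isset($_POST['submit'])) {
    // Connection values are the placeholders used in the question.
    $db = new mysqli('localhost', 'username', 'password', 'database');
    $db->set_charset('utf8mb4');
    $result = register_staff($db, $_POST['username'] ?? '', $_POST['password'] ?? '', $_POST['regcode'] ?? '');
    // Map $result to the page or error message to show; a login page would check with password_verify().
}
```

A UNIQUE index on `staff.regcode` would additionally stop two simultaneous requests from both passing the "in use" check with the same code.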