-2
<?php
$servername = "localhost";
$username = "root";
$password = "";
$db = "youtube";
$conn = new mysqli($servername, $username, $password, $db);

// Check connection
//if ($conn->connect_error) {
// die("Connection failed: " . $conn->connect_error);
//} 
//echo "Connected successfull
if(isset($_POST['Submit']))
{
    if(mysqli_num_rows(mysqli_query($conn," INSERT INTO admin  where 
        Name='".$_POST['Name']."' , Password='".$_POST['Password']."', E- 
        mail='".$_POST['E-mail']."' and  country='".$_POST['country']."'"))>0)
    {
        echo 'signup successfull';  
    }   
    else
    {
        echo 'incorrect username  password';    
    }
}
?>

Welcome <?php echo $_POST["name"]; ?><br>
Your email address is: <?php echo $_POST["email"]; ?>
<?php echo "<br>"?>

Your country is: <?php echo $_POST["country"]; ?>
<?php echo "<br>"?>

Your password is: <?php echo $_POST["pwd"]; ?>
<?php echo "<br>"?>
M. Eriksson
  • 1
    insert into has no where clause – Sugumar Venkatesan Jul 31 '18 at 06:07
  • 1
    **Warning:** You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use parameterized [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of manually building your queries like that. Especially since you're not escaping the user inputs at all! – M. Eriksson Jul 31 '18 at 06:08
  • 1
    **Never store passwords in clear text!** Only store password hashes! Use PHP's [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php). If you're running a PHP version lower than 5.5 (which I _really_ hope you aren't), you can use the [password_compat library](https://github.com/ircmaxell/password_compat) to get the same functionality. – M. Eriksson Jul 31 '18 at 06:08
  • 1
    I'm also curious about how you determine that the username and password are invalid just because the insert-query fails... Btw, an `INSERT` doesn't return a result set, which should make `mysqli_num_rows()` fail every single time. I think you should read the manual about those functions. – M. Eriksson Jul 31 '18 at 06:09
  • 1
    You are not performing the most basic error checking on your query. You need to run some diagnostic calls and general debugging techniques. `mysqli_num_rows()` is not the function to call after an `INSERT`, `UPDATE`, or `DELETE` query. – mickmackusa Jul 31 '18 at 06:11
  • Possible duplicate of [Hyphens in column names in MySQL DB](https://stackoverflow.com/questions/885497/hyphens-in-column-names-in-mysql-db) – mickmackusa Jul 31 '18 at 06:16
  • 1
    @MagnusEriksson I think I found a suitable dupe -- even though the query is full of errors. _Too Broad_ and _Why isn't my code working_ would be acceptable too. Perhaps a better duplicate would be like: how to check my query for errors. – mickmackusa Jul 31 '18 at 06:17
  • @mickmackusa - I'm going for _"Why isn't my code working"_ since the question lacks any debugging, error handling, problem statement and simply has too many errors. – M. Eriksson Jul 31 '18 at 06:29

1 Answer

0

The problem is in the data insert query.

$sql = "INSERT INTO admin(name, Password, mail,country)
VALUES ("$_POST['Name']", "$_POST['Password']", "$_POST['E-mail']","$_POST['country']")";

if (mysqli_query($conn, $sql)) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}

Try this.

Krunal Pandya
  • You can't just arbitrarily change the columns in the query and write "try this". How would that ever work? – M. Eriksson Jul 31 '18 at 06:33
  • **Warning:** This example is _wide open_ to SQL Injections and can _seriously_ compromise your database! – M. Eriksson Jul 31 '18 at 07:11
  • OK, if you have any good example for this question, please help him, not criticise another solution. This site is for helping others. – Krunal Pandya Jul 31 '18 at 07:17
  • If you suggest an extremely insecure solution, we _should_ point that out. When you post a solution, it should be by best practices or the OP (and future visitors) will use this, thinking it's good when, in fact, it opens them up for attacks. It's actually also wrong and won't work since you haven't quoted the values in the query. This would only work if all columns and values were defined as integers. If you _do_ quote the values, then the query would break if any of the values contains a `'` or ends in a backslash. _Never_ use user data directly like that. – M. Eriksson Jul 31 '18 at 08:20
  • You are right. Why don't you post a good solution (which cannot be affected by any SQL injection) with an example? – Krunal Pandya Jul 31 '18 at 08:25
  • If you read the comments under the original question, you will find out why. I've already voted to close this question since it doesn't show that the OP has done any debugging whatsoever and contains multiple issues. Anyway, it doesn't matter. Me posting a solution or not doesn't change the fact that this is both insecure and wrong (for multiple reasons). – M. Eriksson Jul 31 '18 at 08:26
  • I think the questioner is a newbie; I think he would understand better with an example, not a comment. – Krunal Pandya Jul 31 '18 at 08:30
  • Considering all the issues, the OP needs to do some research and learn how to properly debug the code. We would need to rewrite the complete code for the OP. SO isn't a "just fix this for me"-site when there are that many errors. It's for helping out, which we have done in the comments by pointing out the issues together with links about the issues. As I said, it doesn't matter. This answer is still broken. – M. Eriksson Jul 31 '18 at 08:34
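
The comments above name four separate defects: user input concatenated into the SQL, the clear-text password, the unquoted hyphenated column `E-mail`, and `mysqli_num_rows()` called after an `INSERT`. The following is an added example, not code from the question, the answer or any commenter, showing the signup handler with those four points applied. The table, column and form-field names and the connection values are the question's; the `registerAdmin` helper and the `VARCHAR(255)` width for `Password` are assumptions.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes table `admin` with columns Name, Password, `E-mail`, country (names from
// the question) and a Password column wide enough for a hash, e.g. VARCHAR(255).

// Make mysqli throw exceptions so a failed query cannot pass for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: validates the form, hashes the password, inserts one row.
function registerAdmin(mysqli $conn, array $post): string
{
    // Field names match the question's form; reject missing, non-string or empty values.
    foreach (['Name', 'Password', 'E-mail', 'country'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            return 'Missing field: ' . $field;
        }
    }

    // Store a salted hash, never the clear-text password.
    $hash = password_hash($post['Password'], PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text, so a ' or a trailing
    // backslash in a value cannot change the statement. `E-mail` needs backticks.
    $stmt = $conn->prepare(
        'INSERT INTO admin (Name, Password, `E-mail`, country) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $post['Name'], $hash, $post['E-mail'], $post['country']);
    $stmt->execute();

    // An INSERT returns no result set; affected_rows says whether a row was written.
    return $stmt->affected_rows === 1 ? 'Signup successful' : 'Signup failed';
}

if (isset($_POST['Submit'])) {
    try {
        // Connection values are the question's.
        $conn = new mysqli('localhost', 'root', '', 'youtube');
        $conn->set_charset('utf8mb4');
        $message = registerAdmin($conn, $_POST);
    } catch (mysqli_sql_exception $e) {
        // Query and connection details go to the server log, not to the browser.
        error_log('Signup failed: ' . $e->getMessage());
        $message = 'Signup failed';
    }
    // Escape anything echoed into HTML, and never echo the password back.
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```

At login, the submitted password is checked against the stored hash with `password_verify()` rather than compared in SQL.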