
I am trying to get data from a js form using php to mysql database to register new users to my university project website. I am quite new and I tried to work out what is going on but could not get it to work. Everything seems to be working but the data does not get sent to the database.

<?php

// initializing variables
$username = "";
$password = "";
$title = "";
$firstname = "";
$lastname = "";
$gender = "";
$address = "";
$postcode = "";
$email = "";
$telephone = "";
$errors = array(); 
$_SESSION['success'] = "";

// connect to the database
$db = mysqli_connect('localhost', 'root', '', 'cmetmarketplace');

// REGISTER USER
if (isset($_POST['reg_user'])) {
  // receive all input values from the form
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password = mysqli_real_escape_string($db, $_POST['password']);
  $password2 = mysqli_real_escape_string($db, $_POST['password2']);
  $title = mysqli_real_escape_string($db, $_POST['title']);
  $firstname = mysqli_real_escape_string($db, $_POST['firstname']);
  $lastname = mysqli_real_escape_string($db, $_POST['lastname']);
  $gender = mysqli_real_escape_string($db, $_POST['gender']);
  $address = mysqli_real_escape_string($db, $_POST['address']);
  $postcode = mysqli_real_escape_string($db, $_POST['postcode']);
  $email = mysqli_real_escape_string($db, $_POST['email']);
  $telephone = mysqli_real_escape_string($db, $_POST['telephone']);



  // form validation: ensure that the form is correctly filled ...
  // by adding (array_push()) corresponding error unto $errors array
  if (empty($username)) { array_push($errors, "Username is required"); }
  if (empty($password)) { array_push($errors, "Password is required"); }
  if (empty($title)) { array_push($errors, "Title is required"); }
  if (empty($firstname)) { array_push($errors, "First name is required"); }
  if (empty($lastname)) { array_push($errors, "Last name is required"); }
  if (empty($gender)) { array_push($errors, "Gender is required"); }
  if (empty($address)) { array_push($errors, "Address is required"); }
  if (empty($postcode)) { array_push($errors, "Postcode is required"); }
  if (empty($email)) { array_push($errors, "Email is required"); }
  if (empty($telephone)) { array_push($errors, "Telephone number is required"); }
  if ($password != $password2) {
    array_push($errors, "The two passwords do not match");
  }


  // Finally, register user if there are no errors in the form
  if (count($errors) == 0) {
    $password = md5($password_1);//encrypt the password before saving in the database

    $query = "INSERT INTO users (username, password, title, first_name, last_name, gender, address, postcode, email, telephone) 
              VALUES('$username', '$password', '$title', '$firstname', '$lastname', '$gender', '$address', '$postcode', '$email', '$telephone')";
    mysqli_query($db, $query);
  }
}
  • You should ideally be using [prepared statements and parameterized queries](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) to better prevent SQL injection, as [mysqli_real_escape_string()](https://www.php.net/manual/en/mysqli.real-escape-string.php) can be unsafe to use, especially without setting a default character set, as the manual suggests in the **Security Caution**. – Raymond Nijland Apr 16 '19 at 13:53
  • post your ` ` also. – Swati Apr 16 '19 at 13:55
  • Also, md5 should not be used anymore for passwords, especially unsalted, because large [rainbow tables](https://en.wikipedia.org/wiki/Rainbow_table) exist nowadays, and md5 is very fast on GPUs, making it very fast to bruteforce (using OpenCL or CUDA) the correct password from the md5 hash, with or without salt. I advise you to read [Safe Password Hashing](https://www.php.net/manual/en/faq.passwords.php) and use Blowfish, because it generates a different hash for each run even if the data is the same, so rainbow tables can't be made; also, Blowfish runs very slowly on GPUs. – Raymond Nijland Apr 16 '19 at 14:02
  • You're hashing a variable, $password_1, that doesn't exist. That's not the problem here, however. I'd also suggest validating the incoming input prior to escaping it (ignoring the point that you should really be using prepared statements, as previously noted). – Chris White Apr 16 '19 at 15:06

1 Answer

If there are no errors, I would recommend doing something like this:

// mysqli_query() returns false on failure; check it instead of ignoring the result.
// $db is the procedural handle from mysqli_connect(), so use mysqli_error($db).
if (mysqli_query($db, $query)) {
    // SUCCESS
} else {
    printf("Error: %s\n", mysqli_error($db));
}

That should help with debugging the problem.

Cannot say what is wrong right now, as we would have to see a print of the arrays etc.

Otherwise, check what the error is.
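Putting together the advice from the comments on the question (prepared statements with bound parameters instead of mysqli_real_escape_string(), a per-user salted bcrypt hash via password_hash() instead of md5(), and setting the connection charset) with the answer's point that the INSERT result must actually be checked, here is an added example of the registration handler. It is not code from the question or the answer. It assumes the same cmetmarketplace database and users table columns as the question's INSERT plus an auto-increment id column and a UNIQUE index on username and email (that is what makes the duplicate-key errno 1062 meaningful); the app_user/app_password credentials are placeholders for a dedicated low-privilege account rather than root with an empty password; get_result() needs the mysqlnd driver; and PHP 7.1 or later.

```php
<?php
// Added example (not the question's or the answer's code).
// Assumes: database `cmetmarketplace` with a `users` table holding the
// question's INSERT columns plus an auto-increment `id` and a UNIQUE index on
// username/email; placeholder credentials app_user/app_password; PHP 7.1+.
declare(strict_types=1);

session_start();

// Make every mysqli failure throw mysqli_sql_exception instead of returning
// false, so a failed INSERT can never be mistaken for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'cmetmarketplace');
$db->set_charset('utf8mb4'); // fix the connection charset before any query

/** Validate the form; returns a list of error messages (empty when valid). */
function validate_registration(array $post): array
{
    $errors = [];
    $required = ['username', 'password', 'password2', 'title', 'firstname',
                 'lastname', 'gender', 'address', 'postcode', 'email', 'telephone'];
    foreach ($required as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = ucfirst($field) . ' is required';
        }
    }
    if ($errors !== []) {
        return $errors; // later checks assume every field is a non-empty string
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $post['username'])) {
        $errors[] = 'Username must be 3-32 letters, digits or underscores';
    }
    if (strlen($post['password']) < 12) {
        $errors[] = 'Password must be at least 12 characters';
    }
    if ($post['password'] !== $post['password2']) {
        $errors[] = 'The two passwords do not match';
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid';
    }
    return $errors;
}

/** Insert the user via a prepared statement; returns the new row id. */
function register_user(mysqli $db, array $post): int
{
    // password_hash() generates a per-user salt and uses bcrypt (PASSWORD_DEFAULT).
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'INSERT INTO users (username, password, title, first_name, last_name,
                            gender, address, postcode, email, telephone)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    // Values travel separately from the SQL text: no escaping needed, and user
    // input cannot alter the statement's structure.
    $stmt->bind_param('ssssssssss',
        $post['username'], $hash, $post['title'], $post['firstname'],
        $post['lastname'], $post['gender'], $post['address'],
        $post['postcode'], $post['email'], $post['telephone']);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

/** Login counterpart: returns the user id, or null if the credentials are wrong. */
function check_login(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // password_verify() reads the salt and cost back out of the stored hash.
    if ($row !== null && password_verify($password, $row['password'])) {
        return (int) $row['id'];
    }
    return null;
}

if (isset($_POST['reg_user'])) {
    $errors = validate_registration($_POST);
    if ($errors === []) {
        try {
            $id = register_user($db, $_POST);
            $_SESSION['success'] = "Registered user #$id";
        } catch (mysqli_sql_exception $e) {
            // Log the real error server-side. Never echo $e->getMessage() to the
            // browser: it leaks table and column names. Errno 1062 = duplicate key.
            error_log('register_user failed: ' . $e->getMessage());
            $errors[] = $e->getCode() === 1062
                ? 'That username or email is already registered'
                : 'Registration failed, please try again later';
        }
    }
}
```

The exception mode set by mysqli_report() is what turns the silent failure in the question into something visible: with it, the original code would have thrown at mysqli_query() and the stack trace would have pointed at the failing statement. Printing mysqli_error() to the page, as the answer suggests, is fine while debugging locally, but in production the message should go to the server log only, since it describes the schema to anyone who can trigger the error.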