0

I'm trying to create an instant messaging service using PHP. I'm able to get the website up and running to register users to a MySQL database, but for the life of me I can't understand why it won't add the users.

I have already made the table for the users in phpMyAdmin, also remade them just in case I messed it up, but nothing works.

This is my main webpage to register new users:

<!doctype html>
<html>

<head>
<style>
*{margin:0px; padding:0px;}
#main{ width:200px; margin:24px auto; }
</style>
</head>

<body>
<?Php

        require_once("connection.php") ;
    if(isset($_POST['Register'])){
        $first_name = $_POST['first_name'] ;
        $last_name = $_POST['last_name'] ;
        $user_name = $_POST['user_name'] ;
        $password = $_POST['password'] ;
    if ($first_name !="" and $last_name !="" and $user_name !="" and $password !=""  ){

    $q="INSERT INTO `user` ('id','first_name','last_name','user_name', 'password')
        VALUES('', '".$first_name."', '".$last_name."', '".$user_name."', '".$password."') 
        " ;
        if(mysqli_query($con, $q )){
        header("location:login.php") ; 
        }else{
        echo $q ;
        }

    }else{
        echo "please fill in all the boxes" ;

    }

    }


?>



<div id="main">
<h2 align="center">Registration</h2>
<form method="post">
First Name:<br>
<input type="text" name="first_name" placeholder="First Name" />
<br><br>
Last Name:<br>
<input type="text" name="last_name" placeholder="Last Name" /><br><br>
User Name:<br>
<input type="text" name="user_name" placeholder="User Name" /><br><br>
Password:<br>
<input type="password" name="password" placeholder="Password" /><br><br>
<input type="submit" name"register" value="Register" />


</form>
</div>


</body>

</html>

It is referencing connection.php which is:

<?php

$con =  mysqli_connect("localhost","pmauser","root","chat application") ;

?>

Once all the text has been entered and they click register, the form clears but no message pops up. After that I go to phpMyAdmin and check for users and it comes up empty. What should be happening is that it takes all the information in the textboxes and adds them to the database.

Cid
  • 14,968
  • 4
  • 30
  • 45
  • And have you done any debugging at all to try to narrow down where things may be going wrong? – Patrick Q Apr 29 '19 at 14:12
  • PhpMyAdmin **is not** a database. This is a php tool used to manage MySQL Databases, like MySQL Workbench. – Cid Apr 29 '19 at 14:16
  • It is bad practice to allow raw input from the client side to be used within a SQL query as you have done. This opens up your website to SQL Injection attacks. Consider using PHP PDO in order to sanitise SQL input. – Jim Grant Apr 29 '19 at 14:20
  • Stop storing plaintext passwords. Use password_hash. You're wide open to SQL Injection, you should use parameterized statements. – Chris White Apr 29 '19 at 14:20
  • Patrick Q I have tried making different files trying to do the same thing, they all fail. – Jon Joestar Apr 29 '19 at 14:28
  • Regarding the other previous comments, I will make it more secure after I get the bare bones working. Thank you all for your input as of now :) – Jon Joestar Apr 29 '19 at 14:29
  • @JonJoestar That doesn't answer what I asked at all. What _specifically_ have you done to try to locate the source of the problem? – Patrick Q Apr 29 '19 at 14:34
  • @PatrickQ to be honest I'm not really sure what to do, I'm very new to PHP and MySQL. – Jon Joestar Apr 29 '19 at 14:43
  • @JonJoestar I'm sorry, but if you can't do some basic debugging, then we're just wasting our time guessing what the problem might be. Simply saying that your code doesn't work isn't a good enough starting point for a question here. Also, there is no point waiting to "get the bare bones working" before implementing prepared statements and bound parameters. Save yourself the headache and do this _now_. There is a chance that it may even fix the problem, depending on what it actually is. – Patrick Q Apr 29 '19 at 14:57
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 29 '19 at 15:32
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 29 '19 at 15:33
  • `Register` != `register` – Jay Blanchard Apr 29 '19 at 15:34

4 Answers

1

Change name"register" to name"Register"

because your check is like this

if(isset($_POST['Register'])){

OR

make it as (if you don't want to change your html)

 if(isset($_POST['register'])){

The way you are passing parameters would lead to SQL Injection. Please read about it here.

Danyal Sandeelo
  • 12,196
  • 10
  • 47
  • 78
  • The issue is that the value in the submit input type, defines the text on the button and isn't actually submitted in the form as such (as other values in input boxes). – Jim Grant Apr 29 '19 at 14:41
  • 1
    This isn't about the value @JimGrant, it is about the name. The answer here is correct, but leaves out all of the things your post has about SQL Injection, password hashing, etc. – Jay Blanchard Apr 29 '19 at 15:42
-1

I did notice you assign a value to the input box of register, since the input box is a submit type, value is only for display purposes and not submitted in the form. I've included a hidden input box to do this instead.

Refactoring your code and amending it to prevent SQL injection attacks, you get the following:

HTML Document

<!doctype html>
<html>

    <head>
        <style>
            *{margin:0px; padding:0px;}
            #main{ width:200px; margin:24px auto; }
        </style>
    </head>

<body>

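    <?php
        require_once("connection.php");

        // isset() avoids an undefined-index notice when the page is first loaded with GET
        if(isset($_POST['register']) && $_POST['register'] == 'Register')
        {
            $first_name = $_POST['first_name'];
            $last_name = $_POST['last_name'];
            $user_name = $_POST['user_name'];
            $password = $_POST['password'];

            // Check the raw password: a hash is never empty, so hashing first would accept a blank one
            if( ($first_name <> "") && ($last_name <> "") && ($user_name <> "") && ($password <> "")  )
            {
                $password = password_hash($password, PASSWORD_DEFAULT);
                // MySQL identifiers take backticks; single quotes would turn them into string literals.
                // `id` is left out on the assumption that it is an AUTO_INCREMENT column.
                $sql = "INSERT INTO `user` (`first_name`, `last_name`, `user_name`, `password`) VALUES(?, ?, ?, ?);";
                $stmt = $pdo->prepare($sql);
                if( $stmt->execute([$first_name, $last_name, $user_name, $password]) )
                    header("location:login.php");
                else
                    $stmt->debugDumpParams();   // method of the statement object; prints directly
            }
            else
                echo "please fill in all the boxes";
        }
    ?>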

    <div id="main">
        <h2 align="center">Registration</h2>

        <form method="post">
            First Name:<br>
            <input type="text" id="first_name" name="first_name" placeholder="First Name" />
            <br><br>
            Last Name:<br>
            <input type="text" id="last_name" name="last_name" placeholder="Last Name" /><br><br>
            User Name:<br>
            <input type="text" id="user_name" name="user_name" placeholder="User Name" /><br><br>
            Password:<br>
            <input type="password" id="password" name="password" placeholder="Password" /><br><br>
            <input type="hidden" id="register" name="register" value="Register" />
            <input type="submit" value="Register" />
        </form>
    </div>

</body>

</html>

Connection PHP file.

<?php

$host = '127.0.0.1';
$db   = 'test';
$user = 'root';
$pass = '';
$charset = 'utf8mb4';

$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];
try {
     $pdo = new PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
     throw new \PDOException($e->getMessage(), (int)$e->getCode());
}
Jim Grant
  • 1,128
  • 2
  • 13
  • 31
-1

I suspect that USER info data is not getting stored in your database because AUTOCOMMIT is switched off. To verify this, run: SELECT @@autocommit; before your insert. If the result is 0, AUTOCOMMIT is indeed switched off. If it is off, your INSERT will not be saved unless you issue a COMMIT after your INSERT. Alternatively, switch on AUTOCOMMIT (for session or entire database) i.e. SET autocommit = 1;

-1

The following works perfectly for me. I changed some things but it works :).

<?php
require_once("connection.php") ;
if(isset($_POST['register']))
{
        $first_name = $_POST['first_name'] ;
        $last_name = $_POST['last_name'] ;
        $user_name = $_POST['user_name'] ;
        $password = $_POST['password'] ;
    if (!empty($first_name) and !empty($last_name) and !empty($user_name) and !empty($password))
    {
                $q="INSERT INTO `user` (id,first_name,last_name,user_name, password) VALUES ('', '$first_name', '$last_name', '$user_name', '$password')";
                if(mysqli_query($con, $q )){
                        header("location:login.php");
                }else{ echo "ERROR: Could not execute $q. " . mysqli_error($con);}
     }
}
?>

<div id="main">
<h2 align="center">Registration</h2>
<form method="post">
First Name:<br>
<input type="text" name="first_name" placeholder="First Name" />
<br><br>
Last Name:<br>
<input type="text" name="last_name" placeholder="Last Name" /><br><br>
User Name:<br>
<input type="text" name="user_name" placeholder="User Name" /><br><br>
Password:<br>
<input type="password" name="password" placeholder="Password" /><br><br>
<input type="submit" name="register" value="Register" />

</form>
</div>
</body>
</html>
Xofraz
  • 56
  • 5
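
A hardened form of the mysqli handler, as an added example that is not part of any answer in this thread: it keeps the asker's `connection.php` and `$con`, binds the four form values through a prepared statement as the comments recommend, and stores a `password_hash()` digest instead of the plaintext. It assumes `id` is an AUTO_INCREMENT column and that the `password` column is wide enough for the hash (255 characters is the usual recommendation); the `register_user()` helper name is hypothetical.

```php
<?php
// Added example, not code from the thread. It runs before any HTML is sent,
// so the header() redirect cannot fail with "headers already sent".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make mysqli throw on errors
require_once("connection.php");   // provides $con, as in the question

// Hypothetical helper: returns '' on success or a message that is safe to show the user.
function register_user(mysqli $con, array $post): string
{
    $values = [];
    foreach (['first_name', 'last_name', 'user_name', 'password'] as $field) {
        // Missing, array-valued and blank inputs are all rejected.
        $v = (isset($post[$field]) && is_string($post[$field])) ? $post[$field] : '';
        if ($field !== 'password') {
            $v = trim($v);        // the password itself is never trimmed or escaped
        }
        if ($v === '') {
            return "please fill in all the boxes";
        }
        $values[] = $v;
    }
    list($first, $last, $user, $password) = $values;
    $hash = password_hash($password, PASSWORD_DEFAULT);   // check later with password_verify()
    try {
        // Placeholders keep the form values out of the SQL text entirely.
        // Assumption: `id` is AUTO_INCREMENT, so it is not listed.
        $stmt = mysqli_prepare($con,
            "INSERT INTO `user` (`first_name`, `last_name`, `user_name`, `password`)
             VALUES (?, ?, ?, ?)");
        mysqli_stmt_bind_param($stmt, "ssss", $first, $last, $user, $hash);
        mysqli_stmt_execute($stmt);
        return '';
    } catch (mysqli_sql_exception $e) {
        error_log("registration insert failed: " . $e->getMessage()); // detail stays server-side
        return "Registration failed, please try again later.";
    }
}

$message = '';
// The key must match the form's name="register" attribute exactly; it is case-sensitive.
if (isset($_POST['register'])) {
    $message = register_user($con, $_POST);
    if ($message === '') {
        header("Location: login.php");
        exit;
    }
}
// In the page body, print $message through htmlspecialchars($message, ENT_QUOTES, 'UTF-8').
```

Unlike `echo $q` in the question, a failed insert here writes the database error to the server log and shows the visitor only a generic message.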