-1

If I want to add content to the table using "INSERT INTO", I don't get an error message and the table is not filled. I'm new with PHP. explanations would be nice. The database runs on XAMPP.

I don't know what to try. I've already used another table, but it doesn't work. The user should have full access to the table. The names also match.

<?php
$username = $_POST["username"];
$passwort = $_POST["passwort"];
$mail = $_POST["mail"];
$passwort2 = $_POST["passwort2"];
$pass = sha1($passwort);
$db = mysqli_connect("localhost", "phptest1", "o84XM5wxo65QBjkF", "phptest1");
if($passwort == $passwort2) {
    echo "Password is correct.";
    $db = "INSERT INTO user (Username, Mail, Password) VALUES ('$username', '$mail', '$pass')";
} else if(!($passwort == $passwot2)) {
    echo "Password is not correct";
} ?>
aynber
  • 22,380
  • 8
  • 50
  • 63
Cyberpunk7711
  • 127
  • 1
  • 10
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Apr 30 '19 at 16:13
  • SHA1 is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. – Alex Howansky Apr 30 '19 at 16:14
  • 1
    You never actually insert the data, you just create the query string. – aynber Apr 30 '19 at 16:15
  • 2
    Note you're not actually *running* the SQL command, you're just setting a variable. – Alex Howansky Apr 30 '19 at 16:15
  • 1
    These poor users must get so overwhelmed when they come here with code from one of the numerous crappy tutorial sites out there and just get told all the bad things that tutorial showed them. – Chris White Apr 30 '19 at 16:18
  • You have a typo in your else if statement ($passwot2 instead of $passwort2) – kgrg Apr 30 '19 at 18:02

1 Answers1

0

The variable $db actually contains information about the connection. You cannot insert a query into your database the way you are trying to

You can use $db (in your case) in order to check whether the connection has been correctly established or not and then if everything works correctly you can user mysqli_query() to inject the query into your database.

You can do it like so:

    <?php

    if(isset($_POST['submit'])){ //You have to check if your submit button is pressed
       $username = $_POST["username"];
       $passwort = $_POST["passwort"];
       $mail = $_POST["mail"];
       $passwort2 = $_POST["passwort2"];
       $pass = sha1($passwort);
       $db = mysqli_connect("localhost", "phptest1", "o84XM5wxo65QBjkF", "phptest1");


       if(!$db){
          die('Connection could not be established! Check provided information');
       }

       if($passwort == $passwort2) {
          echo "Password is correct.Inserting query now";
          $query = "INSERT INTO user (Username, Mail, Password) VALUES ('$username', '$mail', '$pass')";
          $result = mysqli_query($db, $query); //keep $result for debugging purposes.
       } else {
        die("Password is not correct");
       } //no need for else if as there are only 2 conditions.


       if(!$result){ //check if query was successful.
          die('Query Error');
       }
       echo "Query Updated successfully";

    }
?>

This code is really simplistic and for testing purposes only.

I just wanted to show you the way you can send queries to your database. You better use other encryption techniques i.e. crypt() and of course functions like mysqli_real_escape_string() when retrieving data from users, in order to avoid potential injection attacks.

Check this post for more info about preventing injections.

Hope that helps.

CptGeo
  • 56
  • 1
  • 5