I'm setting up a fully organized sign-up form, and I'm trying to send the information into my MySQL database server. My code does not work and I can't figure out why the message "You have been signed up!" does not pop up. I've tried several options but none of them work on the server.

```php
<?php
if (array_key_exists('email', $_POST) or array_key_exists('password', $_POST)) {
    $link = mysqli_connect("localhost", "xxxx", "xxxx", "xxxx");
    if (mysqli_connect_error()) {
        die("There was an error connecting to the database");
    }
    if ($_POST['email'] == '') {
        echo "<p>Email address is required.</p>";
    } else if ($_POST['password'] == '') {
        echo "<p>Password is required.</p>";
    } else {
        // Check whether the address is already registered
        $query = "SELECT `id` FROM `users` WHERE email = '" . mysqli_real_escape_string($link, $_POST['email']) . "'";
        $result = mysqli_query($link, $query);
        if (mysqli_num_rows($result) > 0) {
            echo "<p>That email address has already been taken.</p>";
        } else {
            $query = "INSERT INTO `users` (`email`, `password`) VALUES ('" . mysqli_real_escape_string($link, $_POST['email']) . "', '" . mysqli_real_escape_string($link, $_POST['password']) . "')";
            if (mysqli_query($link, $query)) {
                echo "<p>You have been signed up!</p>";
            } else {
                // mysqli_error($link) holds the reason the INSERT failed
                echo "<p>There was a problem signing you up - please try again later.</p>";
            }
        }
    }
}
?>
```

When I sign up through the form, it only pops up "There was a problem signing you up - please try again later". I expect "You have been signed up!" as the result.

Here is the problem:

nacho
  • Seems to be an error in the SQL - in the `else`, add `echo mysqli_error($link);` to see what the error message is. – MER May 23 '19 at 13:52
  • Also, probably not the best idea to post your mysql credentials on the internets. – MER May 23 '19 at 13:55
  • Lots of things are wrong/outdated in this. `mysqli_real_escape_string()` (also unsafe to use without setting a charset) is not the best way to protect against SQL injections, see [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) – Raymond Nijland May 23 '19 at 13:56
  • .. Also, not hashing the password in the database is a no-go. I advise you to read [Safe Password Hashing](https://www.php.net/manual/en/faq.passwords.php) and use blowfish, as it is designed to run slow on CPU and GPU so bruteforcing isn't a thing, and also because of an internal salt hash which makes precalculated rainbow tables unusable. – Raymond Nijland May 23 '19 at 13:56
  • Also, when you use the tips I've mentioned, make sure you write the query like `SELECT password FROM users WHERE user = :username` and use `password_verify()`.. then your code is safe against [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). If you also include the password in the WHERE, the SQL can become a target for [timing attacks](https://en.wikipedia.org/wiki/Timing_attack), as the database is designed to return as quickly as possible, especially when the password is (part of) a multi-column Btree index. – Raymond Nijland May 23 '19 at 14:01
  • @RaymondNijland very good point about timing attacks! – Lelio Faieta May 23 '19 at 14:55
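The approach the comments recommend, written out as an added example (not the asker's code and not from any answer): prepared statements instead of string escaping, a charset set before any query, bcrypt via `password_hash()`, failures logged rather than hidden, and a login check that fetches by email only and compares with `password_verify()`. It assumes the question's `users(email, password)` table with a UNIQUE index on `email`, a `password` column of at least 60 characters, and the same connection placeholders as the question.

```php
<?php
// Added example (not the asker's code): the sign-up flow rebuilt along the lines
// of the comments above. Assumes the question's users(email, password) table with
// a UNIQUE index on email and a password column of at least 60 characters.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli failures throw instead of returning false
function db_connect(): mysqli {
    $link = mysqli_connect("localhost", "xxxx", "xxxx", "xxxx"); // placeholders, as in the question
    mysqli_set_charset($link, 'utf8mb4'); // escaping/binding is only safe once the charset is known
    return $link;
}

// Returns the message to show the user; failure details go to the error log, not the browser.
function sign_up(mysqli $link, string $email, string $password): string {
    if ($email === '')    { return 'Email address is required.'; }
    if ($password === '') { return 'Password is required.'; }
    // bcrypt ("blowfish"): slow by design, salt stored inside the hash; only the first 72 bytes count.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    try {
        // A UNIQUE index replaces the SELECT-then-INSERT check, which two concurrent
        // sign-ups could both pass.
        $stmt = mysqli_prepare($link, 'INSERT INTO `users` (`email`, `password`) VALUES (?, ?)');
        mysqli_stmt_bind_param($stmt, 'ss', $email, $hash);
        mysqli_stmt_execute($stmt);
        return 'You have been signed up!';
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) { // ER_DUP_ENTRY
            return 'That email address has already been taken.';
        }
        error_log('sign-up failed: ' . $e->getMessage()); // what mysqli_error() would have told the asker
        return 'There was a problem signing you up - please try again later.';
    }
}

// Login: fetch by email only and compare in PHP, so the password never appears in
// the WHERE clause (the timing-attack point from the comments).
function login(mysqli $link, string $email, string $password): bool {
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_BCRYPT); // computed once, used for unknown emails
    $stmt = mysqli_prepare($link, 'SELECT `password` FROM `users` WHERE `email` = ?');
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = (bool) mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    // Verify against a dummy hash when the email is unknown so both paths take similar time.
    return password_verify($password, $found ? $hash : $dummy) && $found;
}
```

Call `sign_up(db_connect(), $_POST['email'] ?? '', $_POST['password'] ?? '')` from the form handler and echo the returned message; the original `SELECT id ... WHERE email = ...` check is no longer needed once the database enforces uniqueness.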
