1

I setup this signup form for my website. People enter their username, email and password and then it uses php to add it to my database. But I keep getting this error when I run my code. My html file is on my AWS server as well as this PHP file, so I believe there must be an error in my code. I am still very new to PHP.

HTML:

<form method="get" action="signup_form.php">
    <input style="width: 300px; display: block; margin-left: auto; margin-right: auto;" type="text" name="signup_name" placeholder="Screen Name">
    <br>
    <input style="width: 300px; display: block; margin-left: auto; margin-right: auto;" type="text" name="signup_mail" placeholder="Your E-mail">
    <br>
    <input style="width: 300px; display: block; margin-left: auto; margin-right: auto;" type="password" name="signup_password" id = "password" placeholder="Create Password" required>
    <br>
    <input style="width: 300px; display: block; margin-left: auto; margin-right: auto;" type="password" name="confirm_password" id = "confirm_password" placeholder="Repeat Password" required>
    <br>
    <br>
    <button onclick="validatePassword()" class="button" style="display: block; margin-left: auto; margin-right: auto;" type="submit" name="submit_login">
        SUBMIT
    </button>


</form>

and here is my PHP code:

<?php
$signup_name = filter_input(INPUT_GET, 'signup_name');
$signup_mail = filter_input(INPUT_GET, 'signup_mail');
$signup_password = filter_input(INPUT_GET, 'signup_password');

if (!empty($signup_name)){
if (!empty($signup_mail)){
    $host = "wildwea.......onaws.com";
    $dbusername = "a....in";
    $dbpassword = ".Bi....4.";
    $dbname = "innodb";
 // Create connection
    $conn = new mysqli ($host, $dbusername, $dbpassword, $dbname);
    if (mysqli_connect_error()){
        die('Connect Error ('. mysqli_connect_errno() .') '
            . mysqli_connect_error());
    }
    else{

        $sql = "SELECT EXISTS (SELECT 1 FROM Users WHERE Email = $signup_mail);"
        if ($sql = 0){

            $sql = "INSERT INTO Users (Username, Email, Pword)
            values ('$signup_name', '$signup_mail',md5('$signup_password'))";

            if ($conn->query($sql)){
                echo "New record is inserted sucessfully";
            }
            else{
                echo "Error: ". $sql ."
                ". $conn->error;
            }
            $conn->close();
        } else {
            echo "User already in database";
        }
    }
}
else{
    echo "Password should not be empty";
    die();
}
}
else{
    echo "Username should not be empty";
    die();
}
?>

If you want to see the error here is the link to the sign up page: http://thewildwear.com/signup.html

EatSleepCode
  • 452
  • 7
  • 21
  • 4
    You should add the error to your question as plaintext. – GrumpyCrouton Jun 13 '19 at 16:48
  • 4
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jun 13 '19 at 16:48
  • 3
    MD5 is considered broken for security purposes and is not sufficient for password hashing. Use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php) instead. – Alex Howansky Jun 13 '19 at 16:48
  • You should post those values. – Don't Panic Jun 13 '19 at 16:53
  • That's just a 500 server error. It is very generic and doesn't tell you anything. Log in to your hosting account and check the logs. Also, turn on error reporting: http://stackoverflow.com/q/5438060/296555 and http://stackoverflow.com/q/14578243/296555. – waterloomatt Jun 13 '19 at 17:00
  • Missing semi-colon at the end: `$sql = "SELECT EXISTS (SELECT 1 FROM Users WHERE Email = $signup_mail);"`. Assignment Vs. comparison: `if ($sql = 0){...`. Invalid SQL `SELECT EXISTS...` but you're not actually issuing a query there anyways. + Sending credentials over GET request is a no-no too. – waterloomatt Jun 13 '19 at 17:02
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text** or a weak hash like **SHA1 or MD5**. – tadman Jun 13 '19 at 17:25
  • I'm watching a Laravel tutorial rn! :D – EatSleepCode Jun 13 '19 at 18:26

1 Answers1

0

We can't see your specific error (looks like there might be multiple) so we won't be able to help you out there. But I could make a suggestion about how to structure your script.

Caveat - this really isn't a good approach for anything but the smallest of applications or for learning.

The main idea is that there is only 1 script and it has processing and display sections. It will only go into the processing section when the form is actually submitted.

If there are any validation errors, it will fall through to the display section and list out the errors and the form.

If there are no validation errors, it will save to the DB and redirect to some other page.

As you develop bigger (and better) applications, you might find that this type of coding will quickly become unwieldy - you're mixing validation, SQL, views/display, etc. all in a single script. They will become more complex and before long you'll have a big ball of spaghetti. Once you hit this point, start looking into frameworks.

But for now, keep on going. Good luck. 

<?php

// A list of validation errors. Initialize to an empty list.
$errors = [];

/****************************/
/******** PROCESSING ********/
/****************************/
// The form was submitted
if ($_SERVER['REQUEST_METHOD'] === 'POST') {

    // Values submitted from form
    $name = $_POST['signup_name'];
    $email = $_POST['signup_mail'];
    $password = $_POST['signup_password'];

    // Validation
    if (empty($name)) {
        $errors[] = 'Please enter your name';
    }

    if (empty($email)) {
        $errors[] = 'Please enter your email';
    }

    // ... check if email already exists in your DB.

    // ... more validation here

    // There are no validation errors, process the form.
    if (empty($errors)) {
        // At this point, you now have a valid form. Just save it to the DB.

        // Redirect to somewhere
    }
}

/****************************/
/********** DISPLAY *********/
/****************************/
if (count($errors) > 0) : ?>
    <ul>
        <?php foreach ($errors as $error): ?>
            <li><?php echo $error; ?></li>
        <?php endforeach; ?>
    </ul>
<?php endif; ?>

<!-- Use "post" and remove action and it will post to itself. -->
<form method="post">
    <!-- ... -->
waterloomatt
  • 3,662
  • 1
  • 19
  • 25