When I entered details like username, email, password and password confirmation on the signup page, it didn't insert into the database. Here is my code:

server.php

<?php
    session_start();

    // initializing variables

    $username = "";
    $email    = "";
    $errors = array(); 

    // connect to the database

    $db = mysqli_connect('127.0.0.1', 'root', '', 'techdrive');

    // REGISTER USER

    if (isset($_POST['signup'])) {

      // receive all input values from the form

      $username = mysqli_real_escape_string($db, $_POST['username']);
      $email = mysqli_real_escape_string($db, $_POST['email']);
      $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
      $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

      // form validation: ensure that the form is correctly filled by adding (array_push()) corresponding error unto $errors array

      if (empty($username)) { array_push($errors, "Username is required"); }
      if (empty($email)) { array_push($errors, "Email is required"); }
      if (empty($password_1)) { array_push($errors, "Password is required"); }
      if ($password_1 != $password_2) {
        array_push($errors, "The two passwords do not match");
      }

      // first check the database to make sure a user does not already exist with the same username and/or email

      $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
      $result = mysqli_query($db, $user_check_query);
      $user = mysqli_fetch_assoc($result);

      if ($user) { // if user exists
        if ($user['username'] === $username) {
          array_push($errors, "Username already exists");
        }

        if ($user['email'] === $email) {
          array_push($errors, "email already exists");
        }
      }

      // Register user if there are no errors in the form
      if (count($errors) == 0) {
        $password = md5($password_1); 

        //encrypt the password before saving in the database

        $query = "INSERT INTO users (username, email, password) 
                  VALUES('$username', '$email', '$password')";
        mysqli_query($db, $query);
        $_SESSION['username'] = $username;
        $_SESSION['success'] = "You are now logged in";
        header('location: ..\index.html');
      }
    }

    // LOGIN USER

    if (isset($_POST['login'])) {
      $username = mysqli_real_escape_string($db, $_POST['username']);
      $password = mysqli_real_escape_string($db, $_POST['password']);

      if (empty($username)) {
        array_push($errors, "Username is required");
      }
      if (empty($password)) {
        array_push($errors, "Password is required");
      }

      if (count($errors) == 0) {
        $password = md5($password);
        $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
        $results = mysqli_query($db, $query);
        if (mysqli_num_rows($results) == 1) {
          $_SESSION['username'] = $username;
          $_SESSION['success'] = "You are now logged in";
          header('location: ..\index.html');
        }else {
          array_push($errors, "Wrong username/password combination");
        }
      }
    }

    ?>
    As long as you use prepared and bound queries, you don't need all that mysqli_real_escape stuff. – Strawberry Aug 19 '19 at 10:57
    Do not use MD5 for passwords. Use `password_hash()` – Dharman Aug 19 '19 at 11:00
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Aug 19 '19 at 11:43
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Aug 19 '19 at 11:43
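The points raised in the comments above (bound parameters instead of escaping, `password_hash()` instead of MD5, no escaping of the password before hashing), as an added example that is not code from the question or the answer. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (the DSN is an assumption; the `users` table and its columns follow the question), and it turns on exception error mode so a failing INSERT like the one asked about is reported instead of silently ignored.

```php
<?php
// Added example, not from the question or the answer: the signup/login flow with
// bound parameters and password_hash(). PDO + in-memory SQLite so it runs stand-alone;
// swap the DSN for MySQL in practice, the prepared-statement pattern is the same.
$db = new PDO('sqlite::memory:');
// Throw on SQL errors instead of failing silently (the original never checked mysqli_query's result).
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT UNIQUE, password TEXT)');

function register(PDO $db, string $username, string $email, string $password1, string $password2): array {
    $errors = [];
    if ($username === '') { $errors[] = 'Username is required'; }
    if ($email === '') { $errors[] = 'Email is required'; }
    if ($password1 === '') { $errors[] = 'Password is required'; }
    if ($password1 !== $password2) { $errors[] = 'The two passwords do not match'; }
    if ($errors) { return $errors; }

    // Placeholders: user input never becomes part of the SQL text, so no escaping is needed.
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :u OR email = :e LIMIT 1');
    $stmt->execute([':u' => $username, ':e' => $email]);
    if ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        if ($row['username'] === $username) { $errors[] = 'Username already exists'; }
        if ($row['email'] === $email) { $errors[] = 'Email already exists'; }
        return $errors;
    }

    // Hash the raw password (no escaping or other cleansing first); PASSWORD_DEFAULT is currently bcrypt.
    $hash = password_hash($password1, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (:u, :e, :p)');
    $stmt->execute([':u' => $username, ':e' => $email, ':p' => $hash]);
    return [];
}

function login(PDO $db, string $username, string $password): bool {
    // Look up by username only; the password is checked against the stored hash, not inside the SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

// Constructed sample input: a fresh signup, a duplicate username, a good login,
// and a login whose username contains a quote (treated as plain data by the bound parameter).
var_dump(register($db, 'alice', 'alice@example.com', 'correct horse', 'correct horse'));
var_dump(register($db, 'alice', 'other@example.com', 'x', 'x'));
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, "alice' OR '1'='1", 'anything'));
```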

1 Answer

$dbName = "your database name"; 
// the database name is the fourth argument of mysqli_connect (the fifth is the port)
$db = mysqli_connect('127.0.0.1', 'root', '', $dbName);

and then use `echo $query; die;` in order to check your query.
