I have recently taken upon the challenge to make a full-blown website with a frontend and backend. After I learned quite a bit of PHP and MySQL, I started to program a small sign-up PHP script that interacts with my database to make a row for that person's info. After trying it for the first time, I had 3 big errors each related to the 3 variables I'm trying to put in the table. I've thought about it so much but I can't figure out what's wrong.
Here is the
and a
Viewed 487 times
-1

user2864740

Mason Fuller
- (2) Please add text for code, not images. See https://meta.stackoverflow.com/questions/285551/why-not-upload-images-of-code-on-so-when-asking-a-question – nbk May 24 '20 at 20:50
- (5) Please be careful with this code. It is vulnerable to SQL injection, because you're not using prepared statements – Sander Bakker May 24 '20 at 20:51
- Nothing is relevant to the errors except the GET usage (read error/warning messages closely, and pay attention to reported lines). Perhaps the information was POST’ed instead? Note the relevant focus of the “current problem” in the changed title. It would be beneficial to practice _searching_ for error messages as well. – user2864740 May 24 '20 at 20:56
- It's just a personal learning project so I'm not too scared of SQL injection. And for some reason whenever I tried to paste the code in, it would have no line breaks or anything and it would just be really hard to read. – Mason Fuller May 24 '20 at 20:58
- Also, I know for a fact that the information was a GET request and not a POST. So it's not that. – Mason Fuller May 24 '20 at 20:59
- (1) That is not the point; the point is to make it right from the start, so that SQL injection never occurs. – nbk May 24 '20 at 21:00
- (1) As you can see in the error message, the error is because the `$_GET['username']` var doesn't exist. You can execute `var_dump($_GET)` or `print_r($_GET)` to see all available values. You might not be sending (or might be sending with a different name) the `username` var to the page of your snippet. – JesusValera May 24 '20 at 21:01
- Even ignoring the mitigation of SQL injection (which really shouldn’t be ignored..), SQL placeholders are easier and more consistent to use, and often result in more readable queries as the shape and data are separated. The current string concatenation code is needlessly complicated. 0.02 – user2864740 May 24 '20 at 21:03
2 Answers
1
$_GET, as you might know, is sent and retrieved as part of the URL.
Only problem is, if you go to the page without any $_GET variables sent in the URL, PHP will assume it's been defined when it hasn't, therefore giving you the error.
To answer your question, you'd have to check the request before using said values.
You can do so like this:
```php
if (isset($_GET['username'], $_GET['password'], $_GET['email'])) {
    // Sign user up here
} else {
    // Show the rest of the page
}
```
This checks if the value has been defined in the $_GET request. If you want to make sure there is a value attached to say, $_GET['username'], you can do so like this:
```php
if (isset($_GET['username']) && !empty($_GET['username'])) {
    // Sign user up here
}
```
On a side note, I'd recommend not sending the user's info in the clear like this.
If you do try to register any user information in the future, make sure to read up on proper password security.

ChadDuck
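An added example (not code from the question or from either answer) that combines the presence check from the answer above with the prepared statements the commenters recommend and `password_hash()` for storage. The `login-info` column names, the `sign_up()` helper and the in-memory SQLite database are assumptions made so it runs offline; with MySQL only the PDO DSN changes.

```php
<?php
// Added example. Table columns and the sign_up() helper are assumptions.
// In-memory SQLite (needs the pdo_sqlite extension) keeps it runnable offline;
// for MySQL only the DSN passed to new PDO(...) changes.

function sign_up(PDO $db, array $input): string
{
    // Read each expected field without touching an undefined index.
    $fields = [];
    foreach (['username', 'password', 'email'] as $key) {
        $value = $input[$key] ?? null;
        if (!is_string($value) || $value === '') {
            return "missing field: $key";
        }
        $fields[$key] = $value;
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email';
    }
    // Placeholders keep the query shape fixed; values are bound as data.
    $stmt = $db->prepare(
        'INSERT INTO `login-info` (username, password, email) VALUES (?, ?, ?)'
    );
    // Store a salted hash, never the password itself.
    $hash = password_hash($fields['password'], PASSWORD_DEFAULT);
    $stmt->execute([$fields['username'], $hash, $fields['email']]);
    return 'ok';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `login-info` (username TEXT, password TEXT, email TEXT)');

// Constructed sample requests standing in for $_GET / $_POST.
$requests = [
    [], // page opened with no parameters at all
    ['username' => 'mason', 'password' => 'pw', 'email' => 'bad'],
    ['username' => "x', 'y', 'z'); --", 'password' => 'correct horse', 'email' => 'm@example.com'],
];
foreach ($requests as $request) {
    echo sign_up($db, $request), PHP_EOL;
}

// The quote-laden username is stored as one ordinary value, and the stored
// hash verifies against the original password.
$row = $db->query('SELECT username, password FROM `login-info`')->fetch(PDO::FETCH_ASSOC);
echo $row['username'], PHP_EOL;
var_dump(password_verify('correct horse', $row['password']));
```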
-1
Remove backtick from table login-info

Mfoto94
- (2) The back-tick is an [identifier quote](https://dev.mysql.com/doc/refman/8.0/en/identifiers.html) and is valid syntax for mysql, additionally unrelated to the error messages that are indicated on line 10, 11, and 12 that correspond with the line numbers in the code screenshot. – Will B. May 24 '20 at 21:10