
I want to add a new WordPress user to the table wp_users through an HTML form, but for some reason it just doesn't work. What could be wrong? Do I need to insert other inputs? Or maybe create a different table for this?

This is my HTML code:

```html
 <span class="bottomForm">
            <p style="color:red; font-weight: bold;">
                < חזרה לעגלת הקניות </p> <button class="bottomButton" type="button" onclick="submitForm()"
                    name="save_contact">המשך
                    לאפשרויות משלוח</button>
        </span>

    </form>
    <script type="text/javascript">
        function submitForm() {
            var email = $('input[name=user_email]').val();
            var password = $('input[name=user_pass]').val();
            var formData = {
                email: user_email,
                password: user_pass
            };
            $.ajax({
                url: "http://localhost/quatro/api/submit.php",
                type: 'POST',
                data: formData,
                success: function (response) {

                }
            })

        }
    </script>
```

My PHP code:

```php
$host = "localhost";
$username = "root";
$password = "";

try {
    $conn = new PDO("mysql:host=$host;dbname=quatro", $user_email, $user_pass);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo "Connection failed: " . $e->getMessage();
}

$response = array('success' => false);

if (isset($_POST['user_email']) && $_POST['user_email'] != '' && isset($_POST['user_pass']) && $_POST['user_pass'] != '') {
    $sql = "INSERT INTO wp_users(user_email user_pass,) VALUES('" . addslashes($_POST['user_email']) . "', '" . addslashes($_POST['user_pass']) . "')";

    if ($conn->query($sql)) {
        $response['success'] = true;
    }
}

echo json_encode($response);
```

Ilan Edri
  • Hello. Why are you using PDO if you're doing this in WordPress? Are you unable to use WPDB class? Also, you are inserting unsanitized values and a raw password value into your database. DO NOT do that. Use https://developer.wordpress.org/reference/functions/wp_insert_user/ – Howard E Mar 27 '22 at 11:23
  • I'm quite a beginner in PHP so I'm not really aware of PDO. So my code should be?: ```$conn = new WPDB("mysql:host=$host;dbname=quatro", $username, $password);``` What about this line? wp_insert_user( array|object|WP_User $userdata ) I want to insert the email and password only. – Ilan Edri Mar 27 '22 at 12:47
  • I think [add slashes is not safe for preventing SQL injection](https://stackoverflow.com/questions/860954/examples-of-sql-injections-through-addslashes). Use `prepare()` statement instead. – vee Mar 27 '22 at 13:46
  • As it stands right now... This is not for WordPress. It's unclear how you plan on sending the data to WP. Is the SQL statement part of a WP theme, plugin, or what? This is all aside from the original statement that you're opening yourself up to SQL Injection. – Howard E Mar 27 '22 at 13:50

0 Answers
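An added example, not part of the original question or its comments: one way to create the user through `wp_insert_user()`, as the first comment recommends, instead of writing to `wp_users` with hand-built SQL. It assumes the file is loaded by WordPress as a plugin; the action name `quatro_register`, the nonce name, and the function name are hypothetical.

```php
<?php
/**
 * Plugin Name: Quatro Register (added example; hypothetical name)
 * Assumption: WordPress loads this file as a plugin, so the core API is available.
 */

// Hypothetical action: the form posts to admin-ajax.php with action=quatro_register.
add_action( 'wp_ajax_nopriv_quatro_register', 'quatro_register_user' );

function quatro_register_user() {
    // Reject forged cross-site posts. The page must send
    // wp_create_nonce( 'quatro_register' ) in a field called "nonce".
    check_ajax_referer( 'quatro_register', 'nonce' );

    // Honour the site-wide "Anyone can register" setting.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    // Field names match the ones the question's PHP reads from $_POST.
    $email = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    $pass  = isset( $_POST['user_pass'] ) ? (string) wp_unslash( $_POST['user_pass'] ) : '';

    if ( ! is_email( $email ) || '' === $pass ) {
        wp_send_json_error( 'A valid e-mail address and a password are required.', 400 );
    }

    // Generic message so the endpoint does not confirm which addresses are registered.
    if ( email_exists( $email ) || username_exists( $email ) ) {
        wp_send_json_error( 'Registration failed.', 409 );
    }

    // wp_insert_user() requires a login name; the e-mail address is reused here.
    // It hashes user_pass for new users and writes to wp_users through $wpdb,
    // so no SQL string is assembled from request data.
    $user_id = wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => $pass,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( 'Registration failed.', 400 );
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

The new account receives the site's default role, so that setting should be checked before exposing an unauthenticated registration endpoint.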