This is my Register Page
<?php
session_start();
// include db_connect.php file for database connection
require 'db_connect.php';
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    // get values from form
    $fullName = $_POST['fullName'];
    $email = $_POST['email'];
    $phone = $_POST['phone'];
    $dob = $_POST['dob'];
    $Haddress = $_POST['Haddress'];
    $Daddress = $_POST['Daddress'];
    $password = $_POST['password'];
    $rePassword = $_POST['rePassword'];
    // hash password and store it back in the same variable
    $password = md5($password);
    // hash rePassword and store it back in the same variable
    $rePassword = md5($rePassword);
    // check if password and rePassword are the same
    if ($password != $rePassword) {
        // create a js alert to say password and rePassword are not the same
        echo '<script>alert("Password and Re-Password are not same")</script>';
        // redirect to registration page
        header("location: login.php");
    }
    // send query if email, fullname, password, repassword are not empty
    $sql = "INSERT INTO `register_user` (`username`, `email`, `Passwords`, `DOB`, `HAddress_lane`, `D_address_lane`) VALUES (' $fullName', '$email', '$password', '$dob','$Haddress', '$Daddress')";
    if ($conn->query($sql)) {
        // create a js alert to say successfully registered
        echo '<script>alert("Successfully Registered")</script>';
    }
    else {
        // create a js alert to say error
        echo '<script>alert("Error")</script>';
    }
}
?>
This is the login Page for it
<?php
// destroy previous session
unset($_SESSION['username']);
unset($_SESSION['userid']);
session_start();
// include db_connect.php file for database connection
require 'db_connect.php';
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $username = $_POST['username'];
    $password = $_POST['password'];
    // check that the hashed password in the database matches the password the user entered
    $password = md5($password);
    // send query to validate username and password
    $sql = "SELECT * FROM `register_user` WHERE `username` = ' $username' and `Passwords` = '$password' ";
    $result = $conn->query($sql);
    // check the query result
    if ($result->num_rows > 0) {
        // create a js alert to say successfully logged in
        echo '<script>alert("Successfully Logged In")</script>';
        // session to login user
        $_SESSION['loggedin'] = true;
        $_SESSION['username'] = $username;
        // get user id from username
        $sql = "SELECT User_id FROM `register_user` WHERE `username` = ' $username'";
        // run the query
        $result = mysqli_query($conn, $sql);
        // get the values of the result array and store them in a variable
        $result = mysqli_fetch_array($result);
        // store the result in the session under the name userid
        $_SESSION['userid'] = $result[0];
        // redirect to dashboard in emp-dashbord folder
        header("location: ../emp-dashbord/dashboard.php");
    }
    else {
        // create a js alert to say error
        echo '<script>alert("Invalid Username or Password")</script>';
    }
}
?>
This is the code I used to catch data from the registration page and submit it to the database, and the other one (login) is the page which verifies and logs the user into the system. I need to know whether there is anything that needs to be updated.
real_escape_string($_POST['firstname']);
Also, I need to know how to use this thing for SQL injection.
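
For the two pages above, one way to write the same register and login steps with prepared statements and `password_hash`, together with the `real_escape_string` call the question asks about. This is an added example, not the poster's code: the function names are hypothetical, `$conn` is assumed to be the mysqli object created by `db_connect.php`, and the `Passwords` column is assumed to hold at least 255 characters.

```php
<?php
// Added example: hardened helpers for the register_user table used above.
// Assumes $conn is the mysqli object from db_connect.php and that the
// `Passwords` column is wide enough for password_hash() output.

// Escaping variant the question asks about: real_escape_string is a method of
// the connection, and the escaped value must still sit inside quotes in the SQL.
function find_user_id_escaped(mysqli $conn, string $username): ?int
{
    $safe = $conn->real_escape_string($username);
    $result = $conn->query("SELECT `User_id` FROM `register_user` WHERE `username` = '$safe'");
    $row = $result ? $result->fetch_row() : null;
    return $row ? (int) $row[0] : null;
}

// Preferred variant: a prepared statement keeps user input out of the SQL text.
function register_user(mysqli $conn, array $form): bool
{
    if ($form['password'] === '' || $form['password'] !== $form['rePassword']) {
        return false; // compare the raw inputs before hashing
    }
    $hash = password_hash($form['password'], PASSWORD_DEFAULT); // salted, slow hash instead of md5
    $stmt = $conn->prepare(
        'INSERT INTO `register_user`
            (`username`, `email`, `Passwords`, `DOB`, `HAddress_lane`, `D_address_lane`)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssss', $form['fullName'], $form['email'], $hash,
        $form['dob'], $form['Haddress'], $form['Daddress']);
    return $stmt->execute();
}

// Caller must have called session_start() before this function.
function login_user(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare('SELECT `User_id`, `Passwords` FROM `register_user` WHERE `username` = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($userId, $hash);
    if (!$stmt->fetch() || !password_verify($password, $hash)) {
        return false; // same answer for unknown user and wrong password
    }
    session_regenerate_id(true); // issue a new session id after login
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;
    $_SESSION['userid'] = $userId;
    return true;
}
```

Rows written by the original register page hold md5 hashes and a `username` with a leading space (from `' $fullName'`), so those accounts will not match `login_user` until they are re-registered or migrated.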