
Very new to this; I am currently trying to create a login system for my website. I have created an HTML login form which I plan to use for users to create accounts. I have created a PHP page which has my code to connect to the server, which is shown below.

When I fill in the form I don't get any output. I'm not sure if the PHP code is in the wrong place (it is a separate file) or whether no output is expected. When the form is submitted, the database doesn't seem to change, even when I submit it manually while testing.

My end goal is to be able to add users to the table called users in my database.

Here is my code for my login form:

<body>

        <h2>Sign Up</h2>

        <p></p>

        <form action="Create_User.php" method="post">
            <div class="imgcontainer">
                <img src="http://fc05.deviantart.net/fs70/f/2012/361/1/6/albert_einstein_by_zuzahin-d5pcbug.jpg" alt="Einstein the lad" class="img" />
            </div>

            <div class="container">
                <label><b>Username</b></label>
                <input type="text" placeholder="Please Enter your desired Username" name="username" required />

                <label><b>Password</b></label>
                <input type="password" placeholder="Please Enter Your Desired Password" name="password" required />

                <label><b>Email Address</b></label>
                <input type="email" placeholder="Please Enter Your Email Address" name="email" required />

                <label><b>Date Of Birth</b></label>
                <input type="date" name="date_of_birth" required />

                <label><b>First Name</b></label>
                <input type="text" placeholder="Please Enter your first name" name="first_name" required />

                <label><b>Surname</b></label>
                <input type="text" placeholder="Please Enter your surname" name="surname" required />

            </div>

            <div class="container" style="background-color: #f1f1f1">
                <button type="submit">Sign Up</button>
                <!-- type="button" so this link-style button does not also submit the sign-up form -->
                <button type="button" class="signinbtn" onclick="location.href='/AccountRelatedPages/SignIn.aspx'">Already have an account? Sign in here</button>
            </div>
        </form>

    </body>

Here is the code in my PHP file:

<?php
$servername = "localhost";
$username = "root";
$password = "rootpass";
$dbname = "synther_physics";


$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$sql = "INSERT INTO users (username, password, email, date_of_birth, first_name, surname)
VALUES ('<?php echo $_POST[$username];', '<?php echo $_POST[$password];', '<?php echo $_POST[$email], <?php echo $_POST[$date_of_birth];, <?php echo $_POST[$first_name], <?php echo $_POST[$surname];')";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

Again, I'm very new to all this, so I'm trying my best to get my head around it; please bear that in mind.

Thanks.

  • Your code failed outright. Error reporting and error checking on the query would have said so. You have many errors. Commented Apr 3, 2017 at 14:55
  • There are a variety of potential problems here, but the most immediate one is probably that SQL query. Why are you putting PHP code in SQL? As a quick fix, remove all of that PHP code in that string and just use the variables you're trying to use. But this is open to SQL injection. So better yet, since you're using mysqli, take a look at a tutorial on using prepared statements with query parameters. Commented Apr 3, 2017 at 14:56
  • Your code is unsafe to use, especially the plain-text passwords. Do not put this online. I'd call it a "blessing in disguise" that your code failed. Use a prepared statement and password_hash() / password_verify(). Commented Apr 3, 2017 at 14:56
  • @DanielTurville Daniel, if you're going to just "test" things out, I highly suggest that you don't start testing using unsafe practices. Plus, you'd only be doing more work / spending more time afterwards rewriting your code using what I mentioned above. You plan on doing a register/login site; start off on the right foot. Commented Apr 3, 2017 at 15:07
  • Btw, this: '<?php echo $_POST[$username];' in VALUES: you're already in PHP, so that's a parse error. Then you have $username; that being undefined, remove the $ from it (and the others) and quote them. The trailing semicolon is an "end of statement" character and stops execution from going any further (a perfectly valid character, but one that should not be part of the query). I'm just showing you what starts off wrong here. Commented Apr 3, 2017 at 15:15

1 Answer

Putting it all together from the comments: SQL injection and password_hash(). For protection against SQL injection you need to use prepared statements. I won't say much; a lot of important things were said in the comments, and I hope you went through them all, because I did.

This is how your code should look:

<?php
// Connection settings, kept under their own names so the form fields read
// below cannot overwrite them.
$servername = "localhost";
$db_user    = "root";
$db_pass    = "rootpass";
$dbname     = "synther_physics";

// Validate user inputs
$username = $_POST['username'];
$password = $_POST['password'];

// Store only the hash; check it at login with password_verify()
$hash = password_hash($password, PASSWORD_DEFAULT);

$email = $_POST['email']; // VALIDATE the email
$dob   = $_POST['date_of_birth'];
$fname = $_POST['first_name'];
$sname = $_POST['surname'];

$conn = new mysqli($servername, $db_user, $db_pass, $dbname);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Placeholders: the values are sent separately from the SQL, so user input
// can never change the structure of the statement.
$sql = "INSERT INTO users (username, password, email, date_of_birth, first_name, surname)
VALUES (?,?,?,?,?,?)";

$stmt = $conn->prepare($sql);
if ($stmt === false) {
    die("Prepare failed: " . $conn->error);
}

$stmt->bind_param("ssssss", $username, $hash, $email, $dob, $fname, $sname);

if ($stmt->execute()) {
    echo "New record created successfully";
} else {
    echo "Error : " . $stmt->error; // on dev mode only
    // echo "Error, please try again later"; //live environment
}

$stmt->close();
$conn->close();
?>

Edit:

If your PHP is in the same file as the HTML, then to avoid undefined-index notices you will need to check whether the form was submitted before processing it. What you need to do is give your form's submit button a name attribute, then check whether the form was submitted:

<?php
// Connection settings, kept under their own names so the form fields read
// below cannot overwrite them.
$servername = "localhost";
$db_user    = "root";
$db_pass    = "rootpass";
$dbname     = "synther_physics";

// Only process the form when the submit button (name="buttonName") was pressed
if (isset($_POST['buttonName'])) {

    // Validate user inputs
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Store only the hash; check it at login with password_verify()
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $email = $_POST['email']; // VALIDATE the email
    $dob   = $_POST['date_of_birth'];
    $fname = $_POST['first_name'];
    $sname = $_POST['surname'];

    $conn = new mysqli($servername, $db_user, $db_pass, $dbname);

    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    // Placeholders must not be quoted: '?,?,?,?,?,?' would be one string literal
    // with no parameters, and bind_param() would fail.
    $sql = "INSERT INTO users (username, password, email, date_of_birth, first_name, surname)
    VALUES (?,?,?,?,?,?)";

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        die("Prepare failed: " . $conn->error);
    }

    $stmt->bind_param("ssssss", $username, $hash, $email, $dob, $fname, $sname);

    if ($stmt->execute()) {
        echo "New record created successfully";
    } else {
        echo "Error : " . $stmt->error; // on dev mode only
        // echo "Error, please try again later"; //live environment
    }

    $stmt->close();
    $conn->close();
}
?>

Also, you need to check that the fields are set and not empty.
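As an added example (not the answer's or the asker's code), the following handler ties together the points raised in the comments and the answer: every field is checked to be present and non-empty, the e-mail and date are validated, the password is stored only as a password_hash() output, the insert uses a bound prepared statement, and database errors go to the server log rather than to the browser. It assumes the field names from the question's form, placeholder database credentials, and a users.password column wide enough (VARCHAR(255)) for any hash.

```php
<?php
// Added example, not the answer's own code. Field names match the question's form;
// the DB user/password are placeholders, and the users.password column is assumed
// to be VARCHAR(255) so any password_hash() output fits.

/** Check every field is present and non-empty, then validate the e-mail and date. */
function validateRegistration(array $post): array
{
    $errors = [];
    foreach (['username', 'password', 'email', 'date_of_birth', 'first_name', 'surname'] as $f) {
        if (!is_string($post[$f] ?? null) || trim($post[$f]) === '') {
            $errors[] = "Missing field: $f";
        }
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address';
    }
    // '!' resets unspecified fields; the round-trip compare rejects overflows such as 2017-02-30.
    $dob = DateTime::createFromFormat('!Y-m-d', $post['date_of_birth']);
    if ($dob === false || $dob->format('Y-m-d') !== $post['date_of_birth']) {
        $errors[] = 'Date of birth must be a valid YYYY-MM-DD date';
    }
    return $errors ? ['ok' => false, 'errors' => $errors] : ['ok' => true, 'fields' => $post];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {            // a plain GET has nothing to process
    $result = validateRegistration($_POST);
    if (!$result['ok']) {
        http_response_code(400);
        exit(htmlspecialchars(implode(' ', $result['errors'])));
    }
    $in   = $result['fields'];
    $hash = password_hash($in['password'], PASSWORD_DEFAULT);   // never store the plain text
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // mysqli failures throw instead of returning false
    try {
        // Credentials have their own names, so form input can never overwrite them.
        $conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'synther_physics');
        $stmt = $conn->prepare('INSERT INTO users (username, password, email, date_of_birth, first_name, surname) VALUES (?, ?, ?, ?, ?, ?)');
        $stmt->bind_param('ssssss', $in['username'], $hash, $in['email'], $in['date_of_birth'], $in['first_name'], $in['surname']);
        $stmt->execute();
        echo 'Account created';
    } catch (mysqli_sql_exception $e) {
        error_log('register: ' . $e->getMessage());              // details to the server log only
        http_response_code(500);
        echo 'Registration failed, please try again later';      // nothing about the DB reaches the client
    }
}
```

A duplicate username surfaces as a mysqli_sql_exception from execute() (a UNIQUE constraint on users.username is assumed for that), so it is logged and reported generically like any other failure.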


6 Comments

  • Thank you very much for this; however, I think I need to make sure that I understand all of the aspects before using it. I'll break it down and go through it now. Thank you again.
  • You're welcome; if there is anything you need clarity on, feel free to ask me.
  • @MasivuyeCokile You decided to do a rewrite after all :-) Bit of a sidenote here, since the OP did comment up there on possibly using the entire code in one file. It would be best in either case to check that a submit is set and that any inputs are not left empty. This, as per the comment I left... earlier.
  • @MasivuyeCokile Cool. Another thing, though, that the OP should be made aware of and that should be included in the answer, is that the password column needs to be 60+ in length. As you may know, the manual says that 255 is a good bet ;-) They have a lot to learn.
  • @Fred-ii- Totally off-topic question, hope you don't mind me asking, but I've created this demo 'project' website in ASP.NET and I am trying to code it like this. When I started I really wasn't sure what all of it meant, but I feel like it doesn't really work together. Am I correct in saying this, or am I actually doing it properly? My final goal is a revision website where people can log in to take tests and their scores can be saved in the database. Will plain HTML pages work fine if the rest of the website is created using ASP?
