1

I have set up a simple site that allows the user to login and register. I'm using a MySQL database to store the login details in the columns of a table. I will provide more details, but basically, I have gotten the login page to work, it connects to the database properly and either logs in or notifies the user that their login details are invalid. My problem is that the register page won't register users. I'm not extremely good at php but I am decent at it, I was able to make the login page work and I have done research and can't figure out why the register page won't work.

Code I used to create my database:

    CREATE TABLE `users` (
`id` INT NOT NULL auto_increment ,
`username` VARCHAR( 20 ) NOT NULL ,
`password` VARCHAR( 20 ) NOT NULL ,
`fullname` VARCHAR( 20 ) NOT NULL ,
`email` VARCHAR( 20 ) NOT NULL,
`ip` VARCHAR( 20 ) NOT NULL,
PRIMARY KEY ( `id` )
)​

Code I used to connect to the database and register: (It is messy & simple, keep in mind that all I am trying to do is have it inject into the db properly, once I have gotten that down, I can easily add a lot more)

FYI, I changed the actual details for connection to my MySQL server to fake stuff for the purpose of this post. For me I have the real details, and it does successfully connect and the login script works, just not the register script. The issue is not that it won't connect, it's just that it won't inject the user submitted info into the respective columns in the table "users". Also, I cut out the part with the if statements for the submit button being pressed and etc, because again those parets aren't related to the problem.

<?php session_start(); ?>
    <?php
        ob_start();
        //Defining server variables
        $host ="000webhost.com";
        $username ="username1";
        $password ="pass1";
        $db_name = "database1";
        $tbl_name ="users";

        // Connect to server and select databse.
         mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
         mysql_select_db("$db_name")or die("cannot select DB");

        // Define register variables 
         $myusername=$_SESSION['myusername']; 
         $mypassword=$_SESSION['mypassword'];
         $myemail=$_SESSION['myemail'];
         $myname=$_SESSION['myname'];
         $myip=$_SERVER['REMOTE_ADDR'];


         $sql="INSERT INTO users (username,password,fullname,email,ip)VALUES('$myusername','$mypassword','$myname','$myemail','$myip')";
         $_SESSION['registersuccess'] = "Registration success"
         header('location:index.php');
         ob_end_flush();
    ?>
   ?>​

I'm obviously do something wrong because when I run this code on my MySQL query than it injects into the table but when I try use php for it than it doesn't. Not sure what I am doing wrong, that is where I need the help. Thanks in advance, and any help would be very greatly appreciated.

Alive to die - Anant
  • 70,531
  • 10
  • 51
  • 98
John Thomas
  • 11
  • 3
  • 3
    You are not executing the SQL statement. You have to use `mysql_query` (http://php.net/manual/en/function.mysql-query.php) – Alvaro Flaño Larrondo Jun 15 '15 at 19:09
  • You are missing a semicolon after ````$_SESSION['registersuccess'] = "Registration success"```` Not that it has anything to do with the problem I just noticed it. – Szenis Jun 15 '15 at 19:09
  • 2
    By the way, the PHP mysql library is not longer recommended to use. Use instead PDO or mysqli. – Alvaro Flaño Larrondo Jun 15 '15 at 19:10
  • Also notice the massive red warning on that link @AlvaroFlañoLarrondo referenced.. – CᴴᵁᴮᴮʸNᴵᴺᴶᴬ Jun 15 '15 at 19:10
  • Thank you Szenis, the problem occurs at the $sql line but you are right and I will fix that – John Thomas Jun 15 '15 at 19:11
  • 1
    Also maybe worth mentioning in re. best practices... http://php.net/manual/en/faq.passwords.php – ficuscr Jun 15 '15 at 19:13
  • 1
    You should *not* store the password inside the database! In case your system is compromised all user accounts are wide open and typically you won't even know that your system has been compromised. Actually there is absolutely no reason to store the password in the database. What you should store is a hash of the password. A salted hash created by a secure algorithm. Then, when authenticating someone, your hash the provided password and compare that hash to the stored version. – arkascha Jun 15 '15 at 19:15
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 15 '15 at 19:21
  • [Don't limit passwords](http://jayblanchard.net/security_fail_passwords.html) and [use the proper methods to hash passwords with PHP](http://jayblanchard.net/proper_password_hashing_with_PHP.html). – Jay Blanchard Jun 15 '15 at 19:21
  • [Your script is at risk for SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jun 15 '15 at 19:21

3 Answers3

0

I copied the example from the PHP documentation. But rememeber don't use mysql library use mysqli or PDO instead. 

<?php
    $result = mysql_query($sql);
    if (!$result) {
        die('Invalid query: ' . mysql_error());
    }  
    mysql_close();  
?>
Alvaro Flaño Larrondo
  • 5,516
  • 2
  • 27
  • 46
0

1. You should use object oriented MySQL

answer why

main reason: MySQL is deprecated since PHP 5.5.5

$mysqli = new mysqli($host, $username, $password, $db_name);

documentation

2. Wrong query?

INSERT INTO users (username,password,fullname,email,ip)VALUES('$myusername','$mypassword','$myname','$myemail','$myip')

I think, it's caused by missing spaces around VALUES word

Also you forgot to execute the query

3. Print error

You can print Query error by

MySQL (< PHP 5.5.0)

mysql_error()

MySQLi (>= PHP 5)

$mysqli->error
Community
  • 1
  • 1
jmeinlschmidt
  • 1,446
  • 2
  • 14
  • 33
  • Actually mysqli is available for any version of PHP >= 5, not just PHP > 5.5, and I doubt anyone still uses PHP 4. – Mike Jun 15 '15 at 19:21
  • 1
    I would skip mysqli and go for pdo instead, its just nicer, and potentially makes migration simpler, if you switch from mysql – EJTH Jun 15 '15 at 19:21
  • I'm sorry about that version, it was my mistake – jmeinlschmidt Jun 15 '15 at 19:25
0

Fixed end of line and added the query, here is your working code good sir:

<?php 
 session_start();
 ob_start();

 // Connect to server and select databse.
 mysql_connect("000webhost.com", "username1", "pass1")or die("cannot connect"); 
 mysql_select_db("database1")or die("cannot select DB");

 // Define register variables 
 $myusername=$_SESSION['myusername']; 
 $mypassword=$_SESSION['mypassword'];
 $myemail=$_SESSION['myemail'];
 $myname=$_SESSION['myname'];
 $myip=$_SERVER['REMOTE_ADDR'];


 mysql_query("INSERT INTO users (username,password,fullname,email,ip)VALUES('$myusername', '$mypassword', '$myname', '$myemail', '$myip')");
 $_SESSION['registersuccess'] = "Registration success";
 header('location:index.php');
 ob_end_flush();
?>

Please DO NOT forget to sanitize your input first.

Solrac
  • 924
  • 8
  • 23