php register form not updating database

Question

So when I sign into my website with existing DB credentials, it logs in perfectly, redirects me to a Welcome.php page and where "Login/register" text usually sits, it now displays the username there, similar to this:

welcome (username) Logout.

Now that all works great. But here is my problem:

I have a register script that once submitted, also redirects me to my Welcome.php page upon a successful registration. BUT the "Login/register" text does not change, (essentially meaning no one is logged in) AND when i check my database, there are no new entries.

To confirm - I can fill out my signup sheet and click "Signup", then i'm redirected to a Welcome.php page... but nothing has changed (no new credentials stored in the db and nothing other than a page redirect)

My new_signup.php script is as follows:

<?php
include "scripts/connection.php";

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $myusername = mysqli_real_escape_string($link,$_POST['Username']);
    $myname = mysqli_real_escape_string($link,$_POST['Name']);
    $mypassword = mysqli_real_escape_string($link,$_POST['Password']);
    $myemail = mysqli_real_escape_string($link,$_POST['Email']);
    $myaddress = mysqli_real_escape_string($link,$_POST['Address']);
    $mypostcode = mysqli_real_escape_string($link,$_POST['Postcode']);

    //Checks the database to see if username exists already
    $query = "SELECT * FROM Customer WHERE Customer_Username = '$myusername'";
    $result = mysqli_query($link, $query);
    $nums = mysqli_num_rows($result);

    //Checks the database to see if email address exists already
    $query2 = "SELECT * FROM Customer WHERE Customer_Email = '$myemail'";
    $result2 = mysqli_query($link, $query2);
    $nums2 = mysqli_num_rows($result2);

    if ($nums >= 1)
        //informs user if username already exists
        echo "Username already exists, click <a href = 'user_login.php'>HERE </a> to try again";

    else if ($nums2 >=1)

        //informs user if email already exists
        echo "Email Address already exists, click <a href = 'user_login.php'>HERE </a> to try again";

    else {

        $insert = 'INSERT INTO Customer 
                    (Customer_Username, Customer_Name, 
                    Customer_Password, Customer_Email, Customer_Address, 
                    Customer_Postcode) 
                    VALUES("'.$myname.'","'.$myusername.'","'.$mypassword.
                    '","'.$myemail.'","'.$myaddress.'","'.$mypostcode.'")';

        mysqli_query($link, $insert);
        mysqli_close($link);

        if($insert) {
            $_SESSION['message'] = "Registration Successful";
            header("Location: /Welcome.php");           
        } else {
             $_SESSION['message'] = "Something went wrong";
        }   

    }
}
?>

So what I need to happen is for a user to sign up, be redirected to the welcome.php page and for credentials to be stored in the DB. There are also checks to see if emails/usernames already exist.

Just to add, my login.php script and the above new_signup.php are separate php files. Not sure if doing it my way is easier than keeping both the login and signup scripts in one file

I have triple checked all of my DB fields are correct along with the form fields too. Happy to provide more details if needed.

Thank you for your time.

UPDATE

I have updated the code to show {} and added in some suggested comments, All i get know when I click signup is a white screen.

<?php
    include "scripts/connection.php";
    error_reporting(E_ALL);
ini_set('display_errors', 1);


    if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $myusername = mysqli_real_escape_string($link,$_POST['Username']);
    $myname = mysqli_real_escape_string($link,$_POST['Name']);
    $mypassword = mysqli_real_escape_string($link,$_POST['Password']);
    $myemail = mysqli_real_escape_string($link,$_POST['Email']);
    $myaddress = mysqli_real_escape_string($link,$_POST['Address']);
    $mypostcode = mysqli_real_escape_string($link,$_POST['Postcode']);

    //Checks the database to see if username exists already
    $query = "SELECT * FROM Customer WHERE Customer_Username = '$myusername'";
    $result = mysqli_query($link, $query);
    $nums = mysqli_num_rows($result);

//Checks the database to see if email address exists already
    $query2 = "SELECT * FROM Customer WHERE Customer_Email = '$myemail'";
    $result2 = mysqli_query($link, $query2);
    $nums2 = mysqli_num_rows($result2);

    if ($nums >= 1) {
            //informs user if username already exists
     echo "Username already exists, click <a href = 'user_login.php'>HERE </a> to try again";

        }

    else if ($nums2 >=1) {
            //informs user if email already exists
    echo "Email Address already exists, click <a href = 'user_login.php'>HERE </a> to try again";

         }else{

    $insert = "INSERT INTO Customer (Customer_Username, Customer_Name, Customer_Password, Customer_Email, Customer_Address, Customer_Postcode) 
    VALUES('$myname', '$myusername', '$mypassword', '$myemail', '$myaddress', '$mypostcode')";

         }

        $insertCheck = mysqli_query($link, $insert);

        if($insertCheck) {

            $_SESSION['message'] = "Registration Successful";

            header("Location: /Welcome.php");  exit();

        } else {
             $_SESSION['message'] = "Something went wrong";
        }   
    }

?>

Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) — RiggsFolly, Jan 21 '17 at 10:36
My guess: In your login you set something into $_SESSION to indicate logged in. But you are not doing that in the register script — RiggsFolly, Jan 21 '17 at 10:38
*it logs in perfectly, redirects me to a Welcome.php page and where "Login/register" text usually sits*, I don't understand this thing, what's the point of showing *Login/register* text when you've already logged in? If you're able to log in, it means you're already a registered member, and that's why you're able to log in. — Rajdeep Paul, Jan 21 '17 at 10:39
`if($insert)`- this will always be true, dont you mean `if(mysqli_query($link, $insert);` — Mihai, Jan 21 '17 at 10:39
Suggestion: Even if an if contains only one line use the brackets to signify start and finish of the IF or ELSE `{ .. }` — RiggsFolly, Jan 21 '17 at 10:39
Always a good habit to add an `exit;` after a `header('Location: ...');` as the rest of the PHP can still be executed. — Tigger, Jan 21 '17 at 10:42
Sorry guys maybe I should have been slightly more clear, when i log in with an existing credential thats stored in the db, my $_SESSION works fine, disaplying "welcome (username) logout? I click logout and user is logged out, and now it displays "Login/signup" which is what i want. That works fine, my problem is that when i run the above code, all that happens is it loads my welcome.php fine, but nothing has updated in my db,.,, I h ave no idea why Regarding all of your comments: I am implementing {} on all of the if statements now, rookie mistake sorry//. — Tipping44, Jan 21 '17 at 11:01
Your insert query values are delimited with double quotes rather than single, that won't work. — James, Jan 21 '17 at 12:52
@James Do you mean here: $insert = 'INSERT INTO Customer (Customer_Username, Customer_Name, Customer_Password, Customer_Email, Customer_Address, Customer_Postcode) VALUES("'.$myname.'","'.$myusername.'","'.$mypassword.'","'.$myemail.'","'.$myaddress.'","'.$mypostcode.'")'; — Tipping44, Jan 21 '17 at 13:36

score 0 · Answer 1 · answered Jan 21 '17 at 11:13

Little edits and you might want to filter your sql queries to prevent injections:

<?php
session_start();
include "scripts/connection.php";

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $myusername = mysqli_real_escape_string($link,$_POST['Username']);
    $myname = mysqli_real_escape_string($link,$_POST['Name']);
    $mypassword = mysqli_real_escape_string($link,$_POST['Password']);
    $myemail = mysqli_real_escape_string($link,$_POST['Email']);
    $myaddress = mysqli_real_escape_string($link,$_POST['Address']);
    $mypostcode = mysqli_real_escape_string($link,$_POST['Postcode']);

    //Checks the database to see if username exists already
    $query = "SELECT * FROM Customer WHERE Customer_Username = '$myusername'";
    $result = mysqli_query($link, $query);
    $nums = mysqli_num_rows($result);

    //Checks the database to see if email address exists already
    $query2 = "SELECT * FROM Customer WHERE Customer_Email = '$myemail'";
    $result2 = mysqli_query($link, $query2);
    $nums2 = mysqli_num_rows($result2);

    if ($nums >= 1)
        //informs user if username already exists
        echo "Username already exists, click <a href = 'user_login.php'>HERE </a> to try again";

    else if ($nums2 >=1)

        //informs user if email already exists
        echo "Email Address already exists, click <a href = 'user_login.php'>HERE </a> to try again";

    else {

        $insert = 'INSERT INTO Customer 
                    (Customer_Username, Customer_Name, 
                    Customer_Password, Customer_Email, Customer_Address, 
                    Customer_Postcode) 
                    VALUES("'.$myname.'","'.$myusername.'","'.$mypassword.
                    '","'.$myemail.'","'.$myaddress.'","'.$mypostcode.'")';

        $insertCheck = mysqli_query($link, $insert);
        mysqli_close($link);

        if($insertCheck) {
            $_SESSION['message'] = "Registration Successful";
            header("Location: /Welcome.php");           
        } else {
             $_SESSION['message'] = "Something went wrong";
        }   

    }
}
header("Location: /registerview.php");//-->assuming your registration view

?>

thanks! Tried implimented your answer and im getting a white page now ? — Tipping44, Jan 21 '17 at 11:22

score 0 · Answer 2 · answered Jan 21 '17 at 17:56

0

Change

$insert = 'INSERT INTO ... VALUES ("'.$myname.'", ...

to

$insert = "INSERT INTO ... VALUES ('".$myname."', ...

(switching single for double quotes and vice versa)

answered Jan 21 '17 at 17:56

James

20,957
5
26
41

php register form not updating database

2 Answers2

Linked