After the person logged in to the session, I want to update his bio. It's a small project for about 20 people so I am not worried about SQL injection.
There are two pages, the first being the signup/login, and the other one being the profile. I want to update the bio on the profile page. After I click the update button, it redirects to the correct page but there is no change in the database.
//This is the signup server side
$db = mysqli_connect('localhost', 'root', '', 'pt');
if (isset($_POST['reg_user'])) {
$firstname = mysqli_real_escape_string($db, $_POST['firstname']);
$lastname = mysqli_real_escape_string($db, $_POST['lastname']);
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password_1 = $_POST['password_1'];
$password_2 = $_POST['password_2'];
$sex = mysqli_real_escape_string($db, $_POST['sex']);
if ($sex == "Select Sex:") {
array_push($errors, "select male or female");
}
$user_check_query = "SELECT * FROM users WHERE username='$username' OR
email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) {
if ($user['username'] === $username) {
array_push($errors, "Username already exists");
}
if ($user['email'] === $email) {
array_push($errors, "email already exists");
}
}
if (count($errors) == 0) {
$password = md5($password_1);
$query = "INSERT INTO users (firstname, lastname, username, email,
password, sex, bio)
VALUES('$firstname', '$lastname','$username', '$email', '$password',
'$sex','')";
mysqli_query($db, $query);
$_SESSION['username'] = $username;
header('location: profile.php');
}
}
//here is the code on the profile side.
?>
<?php
session_start();
if (isset($_SESSION['username'])) {
if (isset($_POST['update_user'])) {
$bio = mysqli_real_escape_string($db, $_POST['bio']);
$query = "UPDATE users SET bio='$bio' WHERE username=$username";;
header('location: profileclient.php');
}
}
?>
<form method="post" action="profileclient.php">
<div class="input-group">
<input type="text" name="bio">
</div>
<div class="input-group">
<button type="submit" class="button" name="update_user"> update!
</button>
</div>
</form>
Your code has multiple problems. Let me list them out.
Never store passwords in clear text or using MD5/SHA1! Only store password hashes created using PHP's password_hash(), which you can then verify using password_verify(). Take a look at this post: How to use password_hash and learn more about bcrypt & password hashing in PHP
Warning: You are wide open to SQL Injections and should really use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi. Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, you are still at risk of corrupting your data.
Always exit() after header('Location: ...');
It looks like you have forgotten to start your session in the sign-up file. Add session_start().
You need to enable error reporting for mysqli. Use mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
Here is your code fixed:
<?php
session_start();
//This is the signup server side
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = mysqli_connect('localhost', 'root', '', 'pt');
$errors = []; // validation messages are collected here; array_push() needs an array
if (isset($_POST['reg_user'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$email = $_POST['email'];
$password_1 = $_POST['password_1'];
$password_2 = $_POST['password_2'];
$sex = $_POST['sex'];
if ($sex == "Select Sex:") {
array_push($errors, "select male or female");
}
$user_check_query = "SELECT * FROM users WHERE username=? OR email=? LIMIT 1";
$stmt = mysqli_prepare($db, $user_check_query);
mysqli_stmt_bind_param($stmt, 'ss', $username, $email);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$user = mysqli_fetch_assoc($result);
if ($user) {
if ($user['username'] === $username) {
array_push($errors, "Username already exists");
}
if ($user['email'] === $email) {
array_push($errors, "email already exists");
}
}
if (!$errors) {
$password_hashed = password_hash($password_1, PASSWORD_DEFAULT);
$query = "INSERT INTO users (firstname, lastname, username, email, password, sex, bio)
VALUES(?, ?, ?, ?, ?, ?,'')";
$stmt = mysqli_prepare($db, $query);
mysqli_stmt_bind_param($stmt, 'ssssss', $firstname, $lastname, $username, $email, $password_hashed, $sex);
mysqli_stmt_execute($stmt);
$_SESSION['username'] = $username;
exit(header('location: profile.php'));
}
}
//here is the code on the profile side.
?>
<?php
session_start();
if (isset($_SESSION['username'])) {
if (isset($_POST['update_user'])) {
$query = "UPDATE users SET bio=? WHERE username=?";
$stmt = mysqli_prepare($db, $query);
mysqli_stmt_bind_param($stmt, 'ss', $_POST['bio'], $_SESSION['username']);
mysqli_stmt_execute($stmt);
exit(header('location: profileclient.php'));
}
}
?>
<form method="post" action="profileclient.php">
<div class="input-group">
<input type="text" name="bio">
</div>
<div class="input-group">
<button type="submit" class="button" name="update_user"> update!
</button>
</div>
</form>
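Added example, not part of the answer above: the original signup stored md5() digests, so after switching to password_hash() the rows already in the table still hold MD5 values, and this sketch goes one step beyond the answer by upgrading them at the next successful login. It assumes the pdo_sqlite extension (an in-memory SQLite table stands in for the MySQL `users` table, reduced to two columns); the function names and sample accounts are constructed.

```php
<?php
// Added example, not code from the page. Assumes the pdo_sqlite extension:
// an in-memory SQLite table stands in for the page's MySQL `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password VARCHAR(255) NOT NULL)');

// Constructed sample rows: one account written by the old md5() signup code,
// one written by the fixed signup code.
$insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(['legacy_user', md5('old-password')]);
$insert->execute(['new_user', password_hash('new-password', PASSWORD_DEFAULT)]);

/** True when the stored value is a bare 32-character hex MD5 digest. */
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

/**
 * Check a login attempt against the stored value. A legacy MD5 row is
 * accepted once with the correct password and immediately replaced by a
 * password_hash() value, so the MD5 digest disappears from the table.
 */
function verifyLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }

    $legacy = isLegacyMd5($stored);
    $valid = $legacy
        ? hash_equals($stored, md5($password))   // constant-time comparison
        : password_verify($password, $stored);
    if (!$valid) {
        return false;
    }

    // Upgrade MD5 rows, and rows whose algorithm or cost is no longer the default.
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $update = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $update->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

/** Report which scheme protects a user's row right now. */
function storedScheme(PDO $db, string $username): string
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = (string) $stmt->fetchColumn();
    return isLegacyMd5($stored) ? 'md5' : password_get_info($stored)['algoName'];
}

echo 'before login: ', storedScheme($db, 'legacy_user'), PHP_EOL;
var_dump(verifyLogin($db, 'legacy_user', 'wrong-guess'));
var_dump(verifyLogin($db, 'legacy_user', 'old-password'));
echo 'after login:  ', storedScheme($db, 'legacy_user'), PHP_EOL;
var_dump(verifyLogin($db, 'legacy_user', 'old-password')); // now checked by password_verify()
var_dump(verifyLogin($db, 'new_user', 'new-password'));
```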
Try using 'id' attribute in your input tag alongside the 'name' attribute
Try this code in your profile section
<?php
session_start();
if (isset($_SESSION['username'])) {
if (isset($_POST['update_user'])) {
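$bio = $db->escape_string($_POST['bio']); // $db is the mysqli connection object
$username = $db->escape_string($_SESSION['username']); // $username was never set in this script
$query = "UPDATE users SET bio='$bio' WHERE username='$username'";
$result = $db->query($query) or die($db->error);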
header('location: profileclient.php');
}
}
?>
<form method="post" action="profileclient.php">
<div class="input-group">
<input type="text" name="bio" id="name">
</div>
<div class="input-group">
<button type="submit" class="button" name="update_user"> update! </button>
</div>
</form>
I am trying to display the name of a user when they are logged in. My code uses $_SESSIONS to store the name, but since there is no input in my login page, the name doesn't get assigned and it ends up being just hello, instead of something like hello, John Smith.
I've tried using SQL to select the name by matching the email to the email of the logged-in user, and storing that in $_SESSION, but it still doesn't print the name of the user.
my server.php
<?php
include_once "inc/user-connection.php";
session_start();
$name = mysqli_real_escape_string($conn, $_POST['name']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$email = mysqli_real_escape_string($conn, $_POST['email']);
$username = mysqli_real_escape_string($conn, $_POST['username']);
if (isset($_POST['admin-sign-in'])) {
if (!empty($email)) {
if (!empty($password)) {
$sql = 'SELECT email, password FROM admin WHERE email = ?';
// preparing the SQL statement
if ($stmt = $conn->prepare($sql)) {
$stmt->bind_param('s', $_POST['email']);
$stmt->execute();
$stmt->store_result(); // Store the result so we can check if the account exists in the database.
// If email exists in sign_up table
if ($stmt->num_rows > 0) {
$stmt->bind_result($email, $password);
$stmt->fetch();
// if password user enters matches the one in the database
if (password_verify($password, $hashed_password)) {
$query = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($query);
$_SESSION['name'] = $row['name'];
// upon successful login, redirect user to landing apge
header("location: dashboard.php");
die();
} else {
// Incorrect password
header("location: ../html/sign-in-error.html");
die();
}
} else {
// Incorrect username
header("location: ../html/sign-in-error.html");
die();
}
$stmt->close();
}
} else {
header("location: ../html/404-error.html");
die();
}
} else {
header("location: ../html/404-error.html");
die();
}
}
my dashboard.php
<?php
session_start();
?>
<div class="d-block">
<h1 class="lead fw-normal text-muted mb-4 px-lg-10">Hello,
<?php
echo $_SESSION['name'];
?>
</h1>
</div>
You did not select the name and you are fetching it.
$sql = 'SELECT email, password, name FROM admin WHERE email = ?';
or
$sql = 'SELECT * FROM admin WHERE email = ?';
should fix the issue.
Additional: you can remove all your else statements since all of it will give the same result.
<?php
include_once "inc/user-connection.php";
session_start();
$name = $_POST['name'];
$password = $_POST['password'];
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$email = $_POST['email'];
$username = $_POST['username'];
if (isset($_POST['admin-sign-in'])) {
if (!empty($email)) {
if (!empty($password)) {
$sql = 'SELECT email, password, name FROM admin WHERE email = ?';
// preparing the SQL statement
if ($stmt = $conn->prepare($sql)) {
$stmt->bind_param('s', $_POST['email']);
$stmt->execute();
$stmt->store_result(); // Store the result so we can check if the account exists in the database.
// If email exists in sign_up table
if ($stmt->num_rows > 0) {
// one bound variable per selected column; the stored hash gets its own name
$stmt->bind_result($email, $stored_hash, $name);
$stmt->fetch();
// if password user enters matches the hash stored in the database
if (password_verify($_POST['password'], $stored_hash)) {
$_SESSION['name'] = $name;
// upon successful login, redirect user to landing apge
header("location: dashboard.php");
die();
}
}
$stmt->close();
}
}
}
header("location: ../html/404-error.html");
die();
}
I was following the most popular php tutorial on YouTube on how to create a sign up and log in process using PHP:
https://www.youtube.com/watch?v=LC9GaXkdxF8&t=2216s
I got some issues at first but they were just syntax errors and I was able to fix them. When I put in the username, email, password, and retyped password, and clicked sign up, it gave the message that it was successful. The problem, however, was that when I went back to the phpmyadmin database, the new row for the user didn't show up in the table. Now I am thinking this has something to do with phpmyadmin or SQL and not the code itself. So the specifics are:
Hosting program: XAMPP
Services turned on: ProFTPD, Apache, MySQL
OS: MacOS
Here is all the code that I have created by using this tutorial:
signup.inc.php:
<?php
if (isset($_POST['signup-submit'])) {
require 'dbh.inc.php';
$username = $_POST['uid'];
$email = $_POST['mail'];
$password = $_POST['pwd'];
$passwordRepeat = $_POST['pwd-repeat'];
if (empty($username) || empty($email) || empty($password) || empty($passwordRepeat)) {
header("Location: ../signup.php?error=emptyfields&uid=" . $username . "&mail=" . $email);
exit();
}
else if (!filter_var($email, FILTER_VALIDATE_EMAIL) && !preg_match("/^[a-zA-Z0-9]*$/", $username)) {
header("Location: ../signup.php?error=invalidmailuid");
exit();
}
else if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
header("Location: ../signup.php?error=invalidmail&uid=" . $username);
exit();
}
else if (!preg_match("/^[a-zA-Z0-9]*$/", $username)) {
header("Location: ../signup.php?error=invaliduid&uid=" . $email);
exit();
}
else if ($password !== $passwordRepeat) {
header("Location: ../signup.php?error=passwordcheck&uid=" . $username . "&mail=" . $email);
exit();
}
else {
$sql = "SELECT uidUsers FROM users WHERE uidUsers=?";
$stmt = mysqli_stmt_init($conn);
if(!mysqli_stmt_prepare($stmt, $sql)) {
header("Location: ../signup.php?error=sqlerror1");
exit();
}
else {
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$resultCheck = mysqli_stmt_num_rows();
if ($resultCheck > 0) {
header("Location: ../signup.php?error=usertaken&mail=" . $email);
exit();
}
else {
$sql = "INSERT INTO users (uidUsers, emailUsers, pwdUsers) VALUES (?, ?, ?)";
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt, $sql)) {
header("Location: ../signup.php?error=sqlerror2");
exit();
}
else {
$hashedPwd = password_hash($password, PASSSWORD_DEFAULT);
mysqli_stmt_bind_param($stmt, "sss", $username, $email, $hashedPwd);
mysqli_stmt_execute($stmt);
header("Location: ../signup.php?signup=success");
exit();
}
}
}
}
mysqli_stmt_close($stmt);
mysqli_close($conn);
}
else {
header("Location: ../signup.php");
exit();
}
?>
dbh.inc.php:
<?php
$servername = 'localhost';
$dBUsername = "root";
$dBPassword = "";
$dBName = "loginsystem";
$conn = mysqli_connect($servername, $dBUsername, $dBPassword, $dBName);
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
?>
signup.php:
<?php
$title = 'Sign Up';
$content = '
<main>
<div id="log-in-box">
<h2>Sign Up and Create an Account</h2>
<form class="form-signup" action="includes/signup.inc.php" method="post">
<input type="text" name="uid" placeholder="Username">
<input type="text" name="mail" placeholder="E-Mail">
<input type="password" name="pwd" placeholder="Password">
<input type="password" name="pwd-repeat" placeholder="Repeat Password">
<button type="submit" name="signup-submit">Sign Up</button>
</form>
</div>
</main>
';
include("template.php");
?>
The MYSQL code he typed into phpmyadmin while setting the database up (and also instead of being called loginsystemtut for the database name I called it loginsystem):
CREATE TABLE users (
idUsers int(11) AUTO_INCREMENT PRIMARY KEY NOT NULL,
uidUsers TINYTEXT NOT NULL,
emailUsers TINYTEXT NOT NULL,
pwdUsers LONGTEXT NOT NULL
);
and the weird thing is that I also get this snippet of code showing up while I am in the users table in the database:
SELECT * FROM `users`
The problem has actually been solved. I asked the same question on the r/php subreddit and someone gave me the answer that the guy's code in the video was terrible and told me what to do to fix it. I changed the :
else {
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$resultCheck = mysqli_stmt_num_rows();
if ($resultCheck > 0) {
header("Location: ../signup.php?error=usertaken&mail=" . $email);
exit();
}
else {
$sql = "INSERT INTO users (uidUsers, emailUsers, pwdUsers) VALUES (?, ?, ?)";
$stmt = mysqli_stmt_init($conn);
if (!mysqli_stmt_prepare($stmt, $sql)) {
header("Location: ../signup.php?error=sqlerror2");
exit();
}
else {
$hashedPwd = password_hash($password, PASSSWORD_DEFAULT);
mysqli_stmt_bind_param($stmt, "sss", $username, $email, $hashedPwd);
mysqli_stmt_execute($stmt);
header("Location: ../signup.php?signup=success");
exit();
}
}
to just:
else {
$sql = "INSERT INTO users (uidUsers, emailUsers, pwdUsers) VALUES (?, ?, ?)";
$stmt = $conn->prepare($sql);
$hashedPwd = password_hash($password, PASSWORD_DEFAULT);
$stmt->bind_param("sss", $username, $email, $hashedPwd);
$stmt->execute();
}
because you didn't need to do that with 15 lines of code, when you only needed 5.
I have a script that adds an email address and password to a table. I first search to see if the email address exists in the table. If it does, I give an error message. If it does not, I add the record.
Then, using mysqli_insert_id(), I run another query to update the record I just added, encrypting the password with md5.
But every time I run it, the record is added, but the password does not get updated with the md5 version of the password. I have echo'd the query and it shows that it should be updating the password with the encryption, but it doesn't. Any ideas?
<?php
session_start();
error_reporting(E_ALL);
if (array_key_exists("submit", $_POST)) {
$link = mysqli_connect("localhost", "eits_Admin", "WebSpinner1", "EITS_Sandbox");
if (!$link) {
die("Database connection error");
}
$error = '';
if (!$_POST['email']) {
$error .= "<br/>An email address is required";
}
if (!$_POST['password']) {
$error .= "<br/>A password is required";
}
if ($error != "") {
$error = "There were errors in your form - ".$error;
} else {
$query = "select id from secretdiary
where email = '".mysqli_real_escape_string($link, $_POST['email'])
."' limit 1";
// echo $query;
$result = mysqli_query($link, $query);
if (mysqli_num_rows($result) > 0) {
$error = "That email address is not available.";
} else {
$query = "insert into secretdiary
(email,password)
values ('" . mysqli_real_escape_string($link, $_POST['email'])
. "', '"
. mysqli_real_escape_string($link, $_POST['password']) . "')";
if (!mysqli_query($link, $query)) {
$error = "Could not sign you up at this time. Please try again later.";
} else {
$encPass = md5(md5(mysqli_insert_id($link)) . $_POST['password']);
$query = "update secretdiary
set password = '" . $encPass
. "' where id = " . mysqli_insert_id($link) . " limit 1";
echo $query;
$result = mysqli_query($link,$query);
echo "Sign up successful.";
}
}
}
}
?>
<div id="error"><? echo $error; ?></div>
<form method="post">
<input type="email" name="email" placeholder= "Your Email">
<input type="password" name="password" placeholder="Password">
<input type="checkbox" name="stayLoggedIn" value=1>
<input type="submit" name="submit" value="Sign Up!">
</form>
You've got a lot of lines of code for a relatively simple process. Personally your form error handling such as if it's empty (in this case) can be remedied by adding required at the end of each HTML form input element (This is what I'd do)
Secondly, md5 isn't safe for hashing passwords (you're hashing a password not encrypting it)
Thirdly, here's a way to hash the password from the form using Bcrypt, which is much better than using md5 hashing. So do whatever error checking you need to do before, like counting the usernames and if row > 0 die('username exists'). Example of full code at base using PDO.
When checking the user's login simply use the password_verify() function to do so.
Tidy code helps people on SO understand what your problem is and is generally nicer to read. I know you may just be looking for something that 'Does the job' But it helps you when debugging and us when you're asking for help.
I'm going to give you a way that is marginally more secure than your one.
index.php
<form method="post" id="regform" action="register.php">
<input type="text" name="username" placeholder="Enter your email Address" required/>
<input type="password" name="password" placeholder="Enter your password" required/>
<input type="submit" class="indexbttn" id="indexbttn" name="enter" value="enter"/>
</form>
connect.php
<?php
$servername = "localhost";
$dbusername = "root";
$dbpassword = "root";
$dbname = "fyp";
try{
$pdo = new PDO("mysql:host=$servername;dbname=$dbname",$dbusername, $dbpassword);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e)
{
print "Error! Unable to connect: " . $e->getMessage() . "<br/>";
die();
}
?>
register.php
<?php
session_start();
require_once ('connect.php');
error_reporting(E_ALL);
ini_set('display_errors', 1);
if(isset($_POST['enter'])){
$username = !empty($_POST['username']) ? trim($_POST['username']) : null;
$pass = !empty($_POST['password']) ? trim($_POST['password']) : null;
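// stop here when the submitted username is not a valid email address
if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
die('Please enter a valid email address.');
}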
$cnt = "SELECT COUNT(username) AS num FROM users WHERE username = :username";
$stmt = $pdo->prepare($cnt);
$stmt->bindValue(':username', $username);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if($row['num'] > 0){
die('That username already exists!');
}
$passHash = password_hash($pass, PASSWORD_BCRYPT, array("cost" => 12));
$insrt = "INSERT INTO users (username, password) VALUES (:username, :password)";
$stmt = $pdo->prepare($insrt);
$stmt->bindValue(':username', $username);
$stmt->bindValue(':password', $passHash);
$result = $stmt->execute();
if($result){
header( "refresh:5;url=index.php" );
echo 'You will be redirected in 5 seconds. If not, click here.';
}
}
?>
login.php
<?php
session_start();
require("connect.php");
if(isset($_POST['enter'])){
$username = !empty($_POST['username']) ? trim($_POST['username']) : null;
$pass = !empty($_POST['password']) ? trim($_POST['password']) : null;
$rtrv = "SELECT username, password, userid FROM users WHERE username = :username";
$stmt = $pdo->prepare($rtrv);
//Bind value.
$stmt->bindValue(':username', $username);
//Execute.
$stmt->execute();
//Fetch row.
$user = $stmt->fetch(PDO::FETCH_ASSOC);
//If $row is FALSE.
if($user === false){
//Could not find a user with that username!
die('Incorrect username');
}
else{
$validPassword = password_verify($pass, $user['password']);
if($validPassword){
$_SESSION['user_id'] = $user['username'];
$_SESSION['logged_in'] = time();
header( "Location: /protected.php" );
die();
} else{
die('Wrong password!');
}
}
}
?>
<?php
session_start();
$username = "";
$email = "";
$db = mysqli_connect("localhost", "root", "", "authentication");
if (isset($_POST['register_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password = mysqli_real_escape_string($db, $_POST['password']);
$password2 = mysqli_real_escape_string($db, $_POST['password2']);
$user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) {
if ($user['username'] === $username) {
header("Refresh:0");
echo "usrname exists";
}
if ($user['email'] === $email) {
header("Refresh:0");
echo "error";
}
}
if ($password == $password2) {
$password = md5($password);
$sql = "INSERT INTO users
(username, email, password, name, street,
postcode, age , center)
VALUES('$username', '$email', '$password', '$name', '$street',
'$postcode', '$age', '$center')";
mysqli_query($db, $sql);
$_SESSION['message'] = "Account registered";
$_SESSION['username'] = $username;
header("location: login.php");
}else{
$_ERROR= "Something went wrong :/";
}
}
Shown above is some PHP code. The purpose here is to register a user and then redirect them to the login page. However, after multiple attempts at using validation to see if an email or username already exists, after clicking the register button it still just records the registered details into the database named authentication (Users). I have put 'header ("Refresh") to test if it even reads through the if statement. It does not seem to.
I know md5 is insecure, and I will replace it.
Any advice on what I may have done wrong.
I have used snippets of code from here however I have attempted a few other solutions with no luck.
I'm making a login screen for my blog but when it has to validate the hash it fails. I have googled a lot watched here and asked a few class mates but it still fails. When you submit you get the alert
Wrong password or username!
How can I fix this?
this is my login script
<?php
include_once('resources/db.php');
$sql = "SELECT username, password FROM users WHERE username = :username";
$query = $db->prepare($sql);
$query->execute(array(":username" => $_POST['username']));
$user = $query->fetch(PDO::FETCH_ASSOC);
if ( isset( $_POST['submit'] )) {
$username = $_POST['username'];
$password = $_POST['password'];
$hash_password = $user['password'];
if ( password_verify($password, $hash_password)) {
if ($query->rowCount() == 1){
echo "chrisschotman is ingelogd";
} else {
echo "<script type=\"text/javascript\">alert('Wrong username!')</script>";
}
} else {
echo "<script type=\"text/javascript\">alert('Wrong password or username!')</script>";
}
}
?>
this is my login form
<form action="" method="post">
<input type="text" placeholder="username" name="username"maxlength="24"><br>
<input type="password" placeholder="password" name="password" minlength="8"
maxlength="16"><br>
<input type="submit" value="login" name="submit">
</form>
this is my registration script
<?php
include_once('resources/db.php');
// var_dump($_POST);
$query = $db->prepare('insert into users (`username`, `password`, `privileges`) values(?, ?, ?)');
$query =$db->prepare('select * from users');
$query->execute();
?>
//here is the registration form
<?php
if (isset($_POST)) {
include_once('resources/db.php');
$sql = "INSERT INTO users (`username`, `password`) VALUES (:username, :password)";
$query = $db->prepare($sql);
$query->execute(array(
':username' => $_POST['username'],
':password' => password_hash($_POST['password'], PASSWORD_DEFAULT)
));
if ($query) {
echo "Registered succefully";
} else {
echo "Occured and error";
}
}
?>
database structure
database rows
Change the database row to varchar(255)
$sql = "SELECT username, password FROM users WHERE username = :username";
$query = $db->prepare($sql);
$query->execute(array(":username" => $_POST['username']));
$user = $query->fetch(PDO::FETCH_ASSOC);
And try this registration:
<?php
// user name and password are separate constructor arguments, not part of the DSN string
$db = new PDO('mysql:host=localhost;dbname=' . $db_name, $db_user, $db_pass);
if (isset($_POST)) {
include_once('resources/db.php');
$sql = "INSERT INTO users (`username`, `password`) VALUES (:username, :password)";
$query = $db->prepare($sql);
$query->execute(array(
':username' => $_POST['username'],
':password' => password_hash($_POST['password'], PASSWORD_DEFAULT)
));
if ($query) {
echo "Registered succefully";
} else {
echo "Occured and error";
}
}
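Added example, not part of the answer above: why the column width matters for password_verify(), and a way to spot rows that were cut short. The width of 50 is a constructed value (the page does not show the original column definition), the truncation is simulated with substr() to mirror what MySQL does in non-strict mode, and the function names are hypothetical.

```php
<?php
// Added example, not code from the page. The width below is a constructed
// value; the original column definition is not shown on the page.
const ASSUMED_COLUMN_WIDTH = 50;

/** What a too-narrow VARCHAR keeps when MySQL (non-strict mode) truncates on INSERT. */
function storeInColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

/** Classify a stored password value so damaged rows can be found in an audit. */
function classifyStoredHash(string $stored): string
{
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'unknown') {
        return $info['algoName']; // complete hash of a supported algorithm
    }
    // bcrypt prefix present but fewer than the 60 characters a bcrypt hash has
    if (preg_match('/^\$2[abxy]\$\d{2}\$/', $stored) === 1 && strlen($stored) < 60) {
        return 'truncated bcrypt';
    }
    return 'unrecognised';
}

$password = 'example-password'; // constructed sample input
$full = password_hash($password, PASSWORD_BCRYPT);
$cut  = storeInColumn($full, ASSUMED_COLUMN_WIDTH);

// Same password, same hash: only the stored length differs between the two rows.
foreach (['full hash' => $full, 'after narrow column' => $cut] as $label => $stored) {
    printf(
        "%-20s len=%d type=%s verify=%s\n",
        $label,
        strlen($stored),
        classifyStoredHash($stored),
        var_export(password_verify($password, $stored), true)
    );
}
```

Rows classified as truncated cannot be repaired by widening the column afterwards; those users need a password reset once the column is varchar(255).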