i have a problem in sending my form values to mysql database i readed all other topics and i did what they wrote but i didn't get what i want please help me :(
<?php
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "13838383";
$dbname = "users";
$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
?>
<?php
include("../includes/functions.php");
?>
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="../public/stylesheets/style.css" type="text/css">
<title>Our WebPage</title>
</head>
<body>
<center>
<form action="input.php" method="post">
<fieldset>
<legend>Register</legend>
<span>UserName: </span><br />
<input type="text" name="username" placeholder="USERNAME"><br /><br />
<span>PassWord: </span><br />
<input type="text" name="lastname" placeholder="PASSWORD"><br /><br />
<input type="button" name="submit" value="submit"><br /><br />
<fieldset>
</form>
</center>
<?php
?>
<?php
if (isset($_POST['submit'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$addUserQuery = "INSERT INTO users (username, password) VALUES ({$username}, {$password});";
$added = mysqli_query($connection, $addUserQuery);
if ($added) {
echo '<br>Input data is successful';
} else {
echo '<br>Input data is not valid';
}
}
?>
</body>
</html>
and my problem is i don't know know what should i enter in action attribute in form tag thanks please help
Simply put, your variables aren't quoted, so your query is being turned into this (If someone submitted 1337user as the username, and P#ssw0rd as the password):
INSERT INTO users (username, password) VALUES (1337user, P#ssw0rd);
When it should be:
INSERT INTO users (username, password) VALUES ('1337user', 'P#ssw0rd');
Bind your variables instead: How can I prevent SQL injection in PHP?
if (isset($_POST['submit'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$addUserQuery = mysqli_prepare($connection, "INSERT INTO users (username, password) VALUES (?, ?)");
mysqli_stmt_bind_param($addUserQuery, "ss", $username, $password);
$added = mysqli_stmt_execute($addUserQuery);
if ($added) {
echo '<br>Input data is successful';
} else {
echo '<br>Input data is not valid';
}
}
Related
The problem is; I'm trying to fix the sign-up validation but still, it still saved in our database even if it's empty hopefully someone can provide explicit information as to were wrong in coding.
even if one of input box is empty it is still saved to our database table
<!DOCTYPE html>
<html>`enter code here`
<head>
<title>Sample Registration Form</title>
</head>
<body>
<form action="submit.php" method="POST">
<input type="text" name="userid" placeholder="USER ID"><br>
<input type="text" name="firstname" placeholder="FIRST NAME"><br>
<input type="text" name="lastname" placeholder="LAST NAME"><br>
<input type="text" name="email" placeholder="EMAIL"><br>
<input type="password" name="password" placeholder="PASSWORD"><br>
<button tabindex="submit" name="submit">Sign up</button>
</form>
<a href='login.php'><button type='submit' name='submit'>Proceed to Login</button></a>
</body>
</html>
the code above is the sign-up page
<!DOCTYPE html>
<html>
<head>
<title>Submit </title>
</head>
<body>
<?php
$dbservername = "localhost";
$dbusername = "root";
$dbpassword = "";
$dbname = "blogfinal";
$connect = mysqli_connect($dbservername, $dbusername, $dbpassword, $dbname);
if(isset($_POST['submit'])) {
$userid = $_POST['userid'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$checker = array("userid", "firstname", "lastname", "email", "password");
$Error = true;
foreach ($checker as $values) {
if(empty($_POST[$values])) {
echo "Error";
$Error = true;
} else {
$sql = "INSERT INTO userinformation
(userid, firstname, lastname, email, password)
VALUES ('$userid', '$firstname', '$lastname',
'$email', '$password');";
}
if(mysqli_query($connect, $sql)) {
echo "Saved Successfully<br>";
echo "<a href='login.php'><button type='submit' name='submit'>Proceed to Login</button></a>";
} else {
echo "Error Description: " . mysqli_error($connect);
}
}
}
?>
</body>
</html>
the code above is the submit function.
the problem is when we hit the sign-up even if the input-box is empty and it is still functioning and saved to our database, instead of a password, email, user, or first name is required.
[if you leave it empty then proceed to submit it show saved even there's no data on it.][1]
[the image after we hit the submit button.][2]
[hence, if we at least insert 1 data required and proceed to submit it still saved to our database, instead of showing that the other data is required][3]
[1]: https://i.stack.imgur.com/gVc0i.png
[2]: https://i.stack.imgur.com/Aizjl.png
[3]: https://i.stack.imgur.com/A04c0.png
The problem is that you're checking if each value is empty withif(empty($_POST[$values])) within a foreach loop. This if has an else that is running every time.
So even if one of the fields in empty, the query will always execute if there's at least 1 field that is not empty.
You should change the logic to make that even if just one field is empty, then the query doesn't run.
Here's a quick fix:
$Error = false;
// Check if all fields are not empty
foreach ($checker as $values) {
if(empty($_POST[$values])) {
echo "Error";
$Error = true; // If even just one field is empty, the $Error variable will be true
break;
}
}
if(!$Error) { // Check if I got an error
$sql = 'INSERT INTO userinformation,(userid, firstname, lastname, email, password) VALUES ("?", "?", "?", "?", "?");';
$stmt = $connect->prepare($sql)
$stmt->bind_param('sssss', $userid, $firstname, $lastname, $email, $password);
if($stmt->execute())
// The rest of your query
}
Furthermore please refer to the comment by #RiggsFolly to your question as your code has security issues connected to SQL Injection.
I am looking to check the username and password that are entered are equal to the username and password stored in mysql database.
I have used password_hash() to hash the password and stored them into table. But I don't know, how to check if they are the same or not.
HTML
<!DOCTYPE HTML>
<html>
<head>
<style>
.error {color: #FF0000;}
</style>
</head>
<body>
<h2>PHP Form Validation Example</h2>
<p><span class="error">* required field.</span></p>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
Username: <input type="text" name="username">
<span class="error">* <?php echo $usernameErr;?></span>
<br><br>
Password: <input type="password" name="password">
<span class="error">* <?php echo $passwordErr;?></span>
<br><br>
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>
PHP
<?php
error_reporting(E_ALL | E_STRICT);
$servername = "localhost";
$serverUsername = "root";
$serverPassword = "";
// Create connection
$conn = mysqli_connect($servername, $serverUsername, $serverPassword);
mysqli_select_db($conn, 'users');
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
if (isset($_POST["submit"])) {
$query = mysqli_prepare($conn, "SELECT * FROM user_logons WHERE Username = ? AND Password = ?");
mysqli_stmt_bind_param ($query , 'ss' , $username , $password);
mysqli_stmt_execute($query);
$username = mysqli_real_escape_string($conn, $_POST["username"]);
$password = password_hash($_POST["password"], PASSWORD_BCRYPT);
mysqli_stmt_close($query);
}
$usernameErr = $passwordErr = "";
mysqli_close($conn);
?>
Also, do I have to escape the password input if it is hashed?
You need to get the input password hashed again and before binding it with your prepare statement. You need to make sure, you are using same encryption method, which was used for storing.
$username = mysqli_real_escape_string($conn, $_POST["username"]);
$password = password_hash($_POST["password"], PASSWORD_BCRYPT);
mysqli_stmt_bind_param ($query , 'ss' , $username , $password);
mysqli_stmt_execute($query);
Edited:
As suggested by #Devon in comment, you could also use password_verify
Trying to simply register, although file is named as Login.html/.php
My HTML form in Login.html :
<!DOCTYPE html>
<html>
<head>
<title>Register/ Login</title>
<link rel="stylesheet" type="text/css" href="Assets/bootstrap.css">
<script src="Assets/jquery.min.js"></script>
<script src="Assets/bootstrap.min.js"></script>
</head>
<body>
<form action="Login.php" method="post">
<fieldset>
<legend>Register:</legend>
Username : <input type="text" name="Username"> <br>
Password : <input type="password" name="Password"> <br>
<input type="submit"><br>
</fieldset>
</form>
</body>
</html>
Have set up the MySQL side of the code and run it as well, it works fine.
The PHP file, Login.php :
<?php
$userErr = $passErr = "";
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "testdb";
$conn = mysqli_connect($servername, $username, $password, $dbname) or die("Connection failed");
$Username = $_POST['Username'];
$Password = $_POST['Password'];
echo("Reached 1. <br>");
$stmt = "INSERT INTO Login (Username, Password) VALUES ('$Username', '$Password')";
$result = mysqli_query($conn, $stmt);
if($result) {
echo("Registered Successfully!");
}
mysqli_close($conn);
?>
When I enter the details and submit, the code for Login.php is displayed, with the url being: (file:///C:/xampp/htdocs/Login.php)
Also, Login.html was run on localhost, i.e., url being:
(http://localhost/Login.html)
I can guess you are browsing your Login.html with
file:///C:/xampp/htdocs/Login.html
But you have to use like this
http://localhost/Login.html
When i press the submit button to insert record, it pulls out no error but when i check the database i find no records submitted too. please what could be wrong with my script. just started with php
<?php
if (isset($_POST['submitted'])){
include('Connections/connect.php');
$term= $_POST['term'];
$details= $_POST['details'];
$sql = "INSERT INTO people (term,details) VALUES ($term,$details)";
$newrecord ="Inserted Successfully";
}
?>
connect.php
<?php
$hostname_speedapp = "localhost";
$database_speedapp = "mydb";
$username_speedapp = "root";
$password_speedapp = "password";
$mydb= mysqli_connect($hostname_mydb, $username_mydb, $password_mydb) or trigger_error(mysql_error(),E_USER_ERROR);
?>
HTML
<form id="form1" name="form1" method="post" action="page1.php">
<p>
<label for="term"></label>
<input type="text" name="term" id="term" />
</p>
<p>
<label for="details"></label>
<input type="text" name="details" id="details" />
</p>
<p>
<input type="submit" name="button" id="button" value="Submit" />
<input name="submitted" type="hidden" value="submitted" />
</p>
</form>
<p>
<?php
$newrecord
?>
There is a lot wrong with your code
Let's take it step by step:
<?php
if (isset($_POST['submitted'])){
include('Connections/connect.php');
$term= $_POST['term'];
$details= $_POST['details'];
You are not escaping here. When I'm a bad man I could destroy your application
Read more about escaping here: How can I prevent SQL injection in PHP?
$sql = "INSERT INTO people (term,details) VALUES ($term,$details)";
You are defining a query here but you do not do anything with this query
read about executing query's on the php documentation page: http://php.net/manual/en/mysqli.query.php
$newrecord ="Inserted Successfully";
You are defining a variable $newrecord here but it does not have a function here. Add echo $newrecord; to echo the value of the variable $newrecord: http://php.net/echo
}
?>
Then you are not using the correct variables in your connect.php
<?php
$hostname_speedapp = "localhost";
$database_speedapp = "mydb";
$username_speedapp = "root";
$password_speedapp = "password";
$mydb= mysqli_connect($hostname_mydb, $username_mydb, $password_mydb) or trigger_error(mysql_error(),E_USER_ERROR);
?>
You are defining $hostname_speedapp and using $hostname_mydb in your mysqli_connect change that to $hostname_speedapp etc.. changing your connection string to:
$mydb= mysqli_connect($hostname_speedapp, $username_speedapp, $password_speedapp)
You are not selecting a database in your connectionstring. You are defining a variable with your database name called: $database_speedapp but you never use it.
Change your connectionstring to: $mydb= mysqli_connect($hostname_speedapp, $username_speedapp, $password_speedapp, $database_speedapp) and you should be good to go
add this
$sql = "INSERT INTO people (term,details) VALUES ($term,$details)";
if (mysqli_query($mydb, $sql))
{
echo "New record created successfully";
}
else
{
echo "Error: " . $sql . "<br>" . mysqli_error($mydb);
}
EDIT 01
$hostname_speedapp = "localhost";
$database_speedapp = "mydb";
$username_speedapp = "root";
$password_speedapp = "password";
$mydb= mysqli_connect($hostname_mydb, $username_mydb, $password_mydb) or trigger_error(mysql_error(),E_USER_ERROR);
and top of page1.php
include("connect.php");
You dont even have an insert query in your script.
$hostname_speedapp = "localhost";
$database_speedapp = "mydb";
$username_speedapp = "root";
$password_speedapp = "password";
$mydb= mysqli_connect($hostname_mydb, $username_mydb, $password_mydb) or trigger_error(mysql_error(),E_USER_ERROR);
$sql = "INSERT INTO people (term,details) VALUES ($term,$details)";
if (mysqli_query($mydb, $sql)) {
$newrecord ="Inserted Successfully";
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($mydb);
}
mysqli_close($mydb);
use this:
` $sql = "INSERT INTO people (term,details) VALUES ($term,$details)";
$result=mysqli_query($mydb,$sql);`
Connect.php
<?php
$hostname_speedapp = "localhost";
$database_speedapp = "mydb";
$username_speedapp = "root";
$password_speedapp = "password";
$mydb= mysqli_connect($hostname_speedapp, $username_speedapp, $password_speedapp,$database_speedapp) or trigger_error(mysql_error(),E_USER_ERROR);
?>
page1.php
if (isset($_POST['submit'])){
include('Connections/connect.php');
$term= $_POST['term'];
$details= $_POST['details'];
$sql = "INSERT INTO people (term,details) VALUES ('".$term."' , '".$details."')";
if ($mydb->query($sql) === TRUE) { //can use connected database $mydb
$newrecord = "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $mydb->error;
}
}
?>
<form id="form1" name="form1" method="post" action="">
<p>
<label for="term"></label>
<input type="text" name="term" id="term" />
</p>
<p>
<label for="details"></label>
<input type="text" name="details" id="details" />
</p>
<p>
<input type="submit" name="button" id="button" value="Submit" />
</p>
</form>
<p>
<?php
if(isset($newrecord)){
echo "<h3>$newrecord</h3>";
}
?>
I think you need to quote the submitted data values in your sql query:
Change the following:
$sql = "INSERT INTO people (term,details) VALUES ($term,$details)";
to
$sql = "INSERT INTO people (term,details) VALUES ('$term','$details')";
For learning purposes, I am creating a password manager on my local system. However there is a problem when it comes to inserting data into the database and I'm not sure why it isn't working.
My entire document can be the found below.
<?php
$user = 'root';
$pass = '';
$db = 'accounts';
$server = 'localhost';
$db_handle = mysql_connect($server, $user, $pass);
if (!$db_handle) {
echo "Unable to connect to DB: " . mysql_error();
exit;
}
$db_found = mysql_select_db($db, $db_handle);
if ($db_found) {
if (isset($_POST['type'])) {
$getOrSet = $_POST['type'];
$site = $_POST['site'];
$login = $_POST['login'];
if ($getOrSet == 'get') {
$pass = mysql_fetch_assoc(mysql_query("SELECT password FROM manager WHERE site = '$site' AND username = '$login'"))['password'];
} else if ($getOrSet == 'set') {
$url = $_POST['url'];
$pass = $_POST['pass'];
mysql_query("INSERT INTO manager (site, url, username, password) VALUES ('$site', '$url', '$login' '$pass')");
}
}
} else {
echo "Unable to select database: " . mysql_error();
}
mysql_close($db_handle);
?>
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
<style>
#left,#right{width:50%;margin:0;padding:0;float:left;text-align:center}
form{width:300px;margin:0 auto}
label{width:300px;display:block;line-height:1.65em}
input{float:right}
#pass{width:300px}
#pass>span{float:right}
</style>
</head>
<body>
<h1>Password Manager</h1>
<div id="left">
<h2>Get Password</h2>
<form action="index.php" method="post">
<label>Site: <input type="text" name="site" /></label>
<label>Email/Username: <input type="text" name="login" /></label>
<input type="hidden" name="type" value="get" />
<?php if(isset($_POST['type'])){if ($getOrSet == 'get') {echo "<span id=\"pass\">Password: <span>$pass</span></span>";}} ?>
<input type="submit" value="Submit" />
</form>
</div>
<div id="right">
<h2>Set Password</h2>
<form action="index.php" method="post">
<label>Site: <input type="text" name="site" /></label>
<label>URL: <input type="text" name="url" /></label>
<label>Email/Username: <input type="text" name="login" /></label>
<label>Password: <input type="password" name="pass" /></label>
<input type="hidden" name="type" value="set" />
<input type="submit" value="Submit" />
</form>
</div>
</body>
</html>
Can someone please tell me why this code doesn't work?
mysql_query("INSERT INTO manager (site, url, username, password) VALUES ('$site', '$url', '$login' '$pass')");
use escapes before insert like
$site = mysql_real_escape_string($site);
$url = mysql_real_escape_string($url);
$login = mysql_real_escape_string($login);
$pass = mysql_real_escape_string($pass);
// now insert
mysql_query("INSERT INTO manager (site, url, username, password) VALUES ('$site', '$url', '$login', '$pass')");
Note : mysql_* is deprecated. use mysqli_* or PDO
The problem is that there is a missing , after '$login' so
mysql_query("INSERT INTO manager (site, url, username, password) VALUES ('$site', '$url', '$login' '$pass')");
should have been
mysql_query("INSERT INTO manager (site, url, username, password) VALUES ('$site', '$url', '$login', '$pass')")