I'm not that good with PHP but i need to do a user registration form and this is what I haven done so far
<!doctype html>
<html>
<head>
<title>Register</title>
</head>
<body>
<p>Register | Login</p>
<h3>Formulario de registro</h3>
<form action="" method="POST">
Usuario: <input type="text" name="login"><br />
Contrasena: <input type="password" name="password"><br />
Email: <input type="text" name="email"><br />
Sexo: <input type="text" name="sex"><br />
Edad: <input type="text" name="age"><br />
Telefono: <input type="text" name="phone"><br />
Pais: <input type="text" name="country"><br />
Ciudad: <input type="text" name="city"><br />
Direccion: <input type="text" name="address"><br />
<input type="submit" value="Register" name="submit" />
</form>
<?php
if(isset($_POST["submit"])){
if(!empty($_POST['login']) && !empty($_POST['password'])) {
$login=$_POST['login'];
$password=$_POST['password'];
$email=$_POST['email'];
$sex=$_POST['sex'];
$age=$_POST['age'];
$phone=$_POST['phone'];
$country=$_POST['country'];
$city=$_POST['city'];
$address=$_POST['address'];
$con=mysqli_connect('localhost','root','','registro_usuarios') or die(mysql_error());
$sql="SELECT * FROM usuario ";
$result = mysqli_query($con,$sql);
if(mysqli_num_rows($result)>=0)
{
echo "I'm in";
$sql="INSERT INTO usuario (login,password,email,sex,age,phone,country,city,address)
VALUES('$login','$password','$password','$email','$sex','$age','$country','$city','$address')";
$result=mysqli_query($con,$sql);
if($result){
echo "Account Successfully Created";
} else {
echo "Failure!";
}
} else {
echo "That username already exists! Please try again with another.";
}
} else {
echo "All fields are required!";
}
}
?>
</body>
</html>
I can see the message "I'm in" in my screen but I'm also get the "Failure" message because it's not inserting anything into the the database. I have been struggling trying to find the error but nothing so far. The error should be around here
$sql="INSERT INTO usuario (login,password,email,sex,age,phone,country,city,address)
VALUES('$login','$password','$password','$email','$sex','$age','$country','$city','$address')";
$result=mysqli_query($con,$sql);
I have checked all the values from my database in case of a typo just in case you guys wonder and there is no typo.
Thanks
You wrong in sql insert.
your sql :
$sql="INSERT INTO usuario (login,password,email,sex,age,phone,country,city,address) VALUES('$login','$password','$password','$email','$sex','$age','$country','$city','$address')";
$result=mysqli_query($con,$sql);
look at the value row doesn't match with the insert fields. You insert twice $password, and no $phone.
If still error, you can add this to know what wrong with your query:
if(mysqli_query($con,$sql))
{
echo 'Success'.'</br>';
}
else
{
echo 'Fail';
echo "Error Description : ".mysqli_error($con);
}
Related
I am using MacOSx and apache sever on XAMPP
Here is the link to my file - http://localhost:8080/logi/index.php and if I write sqlmap -u http://localhost:8080/logi/index.php?id=1 This error appear: [CRITICAL] all tested parameters do not appear to be injectable.
I want to check my login form for vulnerabilities but I don't understand which parameters I should write, which id or maybe I have to use --data?
Here is my code:
<?php
SESSION_START();
require ('connect.php');
//This is the validation for the login
if(isset($_POST['login'])){
$sql="SELECT * FROM members WHERE email=? AND password=?";
$ss=mysqli_prepare($connect,$sql);
$ss->bind_param("ss",$eu,$pe);
$eu=$_POST['email'];
$pe=$_POST['password'];
$ss->execute();
if(!empty($eu) && !empty($pe) && $ss->fetch()>0){
$_SESSION['email']=$_POST['email'];
header('Location:welcome.php');
}
if(empty($eu)){
$eerr="Did you forget your email?";
}elseif(empty($pe)){
$pwerr="Password required";
}elseif($ss->fetch()!==1){
$eerr="That account do not exist";
}
}
//This is the validation for registration
if(isset($_POST['register'])){
$sql="SELECT * FROM members WHERE email=?";
$sss=mysqli_prepare($connect,$sql);
$sss->bind_param("s",$e);
$e=$_POST['remail'];
$pw=$_POST['rpassword'];
$sss->execute();
if(!empty($e) && !empty($pw) && $sss->fetch()<1 && filter_var($e, FILTER_VALIDATE_EMAIL)){
$sql="INSERT INTO members (email,password)VALUES(?,?)";
$sss=mysqli_prepare($connect,$sql);
$sss->bind_param("s",$e);
$pq=$_POST['rpassword'];
$sss->execute();
echo"You have signed up!";
}
if(empty($e)){
$emailerr="Please provide your email adress!";
}elseif(empty($pw)){
$passworderr="Choose a password";
}elseif($sss->fetch()>0){
$emailerr="That account exist";
}elseif(!filter_var($e, FILTER_VALIDATE_EMAIL)){
$emailerr="Invalid email";
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login and Registration</title>
<style>
span{
color:red;
}
</style>
</head>
<body>
Login
<form action="" method="POST">
<input type="text" name="email" placeholder="Email"/><span><?php echo $eerr;?><span><br>
<input type="password" name="password" placeholder="Password"/><span><?php echo $pwerr;?></span><br>
<input type="submit" name="login" value="Login"/>
</form>
<br><br>
Register
<form action="" method="POST">
<input type="text" name="remail" placeholder="Email"><span>*<?php echo $emailerr;?></span><br>
<input type="password" name="rpassword" placeholder="Password"><span>*<?php echo $passworderr;?><span><br>
<input type="submit" name="register" value="Register"/>
</form>
</body>
</html
not returning empty errro in else condition when the username field is empty and inserting data in databse in if condition is working well but when i try to return an error the page goes blank
<?php include "db.php"?>
<?php
if (isset($_POST['submit'])){
global $conn;
$error=array();
$username=$_POST['username'];
if($username==""){
$error="username is empty";
}
if(empty($error)){
$sql="INSERT INTO users (username,password,category)VALUES('$username','$password','$category')";
$res=mysqli_query($conn,$sql);
if($res){
echo "done";
}else{
echo "try again";
}
}else{
return $error;
}
}
?>
<html>
<body>
<fieldset style="width:30%;">
<form action="" method="post" enctype="multipart/form-data">
<label>Username</label>
<input type="text" name="username" placeholder="username" id="username" ><br>
<input type="submit" name="submit" id="submit" value="submit">
</form>
</fieldset>
</body>
</html>
I found so many errors during execution please check the following code.
1) It should be empty($username) instead of $username == '' basically that doesn't matter, it will be work either of the methods
2) you have return $error; which means it will only return print nothing
so you need to use print_r($error) there is no function to return so you can simply print that error on the top of the form.
3) use parameterize query instead of passing variables to query.
if still not working please uncomment that two lines just after php tag and check for the error
one more suggestion I have added for error you can display the errors just after the field like below
Please check for the <span> tag just added after input and style error class as you want like color border etc.
<?php
//error_reporting(-1);
//ini_set('display_errors',true);
include "db.php";
if (isset($_POST['submit'])){
global $conn;
$error=array();
$username=$_POST['username'];
$password=$_POST['password'];
if(empty($username)){
$error['username']="username is empty";
}
if(empty($password)){
$error['password']="password is empty";
}
if(empty($error)){
$sql="INSERT INTO users (username,password,category)VALUES(?, ?, ?)";
if ($stmt = $mysqli->prepare($sql)) {
$stmt->bind_param("sss", $username,$password,$category);
if($stmt->execute())
echo "Done";
else
echo "Try Again!";
}
} else {
//print_r($error);
}
}
?>
<html>
<body>
<fieldset style="width:30%;">
<form action="" method="post" enctype="multipart/form-data">
<label>Username</label>
<input type="text" name="username" placeholder="username" id="username" ><br>
<span class='error'><?=$error['username']?></span></br />
<input type="password" name="password" placeholder="password" id="password" ><br>
<span class='error'><?=$error['password']?></span></br />
<input type="submit" name="submit" id="submit" value="submit">
</form>
</fieldset>
</body>
</html>
Try with this script.
<?php
if (isset($_POST['submit']))
{
global $conn;
$error=array();
$username=$_POST['username'];
if($username == ""){
$error="username is empty";
}else{
$sql="INSERT INTO users (username,password,category)VALUES('$username','$password','$category')";
$res=mysqli_query($conn,$sql);
if($res){
echo "done";
}else{
echo "try again";
}
}
//THIS IS ARRAY SO YOU HAAVE TO PRINT LIKE THIS
print_r( $error);
}
You don't have to need use else statement twice.just check whether error is empty or not and run.
Happy Coding :-)
I've created this registration form and i want to insert a text file like CV in mysql database named st_login including the table named login.In the following code i've only created a form for registration purposes and want to insert also an option allowing the user to insert a text file (CV)into the registration form and this text file to be saved into that database using Php.
This is my php code:
<html >
<head>
<title></title>
</head>
<body>
<?php
print ("<form action='register.php' method='post'>
<p>Name
<input type='text' name='firstname' />
</p>
<p>Surname
<input type='text' name='lastname' />
</p>
<p>Username
<input type='text' name='username' />
</p>
<p>Password
<input type='password' name='password' />
<p/>
<input type='submit' value='Register'/>
</form>");
extract ($_POST);
if( !($database=mysql_connect("localhost","root",""))||!(mysql_select_db("st_login",$database)) )
print("Could not connect");
if(isset($_POST['firstname'] )&&isset($_POST['lastname'])&&isset($_POST['username'])&&isset($_POST['password']) ){
$firstname=$_POST['firstname'];
$lastname=$_POST['lastname'];
$username=$_POST['username'];
$password=$_POST['password'];
$query = "INSERT INTO login (firstname, lastname, username,password) VALUES ('$firstname', '$lastname', '$username','$password')";
}
if ( !empty($firstname)&&!empty($lastname)&&!empty($username) &&!empty($password) )
{
if(!($result=mysql_query($query,$database)))
{
print("Could not execute query");
die (mysql_error());//ose error
}
else echo "You have been registered successfully";
}
else echo "Fill in all the blank fields";
mysql_close($database);
?>
</body>
</html>
My code works perfect with correct data. But when is invalid value in field, it shows an error message with link on page register.php and when I click on this error, it redirects to register form, but there is empty form and all values must be inserted again. I want that valid values are displayed after error and invalid not.
Code:
<html>
<head>
<?php include 'connect.php'; ?>
<?php include 'functions.php'; ?>
<meta charset="UTF-8">
<title>TechnoLab-Registracija</title>
<link rel='stylesheet' href='style.css' type='text/css' />
<?php include 'header.php'; ?>
</head>
<body>
<div id="container">
<div id="left">
<?php include "kategorije.php";?>
</div>
<div id="right">
<?php include "loggedin.php";?>
</div>
<form method="post" id='registerform'>
<br/>
<?php
if(!empty($_POST['username']) && !empty($_POST['password']) )
{
$username = mysqli_real_escape_string($con, $_POST['username']);
$password = md5(mysqli_real_escape_string($con, $_POST['password']));
$email = mysqli_real_escape_string($con, $_POST['email']);
$confirm_email = mysqli_real_escape_string($con, $_POST['confirm_email']);
$ime = mysqli_real_escape_string($con, ucfirst($_POST['ime']));
$prezime = mysqli_real_escape_string($con, ucfirst($_POST['prezime']));
$oib = mysqli_real_escape_string($con, $_POST['oib']);
$ulica = mysqli_real_escape_string($con, $_POST['ulica']);
$mjesto = mysqli_real_escape_string($con, $_POST['mjesto']);
$checkusername = mysqli_query($con, "SELECT * FROM korisnici WHERE Username = '".$username."' OR Oib = '".$oib."'");
if(mysqli_num_rows($checkusername) == 1)
{
echo " <p><a class='one' href=\"register.php\">Unesite drugo korisničko ime!</p>";
exit();
}
$checkusernamelenght = checkusernamelenght($username);
if(!$checkusernamelenght){
echo ' <p><a class="one" href="register.php">Korisničko ime minimalno 4 znaka i ne smije sadržavati razmake između slova!</a></p>';
exit();
}
if (preg_match("/^.*(?=.{6,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $_POST['password']) === 0){
echo ' <p><a class="one" href="register.php">Lozinka mora imati barem 6 znakova i sadržavati mala i velika slova te broj!</a></p>';
exit();
}
$checkemail = mysqli_query($con, "SELECT * FROM korisnici WHERE Email = '".$email."'");
if(mysqli_num_rows($checkemail) == 1)
{
echo " <p><a class='one' href=\"register.php\">Unesite drugu email adresu!</p>";
exit();
}
if ($confirm_email!=$email){
echo " <p><a class='one' href=\"register.php\">Vaše email adrese se ne podudaraju!</a></p>" ;
exit();
}
$validateEmail = validateEmail($email);
if(!$validateEmail){
echo " <p><a class='one' href=\"register.php\">Unesite ispravan format emaila!</a></p>";
exit();
}
$checkOib = checkOib($oib);
if(!$checkOib){
echo " <p><a class='one' href=\"register.php\">Unesite ispravan OIB !</p>";
exit();
}
else{
$registerquery = mysqli_query($con, "INSERT INTO korisnici VALUES('', '$username', '$password', '$email', '$confirm_email', '$ime', '$prezime', '$oib', '$ulica', '$mjesto', 'user')");
if($registerquery)
{
header('location: index');
}
}
}
else
{
?>
<br/>
<div id="reg">
<label for="username">Korisničko ime:</label><input type="text" name="username" required /><br />
<label for="password">Lozinka:</label><input type="password" name="password" maxlength="20" required /><br />
<label for="email">Email:</label><input type="text" name="email" required /><br />
<label for="confirm_email">Potvrdi email:</label><input type="text" name="confirm_email" required /><br />
<label for="ime">Ime:</label><input type="text" name="ime" required /><br />
<label for="prezime">Prezime:</label><input type="text" name="prezime" required /><br />
<label for="oib">OIB:</label><input type="text" name="oib" required /><br />
<label for="ulica">Ulica i kućni broj:</label><input type="text" name="ulica" required /><br />
<label for="mjesto">Mjesto i poštanski broj:</label><input type="text" name="mjesto" required /><br />
<br/>
<input type="submit" name="register" id="register" value="Registracija" />
</div>
</form>
<?php
}
?>
</div>
<?php include "footer.php";?>
</body>
</html>
Is it possible do that only with php or must be javascript or something else?
I've searched on forum and tried with this and similar code but it doesn't work.
<input type="text" name="login" value="<?php if(isset($_POST['login'])){ echo $_POST['login'];}?>">
I appreciate any help!
The $_POST['<value>'] doesn't work because of the redirect, it "drops" the $_POST data.
One way to achieve the desired functionality is to use $_SESSION when the form has been submitted you can store the values in the $_SESSION, or you might prefer to only store them if there's a error.)
You can store/save the values in $_SESSION like so:
$_SESSION['name'] = $_POST['name'];
And then simply check for the $_SESSION['<value>'] instead of the $_POST['<value>'].
<input type="text" name="login" value="<?php if(isset($_SESSION['login'])){ echo $_SESSION['login'];}?>">
You'd have to remember to start the session at the top of each page you want to use sessions on.
session_start();
One thing to be aware of is that you should unset the session values after you are done with them, so you avoid old data being reused.
There are plenty of ways you can use $_SESSION to achieve what you want so it's all about finding the way that suits you best.
You can read more about sessions here
best way is to create session array for complete data and if it is not empty show it in your fields. other method is to pass that post array back to your view when redirecting after invalid values.
hope you will understand.
If you just want the register.php script to fill the fields, simply send the needed info to this script:
$param = "?user=".urlencode($_POST['user']);
$param .= "&email=".urlencode($_POST['user']);
//...concat all needed param here
echo " <p><a class='one' href=\"register.php".$param."\">Unesite drugo korisničko ime!</p>";
Then in your register.php script, just read the $_GET['...'] values to populate your form. don't forget to urldecode() them.
Note: For obvious security reasons, DO NOT pass the password in the GET parameters (nor store it in a $_SESSION variable).
I am trying to make Sign Up Now! area for a restaurant website and want to insert data of new members in the members_t table of database members with all running on localhost. I am using PHP and HTML for the purpose. Moreover, I am doing form validation using javaScript in a separate file which is working perfectly!
Code for PHP:
<?php
$user="root";
$password="";
$database="members";
$con = mysql_connect('localhost',$user,$password);
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db($database, $con) or die( "Unable to select database");
if(isset($_POST['sign_up']) && !empty($_POST['sign_up']))
{
$sql = "INSERT INTO members_t('Name', 'Email', 'Password', 'Phone', 'Address', 'Sex', 'More') VALUES('".$_POST['username']."','".$_POST['email']."','".$_POST['passid_1']."','".$_POST['zip']."','".$_POST['address']."','".$_POST['sex']."','".$_POST['desc']."');";
$resultDI = mysql_query($sql, $con) or die(mysql_error());
mysql_close($con);
echo "Successfolly run database query!";
}
else
{
echo("Failed to update database!!!");
}
?>
Code for HTML:
<html>
<body>
<h2 class="letter_spacing">Not a Member?<span><br>Sign Up Now:</br></span></h2>
<form id = "register" name="registration" method = "post" onSubmit="return formValidation();">
<ul>
<li><label for="username">* Full Name:</label></li>
<li><input type="text" name="username" size="50" /></li>
<li><label for="email">* Email:</label></li>
<li><input type="text" name="email" size="50" /></li>
<li><label for="passid_1">* Desired Password:</label></li>
<li><input type="password" name="passid_1" size="12" /></li>
<li><label for="passid_2">* Re-Enter Password:</label></li>
<li><input type="password" name="passid_2" size="12" /></li>
<li><label for="zip">* Contact Number:</label></li>
<li><input type="text" name="zip" /></li>
<li><label for="address">* Address:</label></li>
<li><input type="text" name="address" size="50" /></li>
<li><label id="gender">* Sex:</label></li>
<li><input type="radio" name="msex" value="Male" /><span>Male</span></li>
<li><input type="radio" name="fsex" value="Female" /><span>Female</span></li>
<li><label for="desc">Anything More:</label></li>
<li><textarea name="desc" id="desc" cols="40" rows="4"></textarea></li>
<li><label for="note" ><h6>Note: All feilds marked with * are necessary</h6></label></li>
<li><input class="button1" type="submit" name="sign_up" value="Sign Up!" /></li>
</ul>
</form>
</body>
</html>
I have tried to keep the code in a separate file called insert.php and added the action field to the HTML form tag yet of no use.
I am never able to insert data into the database. It seems the PHP code never goes into the
if(isset($_POST['sign_up']) && !empty($_POST['sign_up']))
block.
Try this:
<form id="register" action="" method="post" name="registration" onSubmit="return formValidation();">
<input type="text" name="username" size="50" />
<input type="text" name="email" size="50" />
<input type="password" name="passid_1" size="12" />
<input type="password" name="passid_2" size="12" />
<input type="text" name="zip" />
<input type="text" name="address" size="50" />
<input type="radio" name="sex" value="Male" /><span>Male</span>
<input type="radio" name="sex" value="Female" /><span>Female</span>
<textarea name="desc" id="desc" cols="40" rows="4"></textarea>
<input class="button1" type="submit" name="sign_up" value="Sign Up!" />
</form>
<?php
if (isset($_POST['sign_up']) && !empty($_POST['sign_up'])) {
// escape all submitted data before inserting into database
foreach ($_POST as $key => $value) {
$_POST[$key] = mysql_real_escape_string(strip_tags($value));
}
$result = mysql_query("
INSERT INTO members_t (Name, Email, Password, Phone, Address, Sex, More)
VALUES ('{$_POST['username']}', '{$_POST['email']}', '{$_POST['passid_1']}', '{$_POST['zip']}', '{$_POST['address']}', '{$_POST['sex']}', '{$_POST['desc']}')
") or die(mysql_error());
if (mysql_affected_rows() == 1) {
echo "Successfully run database query!";
} else {
echo("Failed to update database!!!");
}
}
?>
Note that name of the radio buttons should be the same "sex" not "msex" and "fsex" as in your code. And I have added the action attribute in the form tag plus some other modifications you can easily notice.
First of all, i have cleaned up the code a little so it looks nice and smooth. Then i have removed the !empty part you made, cant see the reason why you want to verify that it actually is empty when you already used isset.
HTML:
<?php
$hostname = "";
$user = "root";
$password = "";
$database = "members";
$desc = $_POST['desc'];
$con = mysql_connect($hostname, $user, $password);
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db($database, $con) or die( "Unable to select database");
if(isset($_POST['sign_up']))
{
if(isset($_POST['username'])){
$username = $_POST['username'];
}
else {
echo "The username is not set"; die;
}
if(isset($_POST['email'])){
$email = $_POST['email'];
}
else {
echo "The email is not set"; die;
}
if(isset($_POST['zip'])){
$zip = $_POST['zip'];
}
else {
echo "The zip code is not set"; die;
}
if(isset($_POST['address'])){
$address = $_POST['address'];
}
else {
echo "The gender is not set"; die;
}
if(isset($_POST['sex'])){
$sex = $_POST['sex'];
}
else {
echo "The gender is not set"; die;
}
if(isset($_POST['passid_1'])){
$passid = $_POST['passid_1'];
}
else {
echo "The password is not set"; die;
}
if(isset($_POST['passid_2'])){
$passid2 = $_POST['passid_2'];
}
else {
echo "The re-entered password is not set"; die;
}
if($passwid == $passid2){
$correctpid = $passwid;
}
else {
echo "The passwords do not match"; die;
}
$sql = "INSERT INTO members_t('Name', 'Email', 'Password', 'Phone', 'Address', 'Sex', 'More') VALUES('$username', '$email','$correctpid', '$zip', '$address', '$sex', '$desc');";
mysql_query($sql) or die(mysql_error());
mysql_close($con);
echo "Successfolly run database query!";
}
else
{
echo("Failed to update database!!!");
}
?>
I have made the php code to check if all the fields are filled with data. If not the site die and gives them a error message. It kills the website before it can set anything into the database.
-- I made some more changes to the code after comments, thanks btw.