I create a database to save my users information. But I can only see the content of password part, and I can't see other parts content like email, username, first name etc. I put here a screenshot and my php codes thank you all.
<?php
session_start();
$db = mysqli_connect("localhost", "", "", "register_user");
if (isset($_POST["submit"])) {
session_start();
$firstname = mysql_real_escape_string($_POST["firstname"]);
$lastname = mysql_real_escape_string($_POST["lastname"]);
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$password_2 = mysql_real_escape_string($_POST["password_2"]);
$email = mysql_real_escape_string($_POST["email"]);
$email_2 = mysql_real_escape_string($_POST["email_2"]);
if ($password == $password_2) {
$password = md5($password);
$sql = "INSERT INTO user_data(firstname, lastname, username, password, email) VALUES('$firstname', '$lastname', '$username', '$password', '$email')";
mysqli_query($db, $sql);
$_SESSION['message'] = "You logged successfully";
$_SESSION['username'] = $username;
header("location: index.html");
}else {
$_SESSION['message'] = "Passwords don't match";
}
}
?>
If you are using mysqli please use
mysqli_real_escape_string(connection,escapestring);
Hope it helps.
Plus you need not to start the session twice you can use it once
Related
<?php
session_start();
$username = "";
$email = "";
$db = mysqli_connect("localhost", "root", "", "authentication");
if (isset($_POST['register_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password = mysqli_real_escape_string($db, $_POST['password']);
$password2 = mysqli_real_escape_string($db, $_POST['password2']);
$user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) {
if ($user['username'] === $username) {
header("Refresh:0");
echo "usrname exists";
}
if ($user['email'] === $email) {
header("Refresh:0");
echo "error";
}
}
if ($password == $password2) {
$password = md5($password);
$sql = "INSERT INTO users
(username, email, password, name, street,
postcode, age , center)
VALUES('$username', '$email', '$password', '$name', '$street',
'$postcode', '$age', '$center')";
mysqli_query($db, $sql);
$_SESSION['message'] = "Account registered";
$_SESSION['username'] = $username;
header("location: login.php");
}else{
$_ERROR= "Something went wrong :/";
}
}
As shown above is some PHP code, the purpose here is to register a user then redirect them to the login page, however after multiple attempts of trying to use validation to see if an email or username already exists, after clicking the register button it still just records the registered details into the database names authentication (Users). I have put 'header ("Refresh") to test if it even reads through the if statement, It does not seem to.
I know md5 is insecure, and I will replace it.
Any advice on what I may have done wrong.
I have used snippets of code from here however I have attempted a few other solutions with no luck.
i cannot figure out why this will not redirect me or tell me any errors, it adds to the database but it does not redirect
<?php
ob_start();
$db = mysqli_connect("localhost", "root", "", "autentificare");
if (isset($_POST['register_btn'])){
session_start();
$username = mysql_real_escape_string($_POST['username']);
$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string($_POST['password']);
$passwordc = mysql_real_escape_string($_POST['passwordc']);
if ($password == $passwordc){
$password = md5($password);
$sql = "INSERT INTO users(username, email, password) VALUES('$username', '$email', '$password')" ;
mysqli_query($db, $sql);
$_SESSION['message'] = "Succesfully logged in";
$_SESSION['username'] = $username;
header( "location : home.php");
}else{
$_SESSION['message'] = "Passwords do not match";
}
}
ob_end_flush();
?>
You're sending the header, but then letting the script continue to process. Use this:
header( "location : home.php");
exit();
I'm trying to insert values from a register form to the database but I keep getting the message 'User Registration Failed', and I don't know why.
<?php
include("home.html");
require('connect.php');
if (isset($_POST['username']) && isset($_POST['password'])){
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$query = "INSERT INTO users (username, password, email) VALUES ('$username', '$password', '$email')";
$result = mysqli_query($connection, $query);
if($result)
{
$smsg = "User Created Successfully";
}
else
{
$fmsg ="User Registration Failed";
}
}
I have made a registration PHP file that runs through an authentication and connects to my database that I made in phpMyAdmin. The problem is, I can put in the same username without consequence and it adds to the database, so I could put; dogs as the username and then again put the same.
How can I make it so the user is told; that username already exists choose another one.
Here's my php so far;
Also please tell me where to insert it.
<?php
require('db.php');
// If form submitted, insert values into the database.
if (isset($_POST['username'])) {
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$username = stripslashes($username);
$username = mysql_real_escape_string($username);
$email = stripslashes($email);
$email = mysql_real_escape_string($email);
$password = stripslashes($password);
$password = mysql_real_escape_string($password);
$trn_date = date("Y-m-d H:i:s");
$query = "INSERT into `users` (username, password, email, trn_date) VALUES ('$username', '".md5($password)."', '$email', '$trn_date')";
$result = mysql_query($query);
if ($result) {
echo "<div class='form'><h3>You are registered successfully.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
}
} else {
?>
You should query the database before inserting any record (user) to users table.
Try the code below:
<?php
$username = mysql_real_escape_string( $username ); //Sql injection prevention
$existance = mysql_query("SELECT username FROM users WHERE username = '" . $username . "'");
if( !$existance ){
$query = "INSERT into `users` (username, password, email, trn_date) VALUES ('$username', '".md5($password)."', '$email', '$trn_date')";
$result = mysql_query( $query );
if ( $result ) {
echo "<div class='form'><h3>You are registered successfully.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
}
else{
//unsuccessful insertion
}
} else {
//the user existed already, choose another username
}
?>
Create an if-statement where you check if $username exists in the db. If it does, throw an error. If not, continue with the code.
Note
Your code is vulnerable to SQL-injection. Read this post: How can I prevent SQL injection in PHP?
Rewriting my entire answer to a working example. I'm going to assume your post variables are the same as mine: email, password, username
<?php
$errorMessage = "";
function quote_smart($value, $handle) {
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
if (!is_numeric($value)) {
$value = "'" . mysql_real_escape_string($value, $handle) . "'";
}
return $value;
}
$email = $_POST['email'];
$password = $_POST['password'];
$username = $_POST['username'];
$email1 = $_POST['email'];
$username1 = $_POST['username'];
$password1 = $_POST['password'];
$email = htmlspecialchars($email);
$password = htmlspecialchars($password);
$username = htmlspecialchars($username);
$connect = mysql_connect("localhost","DBuser", "DBpassword");
if (!$connect) {
die(mysql_error());
}
mysql_select_db("DBName");
$results = mysql_query("SELECT * FROM users WHERE username = '$username'");
while($row = mysql_fetch_array($results)) {
$kudots = $row['username']; }
if ($kudots != ""){
$errorMessage = "Username Already Taken";
$doNothing = 1;
}
$result = mysql_query("SELECT * FROM users WHERE email = '$email'");
while($row2 = mysql_fetch_array($results)) {
$kudots2 = $row2['email']; }
if ($kudots2 != ""){
$errorMessage = "Email Already in use";
$doNothing = 1;
}
//test to see if $errorMessage is blank
//if it is, then we can go ahead with the rest of the code
//if it's not, we can display the error
if ($errorMessage == "") {
$user_name = "DBUsername";
$pass_word = "DBPassword";
$database = "DBName";
$server = "localhost";
$db_handle = mysql_connect($server, $user_name, $pass_word);
$db_found = mysql_select_db($database, $db_handle);
if ($db_found) {
$email = quote_smart($email, $db_handle);
$password = quote_smart($password, $db_handle);
$username = quote_smart($username, $db_handle);
if ($username1 == ""){
$errorMessage = "You need a username";
}
if ($password1 == ""){
$errorMessage = $errorMessage . "<br>You need a password.";
}
if (!(isset($_POST['email']))){
$errorMessage = $errorMessage . "<br>You need an email.";
}
$SQL = "SELECT * FROM users WHERE email = $email";
$result = mysql_query($SQL);
$num_rows = mysql_num_rows($result);
if ($num_rows > 0) {
$errorMessage = "email already exists";
$doNothing = 1;
}
if ($errorMessage == "") {
$SQL = "INSERT INTO users (email, username, password) VALUES ($email, $username, $password)";
$result = mysql_query($SQL);
mysql_close($db_handle);
//=================================================================================
// START THE SESSION AND PUT SOMETHING INTO THE SESSION VARIABLE CALLED login
// SEND USER TO A DIFFERENT PAGE AFTER SIGN UP
//=================================================================================
session_start();
$_SESSION['email'] = "$email1";
$_SESSION['password'] = "$password1";
header ("Location: myaccount.php");
else {
$errorMessage = "Database Not Found";
}
}
OK, now echo $errorMessage right below or above the form, to inform the user that the Email, or Username is taken. I'm pretty sure I have a duplicate function in here for the Email, but this code does work; disregard if somebody says it's vulnerable to SQL injection; this is a working EXAMPLE! If you want to do MySQL real escape string, just Google it. I had to rewrite a couple things because I don't want my full code on a public board, if for some odd reason this doesn't work; send me an eMail(canadezo121#gmail.com) and I'll send you the full page code. (Which WORKS!) This code will probably raise some concerns with other more professional coders, this example gives you a good logical viewpoint of what goes on and how it works. You can adjust it to MySQLi, PDO, etc as you get more familiar with PHP and MySQL.
1 you must verify if the username all ready exists in database (Select)
2 if not exists after you can insert the new user
I have 4 inputs and they need to be filled. I made an isset test but it doesn't work. It is always showing true, but all inputs aren't filled and this php is for registering. Can you help me? Sorry for my bad English.
<?php
require('config.php');
Error_reporting(-1);
if (isset ($_POST['submit'])){
$username= $_POST['username'];
$iname= $_POST['iname'];
$email= $_POST['email'];
$pass= $_POST['pass'];
$pass1= $_POST['pass1'];
if (isset ($_POST['username']['iname']['email']['pass']['pass1'])){
/*$username= $_POST['username'];
$iname= $_POST['iname'];
$email= $_POST['email'];
$pass= $_POST['pass'];
$pass1= $_POST['pass1'];*/
if ($pass1 == $pass){
$username= mysqli_real_escape_string($link, $username);
$iname= mysqli_real_escape_string($link, $iname);
$email= mysqli_real_escape_string($link, $email);
$pass= mysqli_real_escape_string($link, $pass);
$pass1= mysqli_real_escape_string($link, $pass1);
$pass= md5($pass);
$check="SELECT username FROM users WHERE username = '$username'";
$rs = mysqli_query($link,$check);
$checker = mysqli_fetch_assoc($rs);
if ($checker['username'] == $username)
{
echo "Username is already taken";
exit();
}
$insert = "INSERT INTO `users` (`id`, `username`, `iname`, `email`, `pass`) VALUES (NULL, '$username', '$iname', '$email', '$pass')";
$query = mysqli_query ($link, $insert) or die("Query error");
//"INSERT INTO users ('id', 'username', 'iname', 'email', 'pass') VALUES ('NULL, '{$username}', '{$iname}', '{$email}', '{$pass}')"
}else{
echo "Passwords doesnt match";
}
}else{
echo "Fill all areas";
}
}else{
}
?>
I tested all answers in the comments, but none of them works! I don't understand why it doesn't work!
You can use this:
if (isset ($_POST['username'], $_POST['iname'], $_POST['email'], $_POST['pass'], $_POST['pass1'])){
//your code
}
this condition will return true only if all arguments to isset() are set and do not contain null.
Note: Instead of checking only for isset you should check this for empty also.
Like following:
if (isset ($_POST['username'], $_POST['iname'], $_POST['email'], $_POST['pass'], $_POST['pass1']) && !empty($_POST['username']. $_POST['iname']. $_POST['email']. $_POST['pass']. $_POST['pass1'])){
//your code
}
Try using
if (isset ($username, $iname, $email, $pass,$pass1))
instead...
require('config.php');
Error_reporting(-1);
if (isset ($_POST['submit'])){
$username= $_POST['username'];
$iname= $_POST['iname'];
$email= $_POST['email'];
$pass= $_POST['pass'];
$pass1= $_POST['pass1'];
if (!empty($username) and !empty($iname) and !empty($email) and !empty($pass) and !empty($pass1)){
if ($pass1 == $pass){
$username= mysqli_real_escape_string($link, $username);
$iname= mysqli_real_escape_string($link, $iname);
$email= mysqli_real_escape_string($link, $email);
$pass= mysqli_real_escape_string($link, $pass);
$pass1= mysqli_real_escape_string($link, $pass1);
$pass= md5($pass);
$check="SELECT username FROM users WHERE username = '$username'";
$rs = mysqli_query($link,$check);
$checker = mysqli_fetch_assoc($rs);
if ($checker['username'] == $username)
{
echo "Username is already taken";
exit();
}
$insert = "INSERT INTO `users` (`id`, `username`, `iname`, `email`, `pass`) VALUES (NULL, '$username', '$iname', '$email', '$pass')";
$query = mysqli_query ($link, $insert) or die("Query error");
//"INSERT INTO users ('id', 'username', 'iname', 'email', 'pass') VALUES ('NULL, '{$username}', '{$iname}', '{$email}', '{$pass}')"
}else{
echo "Passwords doesnt match";
}
}else{
echo "Fill all areas";
}
}else{
}
Best way to be sure is use it separately:
if(isset($_POST["username"]) and isset($_POST["email"]) and.... )