I'm trying to insert data which a user has filled out (register form) I am having issue, with it not inserting the data, and at the same time giving me NO error or reason why, I have checked my logs and everything, nothing seems to be wrong. But my query isn't executed.
/* IN THIS FUNCTION WE REGISTER THE USER, WE CREATE A SALT, INSERT THAT SALT KEY INTO SALTS TABLE, THEN GET THE ID AND USE THAT ID IN PASSYSTEM TABLE WHERE WE STORE THE PASSWORD AND THE SALT ID THE MEMBER DATA IS STORED IN MEMBERS TABLE*/
$data = $_POST;
print_r($data);
$salt = $this->gen_salt();
$password = hash('sha512', $salt.$data['password'].$salt, FALSE);
print $password;
$membersql = "INSERT INTO member (`firstname`,`lastname`,`email`,`gender`) VALUES (:firstname, :lastname, :email, :gender)";
$memberquery = $db->prepare($membersql);
$memberquery->bindParam(':firstname', $data['firstname'], PDO::PARAM_STR);
$memberquery->bindParam(':lastname', $data['lastname'], PDO::PARAM_STR);
$memberquery->bindParam(':email', $data['email'], PDO::PARAM_STR);
$memberquery->bindParam(':gender', $data['gender'], PDO::PARAM_STR);
$memberquery->execute();
Looks like something is wrong with bindparam.
Try it like this:
$membersql = "INSERT INTO member (firstname,lastname,email,gender) VALUES (?, ?, ?, ?)";
$memberquery->execute(array($data['firstname'], $data['lastname'], $data['email'], $data['gender']));
This should work correctly.
Related
This question already has an answer here:
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 1 year ago.
if ($stmt = $connection->prepare('INSERT INTO users (name, id, password, email, city, avatar, about, activation_code) VALUES (?, ?, ?, ?, ?, ?, ?, ?)')) {
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$uniqid = uniqid();
$stmt->bind_param('ssssssss', $_POST['name'], $_POST['id'], $password, $email, $_POST['city'], $_POST['avatar'], $_POST['about'], $uniqid);
$stmt->execute();
$stmt->store_result();
echo 'Account's created';
} else {
echo 'Error';
}
This part of code doesn't create user in myqsl db. But if I
This code:
$stmt->bind_param('ssssssss', $_POST['name'], $_POST['id'], $password, $email, $_POST['city'], $_POST['avatar'], $_POST['about'], $uniqid);
Replace with:
$stmt->bind_param('ssssssss', $_POST['name'], $_POST['id'], $email, $password, $_POST['city'], $_POST['avatar'], $_POST['about'], $uniqid);
It create user but in table in email there is password and in password - email.
How I can fix it???
You need to check out what the error reported by MySQL says.
Not having seen your table definition (you really should post that too), I can only guess that the password you use - the hash - being as it is a PK2DBF hash, is too long for the password field.
You probably reserved something like 64 chars for the email and, what do I know, 16 characters for the password. But the password hash is longer. So if you insert the password in the email column it fits, the other way it doesn't.
You should use something like VARCHAR(200) for the password column definition field.
check the sql datatypes of the email and password columns and their respective lengths, the hash generated is probably too long or the email column does not allow certain inputs.
It registers the user successfully. But when I check it on my database, all of the values are 0s. What's the problem?
here's the function code:
public function insertUser($email, $firstName, $lastName, $encryptedPassword, $salt)
{
//SQL language - command to insert data
$sql = "INSERT INTO users (email, firstName, lastName, password, salt) VALUES (email=?, firstName=?, lastName=?, password=?, salt=?)";
//preparing SQL for execution by checking the validity
$statement = $this->conn->prepare($sql);
//if error
if (!$statement)
{
throw new Exception(($statement->error));
}
//assigning variables instead of '?', after checking the preparation and validity of the SQL command
$statement->bind_param('sssss', $email, $firstName, $lastName, $encryptedPassword, $salt);
//result will store the status/result of the execution of SQL command
$result = $statement->execute();
return $result;
}
The parameters for the function get set with the correct values when called, I tested it
I'm pretty new to PHP. If i correct my function, it doesn't create a new user. It doesn't even print out anything in the browser window. Here's the piece of code that calls this one (maybe it helps you with finding the solution):
$result = $access->insertUser($email, $firstName, $lastName, $encryptedPassword, $salt);
//result is positive
if ($result)
{
//throw back the user details
$return['status'] = '200';
$return['message'] = 'Successfully registered';
$return['email'] = $email;
$return['firstName'] = $firstName;
$return['lastName'] = $lastName;
echo json_encode($return);
$access->disconnect();
}
Your query is wrong.
//columns are declared here
$sql = "INSERT INTO users (email, firstName, lastName, password, salt) VALUES (email=?, firstName=?, lastName=?, password=?, salt=?)";
//you do not need to declare your columns again
Simple change your query to
$sql = "INSERT INTO users (email, firstName, lastName, password, salt) VALUES (?, ?, ?, ?, ?)";
Also, it appears as though you are storing your password and the salt separately, that tells me you are rolling your own hashing algorithm, there isn't really a need for this. I would remove your salt column, and use password_hash() for your password column.
remove the column=?
$sql = "INSERT INTO users (email, firstName, lastName, password, salt) VALUES (?, ?, ?, ?, ?)";
the code
column=?
in your value assignment is evalued as boolean condition that return false (0)
I have a register, were people can register with their username, their email and a password. If this gets successfully transmitted to the database, this data will be inserted into a table called users. Now, I need the last ID from the just registered user for a second table that is called users_tokens, where I obviously want to save a token for every specific user. I've tried to solve this by using $mysql->insert_id; but that returns 0 in the table and I am also curious if this is a safe method since through my websites data gets inserted all the time.
My PHP Script:
$key = getToken(32);
$token = bin2hex(openssl_random_pseudo_bytes(64));
$stmt = $mysql->prepare("INSERT INTO users (name, email, password, verification_key, register_date) VALUES(?,?,?,?,?)");
$stmt->bind_param("sssss", $_POST["name"], $_POST["email"], md5($_POST["password"]), $key, $posted_on);
$lastid = $mysql->insert_id;
$u_token = $mysql->prepare("INSERT INTO users_tokens (uid, token) VALUES(?,?)");
$u_token->bind_param("ss", $lastid, $token);
Any suggestions?
You just need to execute your statement before retrieving insert_id, something like this
$stmt = $mysql->prepare("INSERT INTO users (name, email, password, verification_key, register_date) VALUES(?,?,?,?,?)");
$stmt->bind_param("sssss", $_POST["name"], $_POST["email"], md5($_POST["password"]), $key, $posted_on);
$stmt->execute(); //You should check for correct execution
$lastid = $mysql->insert_id;
This is my current statement. Everything was working fine until I added the key
Key is just a generated hash for the user to activate the account.
$stmt = $mysqli->prepare("INSERT INTO Account (accountUsername,accountPassword,accountEmail,accountActivate,accountKey) VALUES (?, ?, ?,?,?)");
$stmt->bind_param('sssiss', $username, $newPassword, $email,0,$key,time());
When I'm doing this code I'm getting an error.
Cannot pass parameter 5 by reference
Do you know what could be the issue?
Thanks!
Edit Code:
$stmt = $mysqli->prepare("INSERT INTO Account (accountUsername,accountPassword,accountEmail,accountActivate,accountKey,accountCreated) VALUES (?, ?, ?,?,?,?)");
$stmt->bind_param('sssisi', $username, $newPassword, $email,0,$key,$time);
http://i.stack.imgur.com/Th5tl.png
If you use bind_param that 0 needs to be in a variable since bind_param passes by reference.
$somevar=0;
$stmt = $mysqli->prepare("INSERT INTO Account (accountUsername,accountPassword,accountEmail,accountActivate,accountKey) VALUES (?, ?, ?, ?,?,?)");
$stmt->bind_param('sssiss', $username, $newPassword, $email,$somevar,$key,$time);
I just to need make sure I've got the PDO prepare statements correctly, will the following code be secured by SQL Injection?
$data['username'] = $username;
$data['password'] = $password;
$data['salt'] = $this->generate_salt();
$data['email'] = $email;
$sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created) VALUES (:username, :password, :salt, :email, NOW())");
$sth->execute($data);
Yes, your code is safe. It can be shortened however:
$data = array( $username, $password, $this->generate_salt(), $email );
// If you don't want to do anything with the returned value:
$this->db->prepare("
INSERT INTO `user` (username, password, salt, email, created)
VALUES (?, ?, ?, ?, NOW())
")->execute($data);
You could start with an empty array for your $data like
// start with an fresh array for data
$data = array();
// imagine your code here
Your code looks good so far.
EDIT: I missed your NOW() call. Imho you should add it with a bind variable as well, like
// bind date
$data['created'] = date("Y-m-d H:i:s");
// updated prepare statement
$sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created) VALUES (:username, :password, :salt, :email, :created)");