I have 4 inputs and they need to be filled. I made an isset test but it doesn't work. It is always showing true, but all inputs aren't filled and this php is for registering. Can you help me? Sorry for my bad English.
<?php
require('config.php');
Error_reporting(-1);
if (isset ($_POST['submit'])){
$username= $_POST['username'];
$iname= $_POST['iname'];
$email= $_POST['email'];
$pass= $_POST['pass'];
$pass1= $_POST['pass1'];
if (isset ($_POST['username']['iname']['email']['pass']['pass1'])){
/*$username= $_POST['username'];
$iname= $_POST['iname'];
$email= $_POST['email'];
$pass= $_POST['pass'];
$pass1= $_POST['pass1'];*/
if ($pass1 == $pass){
$username= mysqli_real_escape_string($link, $username);
$iname= mysqli_real_escape_string($link, $iname);
$email= mysqli_real_escape_string($link, $email);
$pass= mysqli_real_escape_string($link, $pass);
$pass1= mysqli_real_escape_string($link, $pass1);
$pass= md5($pass);
$check="SELECT username FROM users WHERE username = '$username'";
$rs = mysqli_query($link,$check);
$checker = mysqli_fetch_assoc($rs);
if ($checker['username'] == $username)
{
echo "Username is already taken";
exit();
}
$insert = "INSERT INTO `users` (`id`, `username`, `iname`, `email`, `pass`) VALUES (NULL, '$username', '$iname', '$email', '$pass')";
$query = mysqli_query ($link, $insert) or die("Query error");
//"INSERT INTO users ('id', 'username', 'iname', 'email', 'pass') VALUES ('NULL, '{$username}', '{$iname}', '{$email}', '{$pass}')"
}else{
echo "Passwords doesnt match";
}
}else{
echo "Fill all areas";
}
}else{
}
?>
I tested all answers in the comments, but none of them works! I don't understand why it doesn't work!
You can use this:
if (isset ($_POST['username'], $_POST['iname'], $_POST['email'], $_POST['pass'], $_POST['pass1'])){
//your code
}
this condition will return true only if all arguments to isset() are set and do not contain null.
Note: Instead of checking only for isset you should check this for empty also.
Like following:
if (isset ($_POST['username'], $_POST['iname'], $_POST['email'], $_POST['pass'], $_POST['pass1']) && !empty($_POST['username']. $_POST['iname']. $_POST['email']. $_POST['pass']. $_POST['pass1'])){
//your code
}
Try using
if (isset ($username, $iname, $email, $pass,$pass1))
instead...
require('config.php');
Error_reporting(-1);
if (isset ($_POST['submit'])){
$username= $_POST['username'];
$iname= $_POST['iname'];
$email= $_POST['email'];
$pass= $_POST['pass'];
$pass1= $_POST['pass1'];
if (!empty($username) and !empty($iname) and !empty($email) and !empty($pass) and !empty($pass1)){
if ($pass1 == $pass){
$username= mysqli_real_escape_string($link, $username);
$iname= mysqli_real_escape_string($link, $iname);
$email= mysqli_real_escape_string($link, $email);
$pass= mysqli_real_escape_string($link, $pass);
$pass1= mysqli_real_escape_string($link, $pass1);
$pass= md5($pass);
$check="SELECT username FROM users WHERE username = '$username'";
$rs = mysqli_query($link,$check);
$checker = mysqli_fetch_assoc($rs);
if ($checker['username'] == $username)
{
echo "Username is already taken";
exit();
}
$insert = "INSERT INTO `users` (`id`, `username`, `iname`, `email`, `pass`) VALUES (NULL, '$username', '$iname', '$email', '$pass')";
$query = mysqli_query ($link, $insert) or die("Query error");
//"INSERT INTO users ('id', 'username', 'iname', 'email', 'pass') VALUES ('NULL, '{$username}', '{$iname}', '{$email}', '{$pass}')"
}else{
echo "Passwords doesnt match";
}
}else{
echo "Fill all areas";
}
}else{
}
Best way to be sure is use it separately:
if(isset($_POST["username"]) and isset($_POST["email"]) and.... )
Related
This is my login verify. Im echoing everything for debugging
<?php
echo $email = $_POST['email'];
echo $password = $_POST['password'];
include 'conn.php';
$sql = $conn->prepare("SELECT id, password FROM user_info WHERE email=?");
$sql->bind_param('s',$email);
$sql->execute();
$result = $sql->get_result();
$row = $result->fetch_assoc();
$sql->close();
echo $hash = $row['password'];
if (password_verify($password, $hash)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
$conn->close();
?>
My SignUp page
<?php
include 'conn.php';
$name = $_POST['first_name']." ".$_POST['last_name'];
$email = $_POST['email'];
$password = $_POST['password'];
$gender = $_POST['gender'];
$password = password_hash($password, PASSWORD_DEFAULT);
$sql = $conn->prepare("INSERT INTO `user_info` (`email`, `name`, `password`, `gender`) VALUES (?, ?, ?, ?)");
$sql->bind_param('sssi', $email, $name, $password, $gender);
$sql->execute();
$sql->close();
$conn->close();
?>
Snapshot of my database
Every time it just outputs to password invalid.
<?php
session_start();
$username = "";
$email = "";
$db = mysqli_connect("localhost", "root", "", "authentication");
if (isset($_POST['register_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password = mysqli_real_escape_string($db, $_POST['password']);
$password2 = mysqli_real_escape_string($db, $_POST['password2']);
$user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) {
if ($user['username'] === $username) {
header("Refresh:0");
echo "usrname exists";
}
if ($user['email'] === $email) {
header("Refresh:0");
echo "error";
}
}
if ($password == $password2) {
$password = md5($password);
$sql = "INSERT INTO users
(username, email, password, name, street,
postcode, age , center)
VALUES('$username', '$email', '$password', '$name', '$street',
'$postcode', '$age', '$center')";
mysqli_query($db, $sql);
$_SESSION['message'] = "Account registered";
$_SESSION['username'] = $username;
header("location: login.php");
}else{
$_ERROR= "Something went wrong :/";
}
}
As shown above is some PHP code, the purpose here is to register a user then redirect them to the login page, however after multiple attempts of trying to use validation to see if an email or username already exists, after clicking the register button it still just records the registered details into the database names authentication (Users). I have put 'header ("Refresh") to test if it even reads through the if statement, It does not seem to.
I know md5 is insecure, and I will replace it.
Any advice on what I may have done wrong.
I have used snippets of code from here however I have attempted a few other solutions with no luck.
I know there are questions similar to this but their answers doesn't solve my problem.
My php is running without errors (at least not from the navigator), it even returns me the custom url I set at the end of my script ?register=success but it doesn't send the data to my database(local).
I really don't know what section of my code I should let here because, as I said at the begining, there are not errors from php in the navigator, so I just put all my main php (register.php).
<?php
if (isset($_POST["submit"])){
include_once "dbh_inc.php";
$first = mysqli_real_escape_string($conn, $_POST["first"]);
$last = mysqli_real_escape_string($conn, $_POST["last"]);
$nickname = mysqli_real_escape_string($conn, $_POST["nickname"]);
$password = mysqli_real_escape_string($conn, $_POST["password"]);
$email = mysqli_real_escape_string($conn, $_POST["email"]);
//Birthdate
$birthDay = mysqli_real_escape_string($conn, $_POST["birth-day"]);
$birthMonth = mysqli_real_escape_string($conn, $_POST["birth-month"]);
$birthAge = mysqli_real_escape_string($conn, $_POST["birth-age"]);
$birthDate = $birthDay."-".$birthMonth."-".$birthAge;
$speciality = mysqli_real_escape_string($conn, $_POST["speciality"]);
$gender = mysqli_real_escape_string($conn, $_POST["gender"]);
//Error handlers
//Check for empty fields
if (empty($first) || empty($last) || empty($email) || empty($last) || empty($last) || empty($last)) {
header("Location: ../register.php?register=empty");
exit();
}else{
//Check if input characters are valid
if(!preg_match("/^[a-zA-Z]*$/", $first) || !preg_match("/^[a-zA-Z]*$/", $last)){
header("Location: ../register.php?register=invalid");
exit();
}else{
//Check if email is valid
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
header("Location: ../register.php?register=email");
exit();
}else{
//Check if birthdate is valid
if (!checkdate ($birthMonth , $birthDay, $birthAge)) {
header("Location: ../register.php?register=date");
exit();
}else{
//Check if user exists
$sql = "SELECT * FROM users WHERE user_nickname='$nickname'";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
//Entering to the database to check if username exists
if ($resultCheck > 0) {
header("Location: ../register.php?register=usertaked");
exit();
}else{
//Hashing the password
$hashedPwd = password_hash($password, PASSWORD_DEFAULT);
//Insert user registration data into the database
$sql = "INSERT INTO users (user_first, user_last, user_nickname, user_password, user_email, user_birth_date, user_speciality, user_gender) VALUES ('$first', '$last', '$nickname', '$password', '$email', '$birthDate', '$speciality', '$gender')";
mysqli_query($conn, $sql);
header("Location: ../register.php?register=success");
exit();
}
}
}
}
}
}else{
header("Location: ../register.php");
exit();
}
And this is the php where I do the connection with the database (dbh_inc.php):
<?php
$dbServername = "localhost";//because there's running a local server
$dbUsername = "root";
$dbPassword = "";
$dbName = "login_system";
$conn = mysqli_connect($dbServername, $dbUsername, $dbPassword, $dbName) or die ("Conexion fallida");
I create a database to save my users information. But I can only see the content of password part, and I can't see other parts content like email, username, first name etc. I put here a screenshot and my php codes thank you all.
<?php
session_start();
$db = mysqli_connect("localhost", "", "", "register_user");
if (isset($_POST["submit"])) {
session_start();
$firstname = mysql_real_escape_string($_POST["firstname"]);
$lastname = mysql_real_escape_string($_POST["lastname"]);
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$password_2 = mysql_real_escape_string($_POST["password_2"]);
$email = mysql_real_escape_string($_POST["email"]);
$email_2 = mysql_real_escape_string($_POST["email_2"]);
if ($password == $password_2) {
$password = md5($password);
$sql = "INSERT INTO user_data(firstname, lastname, username, password, email) VALUES('$firstname', '$lastname', '$username', '$password', '$email')";
mysqli_query($db, $sql);
$_SESSION['message'] = "You logged successfully";
$_SESSION['username'] = $username;
header("location: index.html");
}else {
$_SESSION['message'] = "Passwords don't match";
}
}
?>
If you are using mysqli please use
mysqli_real_escape_string(connection,escapestring);
Hope it helps.
Plus you need not to start the session twice you can use it once
I have this validation code:
<?php
$con=mysql_connect("localhost","root","");
mysql_select_db("nnx",$con);
$tbl=mysql_query("SELECT * FROM tablename");
while($row=mysql_fetch_array($tbl))
{
$name=$_POST['name'];
$lname=$_POST['lname'];
$add=$_POST['add'];
$age=$_POST['age'];
$contact=$_POST['contact'];
$email=$_POST['email'];
$user=$_POST['user'];
$pass=$_POST['pass'];
if(($name!="")&&($lname!="")&&($add!="")&&($age!="")&&($contact!="")&& ($email!="")&&($user!="")&&($pass!=""))
{
if ($_POST['user']==$row['username'])
{
header("location: /register.php?codeErr2=1");
}
else
{
$value=mysql_query("INSERT INTO tablename(name, lastname, address, age, contact,email, username, password) VALUES ('".$_POST['name']."','".$_POST['lname']."','".$_POST['add']."','".$_POST['age']."','".$_POST['contact']."','".$_POST['email']."','".$_POST['user']."','".$_POST['pass']."')");
}
}
else
{
header("location: /register.php?codeErr=1");
}
}
This validation is for my registration form, If all the fields are filled up it will check if the username that the user enters is already on the database or not, else, it will get an error message. If the username is already on the database, an error message will be outputted else it will proceed to the next page and all values will be inserted on the database. The problem is that whenever I enter the username which was already on the database, it still accepts the username. I can't find anything wrong with my validation code. Can someone help me out what could be the possible problem here? Thank you in advance. :)
You should check for username and die after the redirect:
$tbl=mysql_query("SELECT * FROM tablename WHERE `username` = '".mysql_real_escape_string($_POST['user'])."'");
$row = mysql_fetch_assoc($tbl);
if ($_POST['user'] == $row['username']){
header("location: /register.php?codeErr2=1");
die;
}
You code is SQL injection vulnerable:
$con=mysql_connect("localhost","root","");
mysql_select_db("nnx",$con);
$tbl=mysql_query("SELECT * FROM tablename WHERE `username` = '".mysql_real_escape_string($_POST['user'])."'");
$row = mysql_fetch_assoc($tbl);
if ($_POST['user'] == $row['username']){
header("location: /register.php?codeErr2=1");
die;
}
$name= $_POST['name'];
$lname= $_POST['lname'];
$add = $_POST['add'];
$age = $_POST['age'];
$contact = $_POST['contact'];
$email = $_POST['email'];
$user = $_POST['user'];
$pass = $_POST['pass'];
if(($name!="") && ($lname!="") && ($add!="") && ($age!="") && ($contact!="") && ($email!="") && ($user!="") && ($pass!="")){
$value=mysql_query("INSERT INTO tablename(name, lastname, address, age, contact, email, username, password)
VALUES
('".mysql_real_escape_string($name)."','".mysql_real_escape_string($lname)."','".mysql_real_escape_string($add)."','".mysql_real_escape_string($age)."',
'".mysql_real_escape_string($contact)."','".mysql_real_escape_string($email)."','".mysql_real_escape_string($user)."',
'".mysql_real_escape_string($pass)."')");
} else {
header("location: /register.php?codeErr=1");
die;
}
As a side note you should move to PDO or MySQLi as mysql_* functions are deprecated.
Here is a nice tutorial and here is an example:
$db = new PDO('mysql:host=localhost;dbname=nnx;charset=UTF-8', 'root', '', array(PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION))
$stmt = $db->prepare("SELECT * FROM `tablename` WHERE `username` = :username");
$stmt->execute(array(':username' => $_POST['user']));
$row_count = $stmt->rowCount();
if($row_count){
header("location: /register.php?codeErr2=1");
die;
}
if(($name!="") && ($lname!="") && ($add!="") && ($age!="") && ($contact!="") && ($email!="") && ($user!="") && ($pass!="")){
$stmt = $db->prepare("INSERT INTO `tablename`(`name`, `lastname`, `address`, `age`, `contact`, `email`, `username`, `password`) VALUES (:name, :lname, :address, :age, :contact, :email, :username, :password)");
$stmt->execute(array(':name' => $_POST['name'], ':lname' => $_POST['lname'], ':address' => $_POST['add'], ':age' => $_POST['age'], ':contact' => $_POST['contact'], ':email' => $_POST['email'], ':username' => $_POST['user'], ':password' => $_POST['pass']));
} else {
header("location: /register.php?codeErr=1");
die;
}
This way your are sql injection free.
<?php
$con=mysql_connect("localhost","root","");
mysql_select_db("nnx",$con);
$name=$_POST['name'];
$lname=$_POST['lname'];
$add=$_POST['add'];
$age=$_POST['age'];
$contact=$_POST['contact'];
$email=$_POST['email'];
$user=$_POST['user'];
$pass=$_POST['pass'];
if(($name!="")&&($lname!="")&&($add!="")&&($age!="")&&($contact!="")&& ($email!="")&&($user!="")&&($pass!=""))
{
$tbl=mysql_query("SELECT * FROM tablename where username = '{$user}'");
$num_rows = mysql_num_rows($tbl);
if($num_rows > 0){
header("location: /register.php?codeErr2=1");
} else {
while($row=mysql_fetch_array($tbl))
{
$value=mysql_query("INSERT INTO tablename(name, lastname, address, age, contact,email, username, password) VALUES ('".$_POST['name']."','".$_POST['lname']."','".$_POST['add']."','".$_POST['age']."','".$_POST['contact']."','".$_POST['email']."','".$_POST['user']."','".$_POST['pass']."')");
}
}
} else {
header("location: /register.php?codeErr=1");
}
?>