This works but How are the values of the variables being put into the db without retrieving them through the $_POST?
Is this something new in php5 or have I just never seen it used this way before?
<!doctype html>
<html>
<head>
<title></title>
</head
<body>
<form action="insert.php" method="post">
First Name: <input type="text" name="fname" /><br>
Last Name: <input type="text" name="lname" /><br>
Username: <input type="text" name="uname" /><br>
<input type="submit" name="submit" value="Register"/><br>
</form>
</body>
</html>
insert.php
<?php
$con=mysqli_connect("","","","");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql="INSERT INTO traders (fname, lname, username)
VALUES
('$fname','$lname','$uname')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added " ;
mysqli_close($con);
?>
because you use here register globals option in php which is now deprecated/removed in new versions of php (mainly because of security issues) which translates $_POST['fName'] into $fName
you should always use $_POST/$_GET instead
read more: http://php.net/manual/en/security.globals.php
No, this is called Register Global and is DEPRECATED long time ago, one should never use this !
When on, register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier.
For more information:
http://php.net/manual/en/security.globals.php
Related
My issue is when I go to this page to register (see picture below), the prompt "The email address...." appears right away even though I haven't typed anything yet. How do I remove that? Here's my code below.
<?php
$mysqli = mysqli_connect("localhost", "dbusername", "dbpassword", "dbtable");
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
} else {
$sql = "INSERT INTO tablename(firstname, lastname, email, password, age, gender, startdate) VALUES ('".$_POST["firstname"]."', '".$_POST["lastname"]."', '".$_POST["email"]."', PASSWORD('".$_POST["password"]."'), '".$_POST["age"]."', '".$_POST["gender"]."', now())";
$res = mysqli_query($mysqli, $sql);
if ($res === TRUE) {
echo "Your account '".$_POST["email"]."' has just been created. Thank you for joining us!<br/>";
echo "<br/>";
echo "<a href='userlogin.php'>Go to Login</a>";
} else {
echo "The email address '".$_POST["email"]."' is already in use, try again!";
}
mysqli_close($mysqli);
}
?>
<!DOCTYPE html>
<html>
<head>
<title>User Information</title>
<link rel="stylesheet" href="stylesheet.css">
</head>
<body>
<form method="post" action="">
<fieldset> <legend><h3> User Information </h3></legend>
<p><strong>First Name:</strong><br/>
<input type="text" name="firstname"/></p>
<p><strong>Last Name:</strong><br/>
<input type="text" name="lastname"/></p>
<p class="lowercase"><strong>Email:</strong><br/>
<input type="text" name="email"/></p>
<p><strong>Password:</strong><br/>
<input type="password" name="password"/></p>
<p><strong>Age:</strong><br/>
<input type="number" name="age"/></p>
<p><strong>Gender:</strong><br/>
<input type="radio" name="gender" value="male">Male
<input type="radio" name="gender" value="female">Female<br>
<p><input type="submit" name="submit" value="Create Account"/></p>
</fieldset>
</form>
</body>
</html>
The reason for this is your if/else logic.
The first if checks if the connection failed and if it didn't, it goes to the query and there most likely already exists a record, so it goes to the else showing that the record exists.
You need to first check if a record exists, then run the INSERT if it does not exist.
I need to state that your code is open to SQL injection. Use a prepared statement. Plus, don't store plain text passwords, use a safe hashing method.
Here are a few references for you to read:
SQL injection
Prepared statements
How to use password_hash
Check if a record exists:
check if row exists with mysql
Error checking that will serve you well:
Error reporting
MySQLi error
Edit:
You could also place your PHP before your HTML and check to see if the submit button was clicked and then if any inputs are not empty, run the PHP/Query.
Example:
if(isset($_POST['submit'])) {
// Run your code
} else {
// Do something else
}
I'm trying to create a registration page. The page is successfully connected to phpMyAdmin database but it does not echo anything when i click the register button.
<html>
<head>
</head>
<body>
<?php
INCLUDE "connect.php";
INCLUDE "functions.php";
INCLUDE "titlebar.php";
?>
<div id="loginform">
<h1>Register</h1>
<form name="Register" action="register.php" method="post">
<?php
if(isset($POST["submit"])){
$username = $_POST["username"];
$password = md5 ($_POST["password"]);
if(empty($username) or empty($password)){
echo "<p>Fields Empty!</p>";
} else {
mysql_query("INSERT INTO login VALUES('',$username','$password','2','')");
echo "<p>Successfully Registered!</p>";
}
}
?>
<p>
<label for="username">Username: </label>
<input type="text" name="username" id="username"/></p><p>
<label for="password">Password: </label>
<input type="password" name="password" id="password"/></p><p>
<input type="submit" name="submit" value="Register" />
</p>
</form>
</div>
</body>
The problem is with the post method.
use $_POST instead of $POST
You have mysql error
Not: $username'
but '$username'
And next time display mysql errors with mysql_error().
At the beginning, I am not sure what isset($_POST['submit'] should return, but as already mentioned in the comments you missed a single quote.
Additionaly i would use:
$password = password_hash($_POST['password'],
md5 is deprecated and thus not safe. If you write a login script you can use password_verify(plainPW, hashPW)
You also need to specify a database and login into it. I recommend to look at the W3 Schools examples they are very in-depth and have good examples.
W3 school mysqli page
also write a die() at the end of your script and do not foregt to close the connection.
In the following code, data from html form is not received by php variables. The code directly executes if-else statement without waiting for input.
<?php
if(mysql_connect("localhost","root","")==false)
{
die ("Connection Failed");
}
mysql_select_db("fb");
$id=$_POST["email"];
$pwd=$_POST["password"];
$sql=mysql_query("SELECT* FROM admin WHERE id='$id' AND pass='$pwd'");
if($sql)
{
die ("Login");
}
else
{
die ("Failed");
}
?>
<!DOCTYPE html>
<html lang='en'>
<head>
<meta charset="UTF-8" />
<title>
HTML Document Structure
</title>
<!--<link rel="stylesheet" type="text/css" href="style.css" />!-->
</head>
<body>
<form method="POST">
<h1>Welcome</h1>
<div class="inset">
<p>
<label for="email">Login</label>
<input type="text" name="email" id="email">
</p>
<p>
<label for="password">PASSWORD</label>
<input type="password" name="password" id="password">
</p>
</div>
<p class="p-container">
<span>Forgot password ?</span>
<input type="submit" name="Login" id="Login" value="Log in">
</p>
</form>
</body>
</html>
I know this code is vulnerable to SQL injection but who care if its an home assignment. :)
The code directly executes if-else statement without waiting for input.
The reason being is that you have your entire code (HTML/PHP/SQL) inside one file with no conditional statement to control it.
Using your submit button's name element with if(isset($_POST['Login'])) will fix that.
Another option would be to use two seperate files. One with your form and the other with the PHP/SQL and setting action="handler.php" for your form's action.
<form method="POST"> is equivalent to <form method="POST" action=""> (self).
<?php
if(mysql_connect("localhost","root","")==false)
{
die ("Connection Failed");
}
mysql_select_db("fb");
$id=$_POST["email"];
$pwd=$_POST["password"];
if(isset($_POST['Login'])){
$sql=mysql_query("SELECT * FROM admin WHERE id='$id' AND pass='$pwd'");
if($sql)
{
die ("Login");
}
else
{
die ("Failed");
}
} // brace for if(isset($_POST['submit']))
?>
The following links will help you later on.
For passwords, CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.
Plus, mysqli with prepared statements, or PDO with prepared statements.
Always use error reporting this will help you to debug code.
Plus, use or die(mysql_error()) to mysql_query() instead of just the way you have it now. It will signal the actual error, should there be any.
The code directly executes if-else statement without waiting for input.
Then tell it to do those action after input.
if($_POST) {
$id=$_POST["email"];
$pwd=$_POST["password"];
$sql=mysql_query("SELECT* FROM admin WHERE id='$id' AND pass='$pwd'");
if($sql)
{
die ("Login");
}
else
{
die ("Failed");
}
}
I know this code is vulnerable to SQL injection but who care if its an home assignment.
Never give up security just because of the nature of the project. You'll fall into a trap, and then it will bite you later on in life. Make sure you secure your application irregardless of the project.
I have a problem inserting information into a sql database.
The user needs to answer a question and submit that.
<!DOCTYPE html>
<html>
<head>
<title>Some title</title>
</head>
<body>
<form action="neg.php" method="post">
<b>Enter a title:</b><br /><input type="text" name"title" /><br />
<input type="submit" value="I !" />
</form>
</body>
</html>
The php page looks like this:
<?php
/* get all input*/
$connection = mysqli_connect("localhost","X","Y","Z") or die("Some error occurred during connection " . mysqli_error($connection));
$sql="INSERT INTO xyz (title)
VALUES
('$_POST[title]')";
if (!mysqli_query($connection,$sql))
{
die('Error: ' . mysqli_error($connection));
}
echo "1 record added";
?>
Can anyone please help me out here? I'm really stuck, tried a million things, but simply do not see what went wrong. I also do not get an error, so I'm unsure what the problem is. Can anyone please help me out here?
Thanks in advance!
EDIT
OP changed INSERT INTO dislike to INSERT INTO xyz from an edit after my submitting this answer, including changing value="I don't want to see this show ever again!" to value="I !"
Original answer from original question:
The reason why your query is not working is because the = is missing in name"title"
Change it to name="title"
You should also consider using prepared statements or PDO.
The method you're using now, is open to SQL injection
I've made it a bit more safer for you doing it the following way:
<?php
/* get all input*/
$connection = mysqli_connect("localhost","X","Y","Z") or die("Some error occurred during connection " . mysqli_error($connection));
$title=mysqli_real_escape_string($connection,$_POST['title']);
$sql="INSERT INTO dislike (title) VALUES ('$title')";
if (!mysqli_query($connection,$sql))
{
die('Error: ' . mysqli_error($connection));
}
echo "1 record added";
?>
HTML rewrite:
<!DOCTYPE html>
<html>
<head>
<title>Dislike series</title>
</head>
<body>
<form action="neg.php" method="post">
<b>Enter a title:</b><br /><input type="text" name="title" /><br />
<input type="submit" value="I don't want to see this show ever again!" />
</form>
</body>
</html>
Here are a few tutorials on prepared statements that you can study and try:
Tutorial one
Tutorial two
Tutorial three
Here are a few tutorials on PDO:
PDO tutorial one
PDO tutorial two
PDO tutorial three
My problem is that when I enter data into my html form and click submit, it calls my php file but it doesn't send the parameters.
I have even tried using working code to test it, and even the working code is not passing through variables. I am unsure as to why this is doing this, bad php install? No idea.
Here it is, if you want to see if it works at least for you. But I am not getting anything passed into my variables on my php file. Thanks for the help.
<html>
<head>
<title>Home</title>
</head>
<body>
<form method="get" action="reg.php">
Firstname: <input type="text" name="firstname">
Lastname: <input type="text" name="lastname">
Age: <input type="text" name="age">
<input type="submit" value="Submit">
</form>
</body>
</html>
And here is the php file:
<?php
echo $_SERVER['REQUEST_METHOD'];
if(isset($_GET['firstname'])){
$firstname = $_GET['firstname'];
}
else{
$firstname = 'null';
}
if(isset($_GET['lastname'])){
$lastname = $_GET['lastname'];
}
else{
$lastname = 'null';
}
if(isset($_GET['age'])){
$age = $_GET['age'];
}
else{
$age = 'null';
}
$con = mysqli_connect("127.0.0.1","root","", "my_db");
$sql="INSERT INTO persons (FirstName, LastName, Age)
VALUES
('$firstname','$lastname','$age')";
$result = mysqli_query($con, $sql);
if ($result)
{
echo "1 record added";
}
else{
echo "Did not work";
}
error_reporting(E_ALL);
mysqli_close($con);
?>
When I look at the error report, it says Undefined Index every time, for each piece of working code I tested. I tested 4 files of working code and neither worked but was proven they did. I am starting to think I have a bad php install or something deeper is the problem. Thanks again.
Three things:
I would recommend you to use POST instead of GET.
Give your input fields an id and it should work.
You need to sanitize your data before writing them into the database.