PHP code keeps inserting empty values into the database. - php

So I'm trying to create this form and every time I try to create a dummy user it creates an empty one in the database.
Here's the php code create.php:
<?php
session_start();
include ('connection.php');
$username = $_POST['usernamesignup'];
$email = $_POST['emailsignup'];
$password = $_POST['passwordsignup'];
mysql_query("INSERT INTO users (usernamesignup, passwordsignup, emailsignup)
VALUES ('$username', '$password', '$email')")or die (mysql_error());
header('Location: login.html');
mysql_close($db);
?>
And here's the part of the form Login.html:
<form action="create.php" autocomplete="on">
<h1> Sign up </h1>
<p><label for="usernamesignup" class="uname" data-icon="u">Your username</label>
<input id="usernamesignup" name="usernamesignup" required="required" type="text" placeholder="mysuperusername690" /></p>
<p><label for="emailsignup" class="youmail" data-icon="e" > Your email</label>
<input id="emailsignup" name="emailsignup" required="required" type="email" placeholder="mysupermail#mail.com"/></p>
<p><label for="passwordsignup" class="youpasswd" data-icon="p">Your password </label>
<input id="passwordsignup" name="passwordsignup" required="required" type="password" placeholder="eg. X8df!90EO"/></p>
<p><label for="passwordsignup_confirm" class="youpasswd" data-icon="p">Please confirm your password </label>
<input id="passwordsignup_confirm" name="passwordsignup_confirm" required="required" type="password" placeholder="eg. X8df!90EO"/></p>
<p class="signin button"><input type="submit" value="Sign up"/></p>
<p class="change_link">Already a member? Go and log in </p>
</form>
Any help would be greatly appreciated.
EDIT: The adding of method:"post" did the trick. Thank you very much to all of you for your fast response and the very valid advice on security and on how I should change to a more current form instead of what I used here.

You need to specify the form method to POST in your case. Try
<form action="create.php" autocomplete="on" method="POST">

You have to check that the values sent by your form are not null or an empty string. And please be very careful: your code is vulnerable to SQL injection, and hash your password in sha512 or something like that.
Have a look at this function: http://php.net/manual/en/function.empty.php
and try to add this to your form:
<form action="create.php" autocomplete="on" method="post">

try adding this to your form tag
method='post'

Default method for form is GET, and you're trying to get your values from POST, so they're empty...
You should do:
$password = $_GET['password'];
// etc.
Or, if you don't know:
$password = $_REQUEST['password'];
// etc.

1. I recommend you to use a mysqli class. I've used this one myself in smaller projects: https://github.com/ajillion/PHP-MySQLi-Database-Class
2. You're missing "form validation" in your code. This prevents empty and malicious form submits if you integrate validation properly into your forms and backend code.
3. A simple example of how to make sure data was entered in the specific fields, try this:
<?php
if (empty($_POST['usernamesignup']) || empty($_POST['...']))
{
echo 'Not all required data was submitted';
}
else
{
// Process the form, all data was received
}
4. Have you considered using a php framework? Try something like Codeigniter or Laravel if you want something more advanced and usable.

Please consider including <form action="create.php" autocomplete="on" method="POST">
Please, I beg you, don't store raw passwords in the database; just use an encryption method.
And use PDO instead of mysql_*
see here: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
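The advice in the answers above (reject empty input, use PDO with a prepared statement, never store the raw password) combined into one handler, as an added example that is not code from the question or from any answer. It assumes PDO with an in-memory SQLite database in place of the MySQL server, a constructed request body, and the hypothetical helper name `register_user()`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): validates the question's signup
// fields, hashes the password and inserts the row with a prepared statement.
// Returns a list of validation errors; an empty list means the row was stored.
function register_user(PDO $db, array $post): array
{
    $username = trim((string)($post['usernamesignup'] ?? ''));
    $email    = trim((string)($post['emailsignup'] ?? ''));
    $password = (string)($post['passwordsignup'] ?? '');
    $confirm  = (string)($post['passwordsignup_confirm'] ?? '');

    $errors = [];
    if ($username === '') {
        $errors[] = 'username is required';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    if ($password === '') {
        $errors[] = 'password is required';
    } elseif ($password !== $confirm) {
        $errors[] = 'passwords do not match';
    }
    if ($errors !== []) {
        return $errors; // an empty or malformed submit writes nothing
    }

    // Store a salted password_hash() value, never the raw password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO users (usernamesignup, passwordsignup, emailsignup)
         VALUES (:u, :p, :e)'
    );
    $stmt->execute([':u' => $username, ':p' => $hash, ':e' => $email]);
    return [];
}

// Constructed demo: in-memory SQLite stands in for the MySQL server (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (usernamesignup TEXT, passwordsignup TEXT, emailsignup TEXT)');

// 1) The original form was sent with GET, so $_POST arrived empty.
print_r(register_user($db, []));

// 2) Constructed POST body; the apostrophe would break the string-built query.
$post = [
    'usernamesignup'         => "O'Brien",
    'emailsignup'            => 'obrien@example.com',
    'passwordsignup'         => 'constructed-sample-pw',
    'passwordsignup_confirm' => 'constructed-sample-pw',
];
print_r(register_user($db, $post));
$row = $db->query('SELECT * FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['usernamesignup'], password_verify('constructed-sample-pw', $row['passwordsignup']));
```

In create.php the call would be `register_user($pdo, $_POST)` after checking that `$_SERVER['REQUEST_METHOD']` is `POST`, with the redirect sent only when the returned list is empty.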

Related

Html form for collecting emails don't work

I'm trying to build an email subscription form but it doesn't work for me. After clicking, it redirects to the next page but no data is inserted into the database. Also, it redirects after "Continue" even if the input values are blank.
Form in HTML:
<form action="https://www.next-page.com" method="post">
<input type="text" name="name" placeholder="Your name" id="name"/>
<input type="text" name="email" placeholder="E-mail" id="email"/>
<label for="tac">
<input type="checkbox" id="tac"/>
<span class="concheck">I have read and agree to the <a class="tac">terms and conditions</a></span>
<span class="please">Please, agree our terms and conditions</span>
</label>
<button class="continue" type="submit" name="submit"><span>+</span> Continue</button>
<button class="carga"><img src="img/loading.gif"/></button>
</form>
PHP in HTML:
<?php
require_once "db.php";
if(isset($_REQUEST['submit']))
{
mysqli_query($con, "INSERT INTO database (name, email) VALUES ('".$_POST["name"]."', '".$_POST["email"]."')");
$_POST["name"];
$_POST["email"];
header("Location: https://www.next-page.com");
}
?>
DB.php
<?php
$con = mysqli_connect("localhost","username","password","databasename");
mysqli_set_charset($con,"utf8");
?>
If you have these two pieces of code in one file, for example index.php, then you should remove https://www.next-page.com from action
<form action="/" method="post">
I think it should work.
And also there should be
if(isset($_POST['submit']))
action should go to the PHP that will validate, so create a new PHP script that will validate it; inside, put the method you want to use, $_GET or $_POST. If this doesn't work, please use PHP + name.php on CMD/terminal and post the error here. If you are trying to do this in the same page, you have to use .php on the file, and also remove the action from it.

html form, PHP insert data into database not working?

I have an HTML registration form. When I submit the form the PHP code appears and data is not inserted into the database. I made my database using phpMyAdmin; what should I do?
Here my PHP code:
<?php
$con=mysqli_connect('localhost','root','');
$db=mysqli_select_db($con,'research_sys');
if ($con) {
echo "good";
}else {
die('error');
}
if(isset($_POST['submit'])){
$Fname = mysqli_real_escape_string($con,$_POST["Fname"]);
$Lname = mysqli_real_escape_string($con,$_POST["Lname"]);
$email = mysqli_real_escape_string($con,$_POST['email']);
$password = mysqli_real_escape_string($con,$_POST['password']);
$sql = mysqli_query($con,"INSERT INTO `research_sys`.`researcher` (Re_fname,Re_lname,Re_mobile,Re_password) values ('$Fname','$Lname','$email','$password ')");
if (mysqli_query($sql)){
echo "insert";
} else {
echo "error" .$sql ."<br>". mysqli_error($con);
}
}
?>
here my registration HTML code
<form method="post" action="connect.php">
<legend class="center">Register </legend>
<br>
<div>
<input type="text" name="Fname" placeholder="First Name"/>
</div>
<div>
<input type="text" name="Lname" placeholder="Last Name"/>
</div>
<div>
<input type="text" name="email" placeholder="Email"/>
</div>
<div>
<input type="password" name="password" placeholder="Password"/>
</div>
<div>
<input type="password" name="con_password" placeholder="Password confirm"/>
</div>
<input type="submit" name="submit" value="submit"/>
</form>
Look at the following:
$sql = mysqli_query($con,"INSERT INTO `research_sys`.`researcher`
       ^^^^^^^^^^^^ function
(Re_fname,Re_lname,Re_mobile,Re_password)
values ('$Fname','$Lname','$email','$password ')");
                                             ^ space
if (mysqli_query($sql)){
    ^^^^^^^^^^^^ function
You're using that mysqli_query() function twice, remove one and just do:
if ($sql){...}
and mysqli_error($con) should have thrown you an error about it.
If it didn't throw an error, then that may suggest you're using this as file:/// as opposed to http://localhost.
Edit:
"i have html registration form when i submit the form the php code appears"
That's because of what I wrote above before quoting you. You need to run this off a webserver with php/mysql installed and running properly and as http://localhost.
Also, remove the space in this '$password '. That space counts as a character.
Double-check your column names also. There seems to be something that doesn't match (Re_fname,Re_lname,Re_mobile,Re_password) the Re_mobile and you're referencing an email '$email' in VALUES.
You also seem to store plain text passwords; don't, it's not safe if you intend on going live with this. Use password_hash() and a prepared statement.
Footnotes:
$con=mysqli_connect('localhost','root','');
$db=mysqli_select_db($con,'research_sys');
You can shorten that to using all 4 arguments in mysqli_connect():
$con=mysqli_connect('localhost','root', '', 'research_sys');

What do I do with form data after I have validated and sanitized it?

(I found this but still don't understand) {HTML form PHP post to self to validate or submit to new page}
I am sorry if this question is explained better in another place but I have been stuck for hours, have searched, and have just given up. I am going by the W3c website tutorial on how to validate, sanitize, and handle forms using PHP. All went well (At least I think it did) until it was time to do something with this data. I will show you the code now and further explain my position and problem after the code:
<form method="POST" name="signup" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<label for="first name"></label><input id="first name" name="first_name" placeholder="First Name" type="text" value="<?php echo $firstname;?>" /> <span class="error">* <?php echo $firstnameErr;?></span>
<label for="last_name"></label><input id="last name" name="last_name" placeholder="Last Name" type="text" value="<?php echo $lastname;?>" />
<span class="error">* <?php echo $lastnameErr;?></span>
<br><br>
<label for="email"></label><input id="email" name="email" placeholder="Email" type="text" value="<?php echo $email;?>" />
<span class="error">* <?php echo $emailErr;?></span>
<br /><br />
<label for="password"></label><input id="password" name="password" placeholder="Create Password" type="password" />
<span class="error">* <?php echo $passwordErr;?></span>
<br /><br />
<label for="male"><strong>Male</strong></label>
<input id="male" value="male" <?php if (isset($gender) && $gender=="male") echo "checked";?> name="gender" type="radio" />
<label for="female"><strong>Female</strong></label> <input id="female" value="female"
<?php if (isset($gender) && $gender=="female") echo "checked";?> name="gender" type="radio" />
<span class="error">* <?php echo $genderErr;?></span>
<br /><br />
<label for="submit">"I Agree To Terms And Conditions"</label> <input id="submit" value="Submit" type="submit" name="submit"/><br /><br />
<p><span class="error">* required field.</span></p>
<hr>
I am confused on many things. Should I keep the 'Form Action' as is, or should I change it to something like "welcome.php"? If I do change it to "welcome.php", do I still include the 'htmlspecialchars'? I am going to be using MySQLi. I am already able to connect to my database but how do I go about converting the user's data into viable information for the server? Do I just go ahead and use the variables that I created in this HTML form? I know I need to put some kind of variables into a query string and then make sure I exit it as well. I am sorry if I pissed some of you off but I am just needing help. I don't want negative points but if I can receive some answers then I can handle a few bad points. Thanks for your help and happy holidays.
Below is my "welcome.php." It is actually called something different but for this moment it is "welcome.php". Thanks again.
<?php
$hostname="social89.db";
$username="social89";
$password="P!!";
$dbname="social89";
$db_conx = mysqli_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
if(mysqli_connect_errno()){
echo mysqli_connect_error();
exit();
}
$select = mysqli_select_db($db_conx,$dbname);
$firstname= $_POST["first_name"];
$lastname= $_POST["last_name"];
$email= $_POST["email"];
$password= $_POST["password"];
$gender= $_POST["gender"];
mysqli_query($db_conx,"INSERT INTO users (firstname, lastname, email, password, gender)
VALUES ('$firstname', '$lastname', '$email', '$password', '$gender')");
mysqli_close($db_conx);
header("Location: ERASETHISprofile.php")
?>
Ooh, where to begin.
At the beginning I guess.
"Post to self" refers to having the same script that renders the form receive the form data. The form action points back at the same php script using the server variable $_SERVER['PHP_SELF'].
This means you can do something like:
<?php
if (!empty($_POST)) { // if $_POST isn't empty, the user submitted the form
// validate
if ($validationPassed) {
// insert to db
} else {
// tell the user they messed up
$error = 'Hey, you! Email address was incorrect.';
}
}
//
?>
<html> ...
<?php if (isset($error)) { echo $error; } ?>
// form
The above is really basic. You'll want to set errors for specific fields failing validation to give the user more of a clue as to what to correct.
htmlspecialchars() - Convert special characters to HTML entities
In short, if you trust the input string, you don't need it. So "welcome.php" that has been typed manually by yourself into the document, is trusted, and doesn't need to have special characters converted - there aren't any in the string. If that text came from a user it could contain, for example, <h2>Hello</h2>. Without the use of this function, your page may render that Hello inside the H2.
Recommended reading for the next part: How can I prevent SQL injection in PHP?
At the moment you are vulnerable, because you are taking data from the form and are not validating or sanitizing it. Obligatory XKCD comic: http://xkcd.com/327/. In addition to the risk of SQL injection there is the risk of junk data ending up in your DB.
Validation in PHP: filter_var examples: http://www.php.net/manual/en/filter.examples.validation.php

Sending form POST request to PHP

I want to send a couple of form fields as a POST request to my PHP page, but I can't get it to work. Here is my code:
PHP login.php
<?php
if(!ISSET($_POST["username"]) && !ISSET($_POST["password"])) {
include "login.html";
}
else {
echo "hi";
}
?>
HTML login.html
<form action="login.php" method="post">
<label for="username">Username</label><input type="text" id="username"/>
<label for="password">Password</label>Password<input type="password" id="password"/>
<input type="submit" value="Submit"/>
</form>
Can anyone spot my mistake?
Your inputs do not have names. The id is used for client-side referencing, but it is the (non-unique) name attribute that is used to determine the key for a value when the data is submitted. A form control cannot be successful (i.e. in the form data) without a name.
You haven't included the name attribute in your html input elements. name attribute is used when passing form information to the webserver. id is primarily used for javascript based manipulation.
Username<input type="text" name="username"/>
Password<input type="password" name="password"/>

How are input fields values passed to php

I have a database and a login form and want to write a php script that validates the login.
How is the types' data accessed and used?
For example, how do I access the input entered from the user in these elements.
<p><input type="text" name="login" value="" placeholder="Username or Email"></p>
<p><input type="password" name="password" value="" placeholder="Password"></p>
I want to use the login and password for validation. How can these be passed to a php script?
EDIT: I set the action to
<form method="post" action="loginVerification.php">
and when I enter the fields and submit the values, my OS wants to save the loginVerification.php. When I save it I don't get the echo.
I have this in the php file
<?php
echo $_POST['login'];
echo $_POST['password'];
How do I write the logs to a file in php, or is there a way to do runtime verification for php?
Edit 2:
<div class="container">
<section class="login">
<h1>Login</h1>
<form method="post" action="loginVerification.php">
<p><input type="text" name="login" value="" placeholder="Username or Email"></p>
<p><input type="password" name="password" value="" placeholder="Password"></p>
<p class="remember_me">
<label>
<input type="checkbox" name="remember_me" id="remember_me">
Remember me on this computer
</label>
</p>
<p class="submit"><input type="submit" name="commit" value="Login"></p>
</form>
</section>
<section class="login-help">
<p>Lost password? Click here to reset it.</p>
</section>
If your form method is post, these variables would be accessible through $_POST['login'] and $_POST['password'].
These fields should be part of a <form> element, such as the following:
<form method="POST" action="process.php">
<!-- input elements here -->
<input type="submit" />
</form>
Submitting the form will pass your data to your action location. In this case, to a script on the server called "process.php". Assuming your method is POST, from within process.php you could access your input fields via the $_POST global array:
<?php
// Show value of <input type="text" name="foo" />
echo $_POST['foo'];
?>
There are two ways to get the data from HTML forms :
POST
HTML form tag :
<form method="post" action="some.php">
<input type="text" name="username" size="20"/>
<input type="password" name="password" size="20"/>
</form>
To access the values of fields in some.php you can use the $_POST super global.
eg: $_POST['username']
GET
HTML form tag :
<form method="get" action="some.php">
<input type="text" name="username" size="20"/>
<input type="password" name="password" size="20"/>
</form>
To access the values of fields in some.php you can use the $_GET super global.
eg: $_GET['username']
Now to create a login system you need to create a database of username and password :
username | password
----------------------
abc | passcode!##
xyz | passco#$%^^
For signing-in you can use session to keep the user logged in across several pages (web application). In the login script check whether the user is valid by looking into the table and set some value for a session's variable using the $_SESSION super global. You can access that variable in any page of your web application, for that the session needs to be started in every page using :
session_start()
function. On each and every page, the session's variable must be checked for its value, if it is valid show the page else land the user to the login page.
Here you can find information on sessions : http://php.net/manual/en/ref.session.php
Form input values are passed via POST typically. From your PHP, you access those values using the $_POST superglobal like this:
$login = $_POST['login'];
$password = $_POST['password'];
The array key in the $_POST array is what you set name to in your HTML element like name="login".
When using this value, be aware that it comes straight from your user and should not be trusted. If you don't filter it prior to using it with database operations, you run the very real risk of becoming a victim of SQL injection leading to your site being compromised.
in your php file try this
echo $_REQUEST['login'];
echo $_REQUEST['password'];
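A login check for the username/password table and session flow described in the answers above, as an added example that is not code from any of the posts. Here the password column holds `password_hash()` output instead of the plain value; `verify_login()`, `start_user_session()`, the `id` column, the sample credentials and the in-memory SQLite database are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns the user's id on success, null on any failure.
function verify_login(PDO $db, string $login, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :l');
    $stmt->execute([':l' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash so both paths do
    // comparable work and the caller gets the same answer either way.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $hash = ($row === false) ? $dummy : $row['password'];

    $ok = password_verify($password, $hash);
    return ($ok && $row !== false) ? (int)$row['id'] : null;
}

// Hypothetical helper for the web handler: mark the session as logged in.
function start_user_session(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // fresh session id after authentication
    $_SESSION['user_id'] = $userId;
}

// Constructed demo data: in-memory SQLite, one user with a hashed password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['abc', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Correct password, wrong password, unknown user.
var_dump(verify_login($db, 'abc', 'constructed-sample-pw'));
var_dump(verify_login($db, 'abc', 'wrong-guess'));
var_dump(verify_login($db, 'nobody', 'constructed-sample-pw'));
```

In the request handler, pass `$_POST['login']` and `$_POST['password']` to `verify_login()` and call `start_user_session()` with the returned id before any output is sent; other pages then check `$_SESSION['user_id']` after `session_start()`.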
