Amanda-Lee Posted May 3, 2012

Hey all

I really need help with a project I am doing. I need to create a website with a registration form that checks if the user exists if not to add the user details to my local database MySQL. My webpage looks like it should, it connects with the database but when I enter a new user it does nothing when it should save the new user to the database! I am guessing my problem is within the if...else section. Please help my code is:

```php
<?php
include('connect.php'); //connection details to database in a connect.php page

$name = "";
$surname = "";
$username = "";
$password = "";
$confirmp = "";
$errorMessage = "";
$num_rows = 0;

//if form was submitted
if ($_SERVER['REQUEST_METHOD'] == 'POST'){

    //get values from fields
    $submit = $_POST['Submit'];
    $title = $_POST['title'];
    $name = $_POST['name'];
    $surname = $_POST['surname'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    $confirmp = $_POST['confirmp'];

    //getting string lengths
    $nameLength = strlen($name);
    $surnameLength = strlen($surname);
    $usernameLength = strlen($username);
    $passwordLength = strlen($password);
    $confirmpLength = strlen($confirmp);

    //testing if strings are between certain numbers
    if ($nameLength > 1 && $nameLength <= 20) {
        $errorMessage = "";
    }
    else {
        $errorMessage = $errorMessage . "Name must be between 2 and 20 characters" . "<br>";
    }
    if ($surnameLength >= 2 && $surnameLength <= 50) {
        $errorMessage = "";
    }
    else {
        $errorMessage = $errorMessage . "Surname must be between 2 and 50 characters" . "<br>";
    }
    if ($usernameLength = 6) {
        $errorMessage = "";
    }
    else {
        $errorMessage = $errorMessage . "Username must be 6 characters long" . "<br>";
    }
    if ($passwordLength = 6) {
        $errorMessage = "";
    }
    else {
        $errorMessage = $errorMessage . "Password must be 6 characters long" . "<br>";
    }
    if ($confirmpLength = 6) {
        $errorMessage = "";
    }
    else {
        $errorMessage = $errorMessage . "Password must be 6 characters long" . "<br>";
    }

    if ($errorMessage == "") {
        $query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
        $result = mysql_query($query);
        $num_rows = mysql_num_rows($result);

        //check to see if the $result is true
        if ($num_rows = 1){
            $errorMessage = "Username already exists";
        }
        else {
            if($password == $confirmp){
                $query = "INSERT INTO user (title, name, surname, username, password) VALUES ('$title', '$name', '$surname', '$username', '$password')";
                $result = mysql_query($query);
                session_start();
                $_SESSION['login'] = "1";
                header ("Location: login.php");
            }
            else {
                $errorMessage = "Passwords do not match!";
            }
        }
    }
    else {
        $errorMessage = "Error Registering";
    }
}
else {
    $errorMessage = "Please enter your details";
}
?>
<html>
<head>
<title>Mia's Beauty Products</title>
</head>
<body>
<p><img src = "banner1.jpg" width = "975" height = "95" alt = "Mia's Beauty Product" /></p>
<br>
<p align= "center"><a href="register.php">Register</a> | <a href="login.php">Login</a> | <a href="insert.php">Insert</a> | <a href="list.php">List</a></p>
<form method = "post" action = "register.php">
<table>
<tr><td>Title:</td><td><select name = "title">
<option>Miss</option>
<option>Mrs</option>
<option>Mr</option>
</select></td></tr>
<tr><td>Name:</td><td><input name = "name" type = "text" value ="<?php print $name;?>"></td></tr>
<tr><td>Surname:</td><td><input name = "surname" type = "text" value ="<?php print $surname;?>"></td></tr>
<tr><td>Username:</td><td><input name = "username" type = "text" value ="<?php print $username;?>"></td></tr>
<tr><td>Password:</td><td><input name = "password" type = "password" value ="<?php print $password;?>"></td></tr>
<tr><td>Confirm Password:</td><td><input name = "confirmp" type = "password" value ="<?php print $confirmp;?>"></td></tr>
<tr><td><input type = "submit" name = "Submit" value = "Submit"></td></tr>
</table>
</form>
<p align= "center"><a href="code.txt">Code</a></p>
<br>
<?php print $errorMessage; ?>
<p><img src = "banner2.jpg" width = "975" height = "95" alt = "Mia's Beauty Product" /></p>
</body>
</html>
```

Thank you
Amanda

Jessica Posted May 3, 2012

Use code tags when you post here. Your form does no error checking on your queries. Also this part is going to cause problems for you in the future. Think about what you said you're trying to do here.

```php
$query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
$result = mysql_query($query);
$num_rows = mysql_num_rows($result);

//check to see if the $result is true
if ($num_rows = 1){
    $errorMessage = "Username already exists";
}
```

MMDE Posted May 3, 2012

> Use code tags when you post here. Your form does no error checking on your queries. Also this part is going to cause problems for you in the future. Think about what you said you're trying to do here.
>
> ```php
> $query = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
> $result = mysql_query($query);
> $num_rows = mysql_num_rows($result);
>
> //check to see if the $result is true
> if ($num_rows = 1){
>     $errorMessage = "Username already exists";
> }
> ```

I was about to say the exact same thing, but I was also going to say a lot of other things. I see she has used the code tag now, but the formatting seems a bit off.

You do a whole lot of checks on the data submitted by the user, you try to write an error message, but it only stores the last error. You could either have made the other checks dependent on the checks before it if you only want to save the last one, or you can make it save them all by using ".=" instead of "=" when "saving" the error messages.

Even with all those checks, you don't sanitize the input, and so your database is open for attacks.

Even though this: `if ($_SERVER['REQUEST_METHOD'] == 'POST'){` it doesn't mean the rest of the post data is set. Not even does it check if REQUEST_METHOD is set. You may want to turn on error report!

As mentioned above: `if ($num_rows = 1){` should be: `if ($num_rows == 1){`

You also don't hash or salt the password, that's really bad practice when you don't even sanitize input.

Amanda-Lee (Author) Posted May 3, 2012

Jesirose: Sorry for the code. Saw it was a mistake and tried to edit it before anyone saw it, my bad. I am new to PHP, and really can't see what I am doing wrong.

MMDE: It should really be basic. It is a project and I only have to fulfill the basic criteria.

Amanda-Lee (Author) Posted May 3, 2012

MMDE I changed the following: `if ($num_rows = 1){` to `if ($num_rows == 1){` and it worked thank you SO SO much! Now to do the rest! Slowly I am learning!

MMDE Posted May 3, 2012

> MMDE I changed the following: `if ($num_rows = 1){` to `if ($num_rows == 1){` and it worked thank you SO SO much! Now to do the rest! Slowly I am learning!

If you read my earlier post and fix the problems I pointed out for you, you will learn a lot more. Are you sure you fill all the requirements? I mean you surely don't create a very good error message, it only stores the last error. The script itself if ever used is very dangerous. It saves the passwords in plain text and anyone could get them. You also count on people filling out every field in the form.

Jessica Posted May 3, 2012

The $num_rows == 1 is only HALF the error. The comments say check if the username exists, but that's not what the code is doing.

MMDE Posted May 3, 2012

> The $num_rows == 1 is only HALF the error. The comments say check if the username exists, but that's not what the code is doing.

That is so true. It checks if the username/password combination exists!
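
An added example, not code from any poster in this thread: one way to write the registration step so that it covers the points raised above (errors accumulate, missing POST fields are tolerated, the lookup is on the username alone, values are bound as parameters, and the password is stored as a salted hash). It assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection so that it runs on its own; `register_user()` is a hypothetical helper and the sample submissions are constructed.

```php
<?php
// SQLite in memory stands in for the thread's MySQL database (assumption) so the
// script runs offline; the table and column names follow the original post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$pdo->exec('CREATE TABLE user (title, name, surname, username UNIQUE, password)');
// register_user() is a hypothetical helper; it returns every error it found.
function register_user(PDO $pdo, array $post): array
{
    $f = [];
    foreach (['title', 'name', 'surname', 'username', 'password', 'confirmp'] as $key) {
        // A POST request does not guarantee that each field was sent as a string.
        $f[$key] = (isset($post[$key]) && is_string($post[$key])) ? $post[$key] : '';
    }
    $errors = []; // appended to, so earlier messages are not overwritten
    if (strlen($f['name']) < 2 || strlen($f['name']) > 20) {
        $errors[] = 'Name must be between 2 and 20 characters';
    }
    if (strlen($f['surname']) < 2 || strlen($f['surname']) > 50) {
        $errors[] = 'Surname must be between 2 and 50 characters';
    }
    if (strlen($f['username']) !== 6) {
        $errors[] = 'Username must be 6 characters long';
    }
    if (strlen($f['password']) !== 6) {
        $errors[] = 'Password must be 6 characters long';
    }
    if ($f['password'] !== $f['confirmp']) {
        $errors[] = 'Passwords do not match!';
    }
    if ($errors) { return $errors; }
    // Look up the username alone, bound as a parameter rather than interpolated.
    $check = $pdo->prepare('SELECT COUNT(*) FROM user WHERE username = ?');
    $check->execute([$f['username']]);
    if ((int) $check->fetchColumn() > 0) { return ['Username already exists']; }
    $insert = $pdo->prepare('INSERT INTO user (title, name, surname, username, password)
                             VALUES (?, ?, ?, ?, ?)');
    $insert->execute([$f['title'], $f['name'], $f['surname'], $f['username'],
        password_hash($f['password'], PASSWORD_DEFAULT)]); // salted hash, not plain text
    return [];
}

// Constructed sample submissions.
$ok = ['title' => 'Miss', 'name' => 'Amanda', 'surname' => 'Lee',
       'username' => 'amanda', 'password' => 'secret', 'confirmp' => 'secret'];
print_r(register_user($pdo, $ok));                            // new user
print_r(register_user($pdo, $ok));                            // same username again
print_r(register_user($pdo, ['username' => "o'neil"] + $ok)); // quote stays data
print_r(register_user($pdo, ['name' => 'A']));                // missing fields
```

At login, the stored hash is checked with `password_verify()` after fetching the row by username. The `UNIQUE` constraint on `username` also makes the database reject a duplicate that slips in between the lookup and the insert.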