
I am trying to insert form data using mysqli, PHP. The issue I am stuck with is that it inserts '?' as the form values in the table instead of what I am typing in the form. I know I am going wrong somewhere, but I am not able to figure it out.

My additional question is: is it safe to use mysqli statements like this to insert or select data from the database, since I guess $_POST becomes a threat for injection attacks? Is what I am writing here enough for now to prevent attacks, or do I need to add something more?

Any suggestions would be of great help.

Here is my code

index.php

<?php

        session_start();
        include('db.php');

?>

<!DOCTYPE html>
<html>

<head>

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta name="viewport" content="width=device-width,initial-scale=1" />
    <link rel="stylesheet" type="text/css" href="style.css"/>

</head>

<body>


<?php

    if(isset($_POST['login']) && $_POST['login'] == 'Login') {
        $loginEmail = $_POST['loginEmail'];
        $loginPassword = $_POST['loginPassword'];

        $query = $db->prepare("INSERT INTO dbname(password,email) VALUES ('?','?');");
        $query->bind_param("ss",$loginEmail,$loginPassword);
        $query->execute();

    }         
    ?>

        <div id="login">            
            <strong>Login</strong>

            <br/><br/>

            <form action = "<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
                <table style="width:500px">                        
                    <tr>
                        <td><input type="text" name="loginEmail" placeholder = "Email" required/><br/></td>
                    </tr>                    
                    <tr>
                        <td><input type="password"  name="loginPassword" placeholder = "Password" required/><br/></td>

                    </tr>
                </table>

                <input style="font-weight: bold; width: 70px; height: 25px; border-radius: 5px;" type="submit" name="login" value="Login"/>
            </form>
        </div>       
</body>    
</html>

db.php

<?php

        $host = 'host';
        $user = 'user';
        $password = 'password';
        $database = 'dbname';

        $db = new mysqli($host, $user, $password, $database);

        if($db->connect_errno > 0){
            die('Unable to connect to database ['.$db->connect_errno.']');
        }
?>
  • You have syntax errors in your prepared statement and are not checking for errors. Then you're using plain text for passwords. If you're live or intending to go live with this, don't. Use `password_hash()`. – Funk Forty Niner Apr 23 '16 at 13:32
  • You should not be storing plain text passwords on your database. See [password_hash()](http://php.net/manual/en/function.password-hash.php) and [password_verify()](http://php.net/manual/en/function.password-verify.php) – RiggsFolly Apr 23 '16 at 13:35
  • @fred : you mean password_hash($loginPassword)? – Bishwaroop Chakraborty Apr 23 '16 at 13:38
  • Consult the links that @RiggsFolly gave you. It's all in there ;-) you also have an upvoted answer below. (Peter's). – Funk Forty Niner Apr 23 '16 at 13:45
  • `$query->execute();` => `if(!$query->execute()){trigger_error("there was an error....".$db->error, E_USER_WARNING);}` and you'll see the syntax error, btw. @BishwaroopChakraborty Ref: http://php.net/manual/en/mysqli.error.php – Funk Forty Niner Apr 23 '16 at 13:49
  • @BishwaroopChakraborty You need to get in the habit of [accepting answers](http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) which help you to solve your issues. You'll earn points and others will be encouraged to help you. Otherwise, people will think your questions have not been solved. – Funk Forty Niner Apr 23 '16 at 13:52
  • ah, I am actually in the process of executing password_hash(). Wouldn't have taken that long, but will be accepting the answer soon :) – Bishwaroop Chakraborty Apr 23 '16 at 14:40

2 Answers


Use

$db->prepare("INSERT INTO users(password,email) VALUES (?, ?);");

Instead of

$db->prepare("INSERT INTO users(password,email) VALUES ('?','?');");

PS. Order is important: in your bind_param() you have email and password in the opposite order from your query.

Peter van der Wal
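Putting the thread's points together (unquoted placeholders, matching bind order, error reporting, and password_hash()/password_verify() instead of plain-text passwords), here is an added example that is not code from the question or from either answer. It assumes a `users` table with `email` and `password_hash` columns, that db.php provides a connected mysqli object in `$db` as in the question, and that the mysqlnd driver is available for `get_result()`.

```php
<?php
// Added example (not from the question or answers). Assumes db.php defines
// a connected mysqli object $db and that a table `users(email, password_hash)`
// exists. get_result() below requires the mysqlnd driver.
require 'db.php';

// Make mysqli throw on any failure, so a malformed statement or a wrong
// column name surfaces immediately instead of silently inserting nothing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function registerUser(mysqli $db, string $email, string $password): int
{
    // Placeholders are NOT quoted. The driver sends bound values separately
    // from the SQL text, so user input is never parsed as SQL; quoting '?'
    // would turn it into the literal string "?" (the bug in the question).
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');

    // Never store the plain password; store a salted hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Bind in the same order as the placeholders: email first, then hash.
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

function loginUser(mysqli $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // The password is passed through untouched (no trim/stripslashes) and
    // checked against the stored hash; the hash itself is never compared
    // with == and never leaves the server.
    return $row !== null && password_verify($password, $row['password_hash']);
}

if (isset($_POST['login']) && $_POST['login'] === 'Login') {
    $email    = trim($_POST['loginEmail'] ?? '');
    $password = $_POST['loginPassword'] ?? '';
    echo loginUser($db, $email, $password) ? 'Login OK' : 'Invalid credentials';
}
```

If `registerUser()` is called with the values from the form, the inserted row contains the real e-mail and a bcrypt hash rather than two "?" strings, and a bad column name or a mismatched bind order now throws a mysqli_sql_exception instead of failing quietly.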

Remove quotes in your INSERT query.

$query = $db->prepare("INSERT INTO dbname(password,email) VALUES (?,?);");

Also, I'd suggest you use functions like stripslashes() and trim().

Use:

$loginEmail    = trim(stripslashes($_POST['loginEmail']));
$loginPassword = stripslashes($_POST['loginPassword']);
Object Manipulator
  • `trim()` on a password? Plus, why even have two extra useless functions when using a prepared statement? – Funk Forty Niner Apr 23 '16 at 13:38
  • Good point! But trim can certainly be used. – Object Manipulator Apr 23 '16 at 13:40
  • See this Q&A on Stack http://stackoverflow.com/questions/36628418/cleansing-user-passwords you'll see what I meant. Plus, if a user has a \ in their passwords or user, then what you posted may fail. The password array should not be manipulated whatsoever. – Funk Forty Niner Apr 23 '16 at 13:41