-2

I took a look at this posted question: I am getting no errors but the data is not going into the database on wamp but I did use mysqli for my code.

Here is my code:

<?php
  include( "includes/header.php" );
error_reporting(E_ALL); ini_set('display_errors', '1');
  $register = $_POST['register'];
  //declaring variables needed for the registration form to prevent errors
  $fname = "";
  $lname = "";
  $uname = "";
  $email = "";
  $email2 = "";
  $password = "";
  $password2 = "";
  $signup_date = "";
  $username_check = ""; // check if username exists
  //assigning variables from the registration form
  $fname = strip_tags($_POST['fname']);
  $lname = strip_tags($_POST['lname']);
  $uname = strip_tags($_POST['uname']);
  $email = strip_tags($_POST['email']);
  $email2 = strip_tags($_POST['email2']);
  $password = strip_tags($_POST['password']);
  $password2 = strip_tags($_POST['password2']);
  $signup_date = date("Y-m-d");

  if ($register) {
    if ($email == $email2) {
      $username_check = mysqli_query("SELECT username FROM users WHERE username = '$uname'");
      $row = mysqli_num_rows($username_check);
      if ($row == 0) {
        if ($fname&&$lname&&$uname&&$email&&$email2&&$password&&$password2) {
          if ($password == $password2) {
            if (strlen($uname)>25||strlen($fname)>25||strlen($lname)>25) {
              echo "The maximum limit for username/first name/ last name is 25 characters!";
            } elseif (strlen($password)>30||strlen($password)<5) {
                echo "Your password must be between 5 and 30 characters long!";
            } else {
              $password = password_hash($password);
              $password2 = password_hash($password2);
              $query = mysqli_query('INSERT INTO users VALUES ("","$uname","$fname","$lname","$email","$password","$signup_date","0")');
              die("<h2>Welcome to HackerBits</h2>Login to your account to get started . . . ");
            }
          } else {
            echo "Your passwords don't match!";
          }
        } else {
          echo "Please fill in all of the fields.";
        }
      } else {
        echo "Username already taken . . . ";
      }
    } else {
      echo "Your emails don't match!";
    }
  }
?>

I know it is messy, I am new to php, only 1 week in. So like I said it goes to the die("<h2>Welcome to HackerBits</h2>Login to your account to get started . . . "); part of the code with no errors. Then when I go to my database the user is not in the table. Which means I can then go back to the registration form and put in the same values.

Sorry if this is a bad question, new to Stack Overflow, just tell me and I will fix it up :) I can also give you more info if needed. I am using MAMP by the way.

I connect to the database with the included script:

<?php
    $db = new mysqli('mysql:host=localhost;dbname=users_table', 'root', 'taken-out');
?>

Errors given:

Warning: mysqli_query() expects at least 2 parameters, 1 given in /Users/darceymckelvey/Desktop/php/social_network/index.php on line 27

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in /Users/darceymckelvey/Desktop/php/social_network/index.php on line 28

Warning: password_hash() expects at least 2 parameters, 1 given in /Users/darceymckelvey/Desktop/php/social_network/index.php on line 37

Warning: password_hash() expects at least 2 parameters, 1 given in /Users/darceymckelvey/Desktop/php/social_network/index.php on line 38

Warning: mysqli_query() expects at least 2 parameters, 1 given in /Users/darceymckelvey/Desktop/php/social_network/index.php on line 39

They are all warnings which I don't think are fatal because it still executes the code to display the login message.

I have tried these lines:

$username_check = mysqli_query($db, "SELECT username FROM users WHERE username = '$uname'");

but same warnings.

  • 1
    `$username_check = mysqli_query('SELECT` you never connected. RTM http://php.net/manual/en/mysqli.query.php – Funk Forty Niner May 02 '16 at 01:18
  • Where is the connection parameter for `mysqli_query`? – Thamilhan May 02 '16 at 01:18
  • I connected to the database though through the included script at the top – Darcey Mckelvey May 02 '16 at 01:19
  • [mysqli_query](http://php.net/manual/en/mysqli.query.php) expects two parameters – Thamilhan May 02 '16 at 01:19
  • 1
    word of advice, since you're hashing that password, you should NOT be manipulating it in any way. If a user enters valid characters that `strip_tags()` will "strip" away, they'll think that `mypassword` is what they entered (and being a valid password, I might add) and it will fail upon trying to log in. Do what you want, but you're going to get a reality check later on. – Funk Forty Niner May 02 '16 at 01:20
  • 1
    **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use manual escaping and string interpolation or concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/) if you ever forget to properly escape something. – tadman May 02 '16 at 01:21
  • *"I connect to the database with the included script: getMessage() . " "; die(); }"* - that's even worse. You're mixing MySQLi_ and PDO APIs. – Funk Forty Niner May 02 '16 at 01:22
  • I said I was new sorry, I changed that by the way and just did: ` $db = new mysqli('mysql:host=localhost;dbname=users_table', 'root', 'Anim8ors');` – Darcey Mckelvey May 02 '16 at 01:25
  • *"I took a look at this posted question: http://stackoverflow.com/questions/27445015/i-am-getting-no-errors-but-the-data-is-not-going-into-the-database-on-wamp but I did use mysqli for my code."* which is one I answered btw and is a working solution. – Funk Forty Niner May 02 '16 at 01:25
  • [*Refer back to comment #1 then...*](http://stackoverflow.com/questions/36973802/when-i-register-it-says-the-login-message-but-the-data-isnt-going-to-the-databa#comment61503160_36973802) – Funk Forty Niner May 02 '16 at 01:26
  • well I am still having an issue still and would like some further insight – Darcey Mckelvey May 02 '16 at 01:26
  • `'root', 'Anim8ors':` I hope this isn't your real root password... – Pedro Lobito May 02 '16 at 01:26
  • ...you have been given enough information, there isn't anything I can say or do here. – Funk Forty Niner May 02 '16 at 01:26
  • When you ask a question about an error, ***ALWAYS***, post the error log. To enable error reporting to your php code append `error_reporting(E_ALL); ini_set('display_errors', '1');` at the top of your script, what does it return ? – Pedro Lobito May 02 '16 at 01:31
  • @Fred-ii- I have fixed this line to what you have said in the other one now: `$username_check = mysqli_query("SELECT username FROM users WHERE username = '$uname'");` – Darcey Mckelvey May 02 '16 at 01:32
  • you've my answer below @DarceyMckelvey and I didn't include what I already said in comments. – Funk Forty Niner May 02 '16 at 01:57
  • You accepted my answer and now decided to accept the other. amidst all the help I've given you. wow. ok, whatever. – Funk Forty Niner May 02 '16 at 02:01
  • Actually I think you should accept @Fred-ii-'s answer, it's more comprehensive – Panda May 02 '16 at 02:02
  • @luweiqi don't worry about it. but thanks. – Funk Forty Niner May 02 '16 at 02:03
  • @Fred-ii- You're welcome :-) – Panda May 02 '16 at 02:03
  • Fred-ii- I didn't refresh when I accepted the answer so I did realize you posted an answer and to be honest it was a group effort :) I'm sorry :( EDIT: changed it on @luweiqi request – Darcey Mckelvey May 02 '16 at 02:04
  • It's ok Darcey. TBH, I didn't see @luweiqi 's answer when I was typing mine up as I was busy typing it all up and retrieving reference links. – Funk Forty Niner May 02 '16 at 02:07

3 Answers

3

Look at what you're using here:

$db = new mysqli('mysql:host=localhost;dbname=users_table', 'root', 'taken-out');

That isn't the syntax to connect with here using the MySQLi_ API, that is PDO syntax.

Those are two different animals altogether.

Read the manual

Example taken from it:

$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}

So, replace $mysqli with the variable you're using in your query, and pass the db connection to that mysqli_query() function, as I said from the get go.

This besides all the other comments I left in your question and won't retype nor paste, so go over them all again.

Plus, make sure all your POST arrays contain values. Your HTML form is unknown.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Then the rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

Yet, do read the following Q&A on Stack in regards to what I said about password manipulation:

And this one in Code review:

Funk Forty Niner
  • 1
    thank you, fred-ii- I have sorted out all the issues. @luweiqi helped lots. I will be sure to upvote both you guys when I can :) – Darcey Mckelvey May 02 '16 at 02:02
2

The connection parameter is required for mysqli_query:

mysqli_query($db, "SELECT username FROM users WHERE username = '$uname'");

Your DB connection is for PDO:

$db = new mysqli('mysql:host=localhost;dbname=users_table', 'root', 'taken-out');

You need to use mysqli_connect():

$db = new mysqli("localhost", "root", "taken-out", "users_table");

Also, you need to prevent SQL Injection using mysqli_real_escape_string():

$fname = mysqli_real_escape_string($db, $_POST['fname']);
$lname = mysqli_real_escape_string($db, $_POST['lname']);
$uname = mysqli_real_escape_string($db, $_POST['uname']);
Panda
1

Well, mysqli needs to receive the connection handler as first parameter for query:

mysqli_query($db, "SELECT username FROM users WHERE username = '$uname'");

And the password_hash needs a second parameter with the algorithm:

password_hash($password2, PASSWORD_DEFAULT); // Use default algorithm

I recommend using prepared statements in your queries; they are more secure.

  • still getting the warnings when I do: `mysqli_query($db, "SELECT username FROM users WHERE username = '$uname'"); ` Is it because I do not have access to $db? I included the file though? Thanks for the password_hash fix :) – Darcey Mckelvey May 02 '16 at 01:48
  • Your connection command is used for PDO connection, for mysqli the syntax is (in this case, you are using procedural methods): $db = mysqli_connect('your_db_host', 'your_user', 'your_password', 'datbase_name'); OR you can use OOP method: $db = new mysqli('your_db_host', 'your_user', 'your_password', 'datbase_name'); $query = $db->query('SELECT ... '); – Rodrigo Teixeira Andreotti May 02 '16 at 13:45
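
The fixes raised in the comments and answers above, combined into one handler as an added example that is not any poster's code: a four-argument mysqli connection, bound parameters instead of interpolated strings, an unmodified password passed to `password_hash()` with `PASSWORD_DEFAULT`, and a success message only after the insert has executed. The `register_user` helper, the column names other than `username`, and the connection values are assumptions.

```php
<?php
// Added example, not the poster's code. Column names other than `username`
// and the connection values are assumptions/placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw

function register_user(mysqli $db, array $in): string
{
    // Names are trimmed; the password is used exactly as typed (no strip_tags).
    $fname  = trim($in['fname'] ?? '');
    $lname  = trim($in['lname'] ?? '');
    $uname  = trim($in['uname'] ?? '');
    $email  = trim($in['email'] ?? '');
    $email2 = trim($in['email2'] ?? '');
    $pass   = $in['password'] ?? '';
    $pass2  = $in['password2'] ?? '';
    if (in_array('', [$fname, $lname, $uname, $email, $pass], true)) {
        return 'Please fill in all of the fields.';
    }
    if ($email !== $email2) return "Your emails don't match!";
    if ($pass !== $pass2)   return "Your passwords don't match!";
    if (max(strlen($uname), strlen($fname), strlen($lname)) > 25) {
        return 'The maximum limit for username/first name/last name is 25 characters!';
    }
    if (strlen($pass) > 30 || strlen($pass) < 5) {
        return 'Your password must be between 5 and 30 characters long!';
    }

    // User data is bound as parameters, never interpolated into the SQL text.
    $check = $db->prepare('SELECT username FROM users WHERE username = ?');
    $check->bind_param('s', $uname);
    $check->execute();
    $check->store_result();
    if ($check->num_rows > 0) return 'Username already taken.';

    $hash = password_hash($pass, PASSWORD_DEFAULT); // algorithm argument is required
    $date = date('Y-m-d');
    $ins  = $db->prepare(
        'INSERT INTO users (username, first_name, last_name, email, password, sign_up_date)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $ins->bind_param('ssssss', $uname, $fname, $lname, $email, $hash, $date);
    $ins->execute();
    // Report success only after the row was actually written.
    return $ins->affected_rows === 1 ? 'Registered.' : 'Registration failed.';
}
if (isset($_POST['register'])) {
    $db = new mysqli('localhost', 'db_user', 'db_password', 'users_table'); // placeholders
    echo htmlspecialchars(register_user($db, $_POST));
}
```

A UNIQUE index on `username` is still needed to close the gap between the existence check and the insert when two requests arrive at once.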