
I'm trying to insert data into a database but for some reason the code doesn't work. Here is the form I'm using.

    <form id="registration" method="post" action="index.php" style="display: none;">
        <!-- "for" must match the input's id, so this label now points at r-username -->
        <label for="r-username" class="username">
            Username
        </label>
        <input type="text" name="r-username" id="r-username" placeholder="Username" required/>
        <label for="password">
            Password
        </label>
        <input type="password" name="password" id="password" placeholder="Password" required/>
        <label for="check_password" class="check_password">
            Password Check
        </label>
        <input type="password" name="check-password" id="check_password" placeholder="Password again" required/>
        <label for="e-mail">
            E-mail
        </label>
        <input type="email" name="e-mail" id="e-mail" placeholder="E-mail" required/>
        <label for="check-e-mail" class="check_email">
            E-mail Check
        </label>
        <input type="email" name="check-e-mail" id="check-e-mail" placeholder="E-mail again" required/>
        <input type="submit" name="submit" class="submit" value="Register"/>
    </form>

And here is the PHP code:

    if (isset($_POST['r-username'])) {
        $name      = $_POST['r-username'];
        $pass      = $_POST['password'];
        $passcheck = $_POST['check-password'];
        $mail      = $_POST['e-mail'];
        $mailcheck = $_POST['check-e-mail'];

        if ($name == '' || $pass == '' || $passcheck == '' || $mail == '' || $mailcheck == '') {
            echo "<script type='text/javascript'>alert('Field must be filled.');</script>";
        } elseif (strlen($pass) <= 6) {
            echo "<script type='text/javascript'>alert('Password is too short.');</script>";
        } elseif (strlen($pass) >= 20) {
            echo "<script type='text/javascript'>alert('Password is too long.');</script>";
        } elseif ($pass !== $passcheck) {
            echo "<script type='text/javascript'>alert('Passwords must be same.');</script>";
        } elseif ($mail !== $mailcheck) {
            echo "<script type='text/javascript'>alert('Emails must be same.');</script>";
        } else {
            $sql5 = 'INSERT INTO user(user_name,password,joined,user_email) VALUES(:username,:password,Now(),:email)';
            $query1 = $db->prepare($sql5);
            $result = $query1->execute(array(
                ":username" => $name,
                ":password" => $pass,
                ":email"    => $mail
            ));
            if ($result) {
                echo "<script type='text/javascript'>alert('Inserted.');</script>";
            } else {
                echo "<script type='text/javascript'>alert('ERROR.');</script>";
            }
        }
    }

The code runs but it doesn't do anything. It just reloads the page, echoes the message ERROR and inserts no data into the database. Sorry for my bad English and thanks for possible answers :).

NoSkilz

  • https://secure.php.net/manual/en/pdo.error-handling.php – gre_gor Jul 19 '16 at 18:07
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 19 '16 at 18:07
  • Allow users to use the [passwords / phrases](https://xkcd.com/936/) they desire. [Don't limit passwords.](http://jayblanchard.net/security_fail_passwords.html) – Jay Blanchard Jul 19 '16 at 18:08
  • Have you checked your error logs? You're making an assumption the query is working. – Jay Blanchard Jul 19 '16 at 18:09
  • Don't output fixed/USELESS error messages. If your query failed, it's for a reason: have the system TELL you that reason: `if(!$result) { die(print_r($db->errorInfo(), true)); }` – Marc B Jul 19 '16 at 18:10
  • Thanks for the answers and tips. It's working now :). – NoSkilz Jul 19 '16 at 18:41
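Pulling the comments together (let PDO report the real error, hash the password, don't cap its length, and don't escape or otherwise "clean" it before hashing), here is an added example that is not the asker's code: the same registration flow with PDO set to throw on failure and `password_hash()` in place of the plaintext password. It assumes the `pdo_sqlite` extension so it runs stand-alone from the CLI; against MySQL the PDO calls are identical and `NOW()` can replace the `date()` value. The function names (`connect`, `registerUser`, `checkLogin`), the table layout and the sample submission are made up for this example.

```php
<?php
// Added example, not the asker's code: the asker's prepared statement kept,
// with PDO errors surfaced as exceptions and the password hashed before storage.
// Uses an in-memory SQLite database so it runs stand-alone; the PDO calls are
// the same against MySQL.

declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Every failed query now throws instead of silently returning false, so a
    // failing INSERT is never reduced to a generic "ERROR" alert.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        id INTEGER PRIMARY KEY,
        user_name TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        joined TEXT NOT NULL,
        user_email TEXT NOT NULL
    )');
    return $db;
}

/**
 * Validate the submitted fields and insert the user.
 * Returns null on success or a message that is safe to show to the user.
 * Database errors propagate as PDOException; the caller logs them.
 */
function registerUser(PDO $db, array $post): ?string
{
    $name      = trim($post['r-username'] ?? '');
    $pass      = $post['password'] ?? '';
    $passcheck = $post['check-password'] ?? '';
    $mail      = trim($post['e-mail'] ?? '');
    $mailcheck = trim($post['check-e-mail'] ?? '');

    if ($name === '' || $pass === '' || $mail === '') {
        return 'Field must be filled.';
    }
    // A minimum length is reasonable; there is no maximum. bcrypt reads only the
    // first 72 bytes, so longer passphrases cost nothing extra to store.
    if (strlen($pass) < 8) {
        return 'Password is too short.';
    }
    if ($pass !== $passcheck) {
        return 'Passwords must be same.';
    }
    if ($mail !== $mailcheck) {
        return 'Emails must be same.';
    }
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return 'E-mail address is not valid.';
    }

    // Hash the raw password: no htmlentities(), no escaping, no trimming first.
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    // Placeholders carry the values separately from the SQL text, so nothing is
    // escaped and a name such as O'Brien is stored exactly as typed.
    $stmt = $db->prepare(
        'INSERT INTO user (user_name, password, joined, user_email)
         VALUES (:username, :password, :joined, :email)'
    );
    $stmt->execute([
        ':username' => $name,
        ':password' => $hash,
        ':joined'   => date('Y-m-d H:i:s'),  // MySQL would use NOW() here
        ':email'    => $mail,
    ]);
    return null;
}

/** Login-side check: compares against the stored hash, never a raw password. */
function checkLogin(PDO $db, string $name, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM user WHERE user_name = :username');
    $stmt->execute([':username' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password']);
}

$db = connect();
// Constructed sample submission standing in for $_POST.
$form = [
    'r-username'     => "O'Brien",
    'password'       => 'correct horse battery staple',
    'check-password' => 'correct horse battery staple',
    'e-mail'         => 'obrien@example.com',
    'check-e-mail'   => 'obrien@example.com',
];

try {
    $error = registerUser($db, $form);
    echo $error ?? 'Inserted.', PHP_EOL;
    echo checkLogin($db, "O'Brien", 'correct horse battery staple') ? 'login ok' : 'login failed', PHP_EOL;
    // Submitting the same username again violates the UNIQUE constraint; with
    // ERRMODE_EXCEPTION the real reason reaches the server log instead of "ERROR".
    registerUser($db, $form);
} catch (PDOException $e) {
    error_log('registration failed: ' . $e->getMessage());
    echo 'Registration failed; see server log.', PHP_EOL;
}
```

The second `registerUser()` call deliberately hits the UNIQUE constraint: the exception message (which names the constraint) goes to the log where the developer can read it, and the user only sees a generic failure. In the asker's version the same situation produces `ERROR.` with no way to tell a typo in the SQL from a constraint violation or a missing `$db` connection.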

1 Answer


You should use:

    // mysql_query() returns the query result; the stray ";)" inside the string and the
    // quoted 'Date()' (which would insert that literal text) are removed here.
    $sql5 = mysql_query("INSERT INTO `[database_name]`.`[table_name]` (user_name, password, joined, user_email) VALUES ('$name', '$pass', NOW(), '$mail')");

And you should also get the variables using this type of code, because people can type HTML code inside your form, so when you try to get it, it will execute that code. But if you use this method, all HTML tags like `<html>` will be translated. You can see more on it here. And here's the code for it.

    $name = stripslashes(mysql_real_escape_string(htmlentities($_POST['r-username'])));

Bye, Marko.

Maki325

  • Well, that's not a good idea. Going from prepared statements in a modern API to the old, outdated `mysql_` API which is about as secure as locking the door, when the windows are wide open. – Qirel Jul 19 '16 at 18:55
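To show why the answer's input-side cleaning is the wrong layer, here is an added example that is neither the answer's nor the asker's code: `htmlentities()` applied before hashing changes the password, so `password_verify()` fails for what the user actually typed, whereas storing the raw value and calling `htmlspecialchars()` only when rendering keeps the data intact and still displays the markup as text. `mysql_real_escape_string()` is left out because it needs a live connection from the `mysql` extension, which PHP 7 removed; the function names and inputs are constructed for the example.

```php
<?php
// Added example, not the answer's code: escape when rendering, never before
// hashing or storing. Function names and inputs are constructed for the demo.

declare(strict_types=1);

/** The answer's input-side transformation, minus mysql_real_escape_string(). */
function cleanLikeTheAnswer(string $value): string
{
    return stripslashes(htmlentities($value));
}

/** Where escaping belongs: at the point the stored value is written into HTML. */
function renderUsername(string $storedName): string
{
    return '<span class="user">'
        . htmlspecialchars($storedName, ENT_QUOTES, 'UTF-8')
        . '</span>';
}

/** True only if the stored hash was made from the password the user typed. */
function loginWorks(string $storedHash, string $typedPassword): bool
{
    return password_verify($typedPassword, $storedHash);
}

// Constructed registration input: the password contains characters that
// htmlentities() rewrites, the name contains markup.
$typedPassword = 'p@ss&word<1>';
$typedName     = '<b>Mallory</b>';

// 1. "Cleaning" first: the stored hash belongs to a different string than the
//    one the user knows, so the account is unusable from the first login attempt.
$hashOfCleaned = password_hash(cleanLikeTheAnswer($typedPassword), PASSWORD_DEFAULT);
echo 'login after cleaning: ', loginWorks($hashOfCleaned, $typedPassword) ? 'ok' : 'FAILS', PHP_EOL;

// 2. Hash the raw password and the same typed input verifies.
$hashOfRaw = password_hash($typedPassword, PASSWORD_DEFAULT);
echo 'login with raw hash:  ', loginWorks($hashOfRaw, $typedPassword) ? 'ok' : 'FAILS', PHP_EOL;

// 3. The name is stored as typed (a prepared statement needs no escaping) and
//    encoded only when rendered, so the tags appear as text instead of markup.
echo renderUsername($typedName), PHP_EOL;
```

The first line prints `FAILS` and the second `ok`: the only difference is whether the value was altered before `password_hash()`. The rendered name shows `&lt;b&gt;Mallory&lt;/b&gt;` inside the span, which is the browser-side protection the answer was reaching for, applied at the output boundary where it does not damage the stored data.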