0

okay so i'm having a problem with my database. I'm trying to create a registration page, and everything works with no problem. I'm using xampp phpmyadmin, and everytime I hit the registration button after entering some info, nothing comes up in my database. 

<?php
session_start();

$db = mysqli_connect("localhost", "root", "", "saver",);


if (isset($_POST[ 'register_btn'])) {
session_start();
$username = mysql_real_escape_string($db,$POST['username']);
$email = mysql_real_escape_string($db,$POST['email']);
$password = mysql_real_escape_string($db,$POST['password']);
$password2 = mysql_real_escape_string($db,$POST['password2']);

if ($password == $password2) {
//create user
$password = md5($password); //hashes password before entering into database
$sql = "INSERT INTO users(username, email, password) VALUES('$username',     $email', $password,)"; 
mysqli_query($db, $sql);
$_SESSION['message'] = "You are now logged in";
$_SESSION['username'] = $username;
header("location: home.php"); // Redirect to home page
}else{
$_SESSION['message'] = "The two passwords do not match";
    }
}
?>

<html> 
<head>
<title> Submission form </title>
</head>

<body>
<form method="post" action="saver.php">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="username" class="textInput">
</tr>

<tr>
<td>Email:</td>
<td><input type="email" name="email" class="textInput">
</tr>

<tr>
<td>Password:</td>
<td><input type="password" name="password" class="textInput">
</tr>

<tr>
<td>Password again:</td>
<td><input type="password" name="password2" class="textInput">
</tr>

<tr>
<td></td>
<td><input type="submit" name="register_btn" value="Register">
</tr>
</table>
</form>
</body>
</html>
SudoKid
  • 439
  • 4
  • 14
Ryan R
  • 1
  • 3
  • You should provide the code so we can help. It would also be worth adding more relevant tags. What languages are you using? – SudoKid Jan 04 '17 at 00:40
  • Sure thing. okay I added it in, and I'm using php. I appreciate your help @EmettSpeer – Ryan R Jan 04 '17 at 01:50

2 Answers2

2

You can discover and solve all of the issues you are having by TURNING ON AND READING PHP ERROR LOGGING. Read How to do that.

Your problem is in these lines:

$db = mysqli_connect("localhost", "root", "", "saver",);

and

$username = mysql_real_escape_string($db,$POST['username']);

firstly, your $db has a left over comma at the end, remove it. This is causing a probably fatal PHP error you should be picking up with your error reporting.

Secondly, the $db object is a MySQLi identifier, NOT a MySQL identifier, but you've passed it to a MySQL_ function. Therefore the script will either cease on an error or the database will insert empty values. This is why you're not getting anything saved.

Also (as noted by Luke) the MySQL_ functions have an inverted argument order, so you probably simply forgot to add the i to the function name!


You have also not properly encased your values in MySQL -- each value will need to be wrapped in single quotes such as you have done with '$username' you need to do the same thing with $email and $arseword.

And you also need to remove the trailing commas from your MySQL VALUES collection too...

A few extra notes:

  • You're using both mysqli_ and mysql_ functions in you code. You should only be using MySQLi_ functions.
  • You should seriously consider (as in; DO THIS!!!) using Prepared Statements rather than procedural SQL.
  • MD5 is absolutely not suitable for hashing passwords. Stop it. Use password_hash.
  • header(Location:); relocation directives should be immediately followed by a script terminator such as exit; or die();
  • session_start() should only be called once at the top of the script.
  • Seriously, Use prepared statments. There are hundreds of good examples of them around.
  • And you will save yourself (and many folks on SO) hundreds of hours of stress by using and reading and reacting to PHP Error Logging!

EDIT:
As clarified by Luke:

The actual problem is mysql_real_escape_string accepts only one parameter (i.e. mysql_real_escape_string($POST['username']);). It can be used regardless of MySQLi being in use or not, but it should of course be avoided for using prepared statements instead.

Community
  • 1
  • 1
Martin
  • 19,815
  • 6
  • 53
  • 104
  • ohhh, Thank you so much for your time and help, I greatly appreciate it and will get to work on it and let you know what happened @martin – Ryan R Jan 04 '17 at 02:16
  • 1
    The actual problem is `mysql_real_escape_string` accepts only one parameter (i.e. `mysql_real_escape_string($POST['username']);`). It can be used regardless of MySQLi being in use or not, but it should of course be avoided for prep'd statements instead. Also Location header and exit - responding with *something* is usually a good idea, on the basis of the browser failing to redirect for whatever reason - the user would see nothing but a white screen. Also don't use hashing for verifying game scores ;) – Luke Briggs Jan 04 '17 at 02:39
  • Another also: Never have PHP's logging enabled on a production site. Make sure it saves to a file rather than accidentally leaking a bunch of information to the end user. – Luke Briggs Jan 04 '17 at 02:42
  • hey guys I did what you said, I added the "i" to the mysql, and it still doesnt work. Also, do I have to add an "id" in my database? – Ryan R Jan 07 '17 at 18:49
0

hey guys I found the problem. it was in the insert part. I had "users" in my editor, and I had "user_info" in my database. So I just changed "users", to "user_info". Thank you so much for your help guys. How can I give you credit?

Ryan R
  • 1
  • 3
  • Glad you found it. You can give credit by clicking the up arrow next to answers. It will also be useful if you mark your own anwsr (this answer) as the correct answer (with the tick) and this will close the question. Cheers. – Martin Jan 20 '17 at 15:17