Having some trouble inputting user data from input fields into my MySQL table. Here's the code. Any help appreciated.

```php
    <form action="login.php" method="post">
        First Name: <input type="text" name="name" /> <br />
        Last Name: <input type="text" name="lName" /> <br />
        Email: <input type="email" name="email" /> <br />
        Username: <input type="text" name="uName" /> <br />
        Password: <input type="password" name="pw" /> <br />
        <input type="submit" name="register" />
    </form>
    <br>
    <form action="login.php">
        Already have an account?
        <input type="submit" value="Login Here" />
    </form>
</div>
<?php
if (isset($_POST["register"])){
    $name = $_POST["name"];
    $lName = $_POST["lName"];
    $email = $_POST["email"];
    $uName = $_POST["uName"];
    $pw = $_POST["pw"];

    $db = new mysqli($servername, $username, $password, $database, $dbport);
    $sql = "INSERT INTO users VALUES (null, $name, $lname, $email, $uName, $pw, null)";

    $result = mysqli_query($db, $sql);
}
?>
```
  • Your code is vulnerable to SQL injection attacks. You should use [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](http://php.net/manual/en/pdo.prepared-statements.php) prepared statements as described in [this post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Alex Howansky Apr 06 '17 at 20:52
  • (Free) Pro tip: Don't go live with this, until you use both a prepared statement and `password_hash()`. You **will** get hacked. – Funk Forty Niner Apr 06 '17 at 20:53
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 06 '17 at 20:55
  • This is still a very basic implementation; I'm very new to MySQL and am having trouble even getting the data into the database. Hashing and whatnot is next on the list. – Curtis Hohl Apr 06 '17 at 20:56
  • You should use single quotes around your variable name in the query, and I think you are ok after that – arif_suhail_123 Apr 06 '17 at 21:13
  • BTW, too late for me to answer as it's been marked as a dupe, but your variable name $lName is being inserted as $iname. This is likely the cause of your issues. – Harry Kitchener Apr 07 '17 at 12:17
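
The prepared-statement and `password_hash()` approach recommended in the comments, as an added example that is not the asker's code. It uses PDO (one of the two APIs the comments name) with in-memory SQLite standing in for MySQL so it runs without a server; the `users` column names and the `registerUser` function are assumptions, since the page does not show the table schema.

```php
<?php
declare(strict_types=1);

// Assumed schema: the page never shows the users table, so these column names are hypothetical.
const SCHEMA = 'CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    first_name TEXT NOT NULL,
    last_name TEXT NOT NULL,
    email TEXT NOT NULL,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
)';

function registerUser(PDO $db, array $post): int
{
    // Require every form field; the keys match the form's name="" attributes.
    foreach (['name', 'lName', 'email', 'uName', 'pw'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    // Hash the raw password; do not escape or trim it first.
    $hash = password_hash($post['pw'], PASSWORD_DEFAULT);
    // Named columns plus placeholders: values are bound, never spliced into the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO users (first_name, last_name, email, username, password_hash)
         VALUES (:first, :last, :email, :user, :hash)'
    );
    $stmt->execute([
        ':first' => $post['name'],
        ':last'  => $post['lName'],
        ':email' => $post['email'],
        ':user'  => $post['uName'],
        ':hash'  => $hash,
    ]);
    return (int) $db->lastInsertId();
}

// Constructed demo input; in-memory SQLite stands in for MySQL so this runs without a server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec(SCHEMA);
registerUser($db, ['name' => 'Pat', 'lName' => "O'Brien", 'email' => 'pat@example.com',
                   'uName' => 'pobrien', 'pw' => 'correct horse battery staple']);
$row = $db->query('SELECT last_name, password_hash FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['last_name'] === "O'Brien", password_verify('correct horse battery staple', $row['password_hash']));
```

Against MySQL only the PDO DSN and the `AUTOINCREMENT` keyword in the assumed schema change; the bound `INSERT` stays the same, and a value containing a quote such as `O'Brien` is stored as data rather than breaking the statement.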
