0

I'm making a secret diary website for mysql practice. I've set up 4 columns to accept an id, email, password, and diary entry. The id is the primary key and auto increments whenever I use a query to insert the $_POST['email'] and $_POST['password']. I've successfully been able to add fake entries into the database so that isn't my issue. I'm following a video guide on how to do this and the instructor uses the method mysqli_real_escape_string() with the POST variable inside before inserting into the database and whenever I use it, only blank text is entered into my database. Whenever I don't use that method, my query writes to my db successfully. Can anyone explain why this is?

enter image description here

I've implemented checks prior to the following php code to add to my $error variable if the user doesn't fill in a field or enters incorrect email format.

if (!empty($error)) {
            $error = '<p><strong>There were error(s) in your sign-up:</strong></p>'.$error;
        } else {
                print_r($_POST);
                //$emailInput = mysqli_real_escape_string($_POST['email']);
                $emailInput = $_POST['email'];
                //$passwordInput = mysqli_real_escape_string($_POST['password']);
                $passwordInput = $_POST['password'];
                $query = "INSERT INTO `users` (`email`, `password`) VALUES ('$emailInput', '$passwordInput')";

                if($result = mysqli_query($link, $query)) {
                    echo "Sign Up Successful";
                } else {
                    $error .= "<p>Could not sign you up - please try again</p>";
                  }      
            }
}
Jay Blanchard
  • 32,731
  • 15
  • 70
  • 112
Talcicio
  • 65
  • 7
  • 2
    Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 17 '17 at 18:54
  • 2
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 17 '17 at 18:54
  • 1
    `mysqli_real_escape_string()` requires 2 arguments and you're only putting in one. – Jay Blanchard Apr 17 '17 at 18:55
  • I don't like to guess, and I bet you don't either when troubleshooting ;-) So why don't you save us all the time, and implement proper error-reporting, both for PHP in general (`error_reporting(E_ALL); ini_set("display_errors", 1);`) and for the query (`mysqli_error($link)`)? – Qirel Apr 17 '17 at 18:56
  • don't go live with this; your db and users info are at stake – Funk Forty Niner Apr 17 '17 at 18:56
  • Use password hash. Do not save plain text. Your script mustn't go live. It'll be hacked.Also on no account should you escape passwords. Don't!! – Rotimi Apr 17 '17 at 18:57
  • Uh.......@Akin? – Jay Blanchard Apr 17 '17 at 19:01
  • I was missing the first parameter for mysqli_real_escape_string(), silly mistake. And I definitely don't plan on going live. This is my 2nd project using a db so this is just me getting the basics down. Password security is next on my list. Thank you for the feedback! – Talcicio Apr 17 '17 at 19:03

0 Answers0