
I have created a login and register screen using SQL as the database and PHP as the scripting language. The Java code on Android works perfectly, but when I input user information on the register screen and hit the register button, the data is not inserted into my database. So I am assuming that there is something wrong with my PHP files.

Below is my php file:

```php
<?php
require "connection.php";

$first_name = $_GET['first_name'];
$last_name = $_GET['last_name'];
$email = $_GET['email'];
$password = $_GET['password'];
$mobile_no = $_GET['mobile_no'];
$carplate_no = $_GET['carplate_no'];

if($first_name == '' || $last_name == '' || $email == '' || $password == ''
    || $mobile_no == '' || $carplate_no == '')
{
    echo 'Please fill all values';
}
else {
    $sql = "SELECT * FROM Users WHERE email='$email' OR password='$password'";
    $check = mysqli_fetch_array(mysqli_query($connection,$sql));
    if(isset($check)){
        echo 'email already exists';
    }
    else{
        $sqli="INSERT INTO Users (first_name,last_name,email,password,mobile_no,carplate_no) VALUES ('$first_name','$last_name','$email','$password','$mobile_no','$carplate_no')";
        // Note: this executes $sql (the SELECT above), not $sqli, so the INSERT is never sent.
        if(mysqli_query($connection,$sql)){
            echo 'Registered Successfully';
        }
        else {
            echo 'Oops...Try again';
        }
    }
    mysqli_close($connection);
}
?>
```
Tiffany
  • SQL injection is a thing in Java too? I'm sure it is – Dale Mar 20 '18 at 12:02
  • Your script is at risk of [SQL Injection Attack](//stackoverflow.com/questions/60174). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](//stackoverflow.com/questions/5741187) Use [prepared parameterized statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Mar 20 '18 at 12:02
  • **Never store plain text passwords!** Please use **[PHP's built-in functions](http://php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)**. Make sure you **[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde Mar 20 '18 at 12:02
  • You don't know what's wrong because you don't check for errors in your code. Never assume the code is always going to work flawlessly. Use [`mysqli_error()`](http://php.net/manual/en/mysqli.error.php) to get a detailed error message from the database. – John Conde Mar 20 '18 at 12:02
  • What error are you getting? – Serving Quarantine period Mar 20 '18 at 12:03
  • BTW: `WHERE email='$email' OR password='$password'` should change to `WHERE email='$email' AND password='$password'` – B001ᛦ Mar 20 '18 at 12:03

1 Answer

The line will always return TRUE as $check has already been initialized before the if condition below.

Change:

```php
if(isset($check)){
```

to

```php
if(is_array($check)){
```

The above checks if there is a record retrieved that matches the used email and password.

The query below should match both email AND password, not just either of them.

From

```php
$sql = "SELECT * FROM Users WHERE email='$email' OR password='$password'";
```

to

```php
$sql = "SELECT * FROM Users WHERE email='$email' AND password='$password'";
```
Karlo Kokkak
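The comments above recommend prepared statements, password_hash() and error checking; the following registration handler puts those together. It is an added example, not code from the question or the answer, and it assumes connection.php sets $connection to a mysqli link, as in the question.

```php
<?php
// Added example (not from the question or answer): registration with prepared
// statements and password_hash(). Assumes connection.php sets $connection (mysqli).
require "connection.php";

// Read from the POST body rather than the query string, so credentials do not
// land in access logs or browser history.
$fields = ['first_name', 'last_name', 'email', 'password', 'mobile_no', 'carplate_no'];
$in = [];
foreach ($fields as $f) {
    $raw = isset($_POST[$f]) ? $_POST[$f] : '';
    // Never trim or otherwise alter the password before hashing it.
    $in[$f] = ($f === 'password') ? $raw : trim($raw);
    if ($in[$f] === '') {
        echo 'Please fill all values';
        exit;
    }
}

// Duplicate check on email only; the password is never compared in SQL.
$stmt = mysqli_prepare($connection, "SELECT 1 FROM Users WHERE email = ? LIMIT 1");
mysqli_stmt_bind_param($stmt, 's', $in['email']);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$exists = mysqli_stmt_num_rows($stmt) > 0;
mysqli_stmt_close($stmt);
if ($exists) {
    echo 'email already exists';
    mysqli_close($connection);
    exit;
}

// Store a salted hash, never the plain-text password.
$hash = password_hash($in['password'], PASSWORD_DEFAULT);

$stmt = mysqli_prepare($connection,
    "INSERT INTO Users (first_name, last_name, email, password, mobile_no, carplate_no)
     VALUES (?, ?, ?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'ssssss', $in['first_name'], $in['last_name'],
    $in['email'], $hash, $in['mobile_no'], $in['carplate_no']);

if (mysqli_stmt_execute($stmt)) {
    echo 'Registered Successfully';
} else {
    // Keep the detailed driver error server-side; the client gets a generic message.
    error_log('Registration failed: ' . mysqli_stmt_error($stmt));
    echo 'Oops...Try again';
}
mysqli_stmt_close($stmt);
mysqli_close($connection);
```

The password column must be wide enough for password_hash() output (PHP's documentation recommends VARCHAR(255)), and the login script then checks the submitted password with password_verify() against the stored hash instead of comparing it in SQL.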