0

I have (as my first project) decided to make a simple login / logout project. This is what I've done so far and it works wonders, but every time you visit the page it registers with an empty username and pass and only then can you register, the pass is obviously empty but I can't seem to be able to make use of empty(); Any ideas?

<html>
    <head>
    <title>Quick Register</title>
</head>
<body>
<form action="/register.php" method = "post">

        <b>Quick.</b>
        <p>USERNAME</p>
        <input type="text" name="usernameInput" size="30">
        <p>PASSWORD</p>
        <input type="password" name="passwordInput" size="30">       
        <p><input type='submit' name='submit' value = "Send"></p>
</form>
<?php
if (isset($_POST['submit']))
{
  $date_missing = array();
  if (empty($_POST['usernameInput']))
  {
    $data_missing[] = "Username";
  }
  else
  {
    $username = trim($POST['usernameInput']);
  }

  if (empty($_POST['passwordInput']))
  {
    $data_missing[] = "Password";
  }
  else
  {
    $password = trim($POST['passwordInput']);
  }

  if (empty($data_missing))
  {
    require_once ("config.php");
    if(empty($password)!=0)
    {
    $query = "INSERT INTO users (username, password,created_at) VALUES(?, ?,NOW());";
    $stmt = mysqli_prepare($link, $query);
    mysqli_stmt_bind_param($stmt, "ss", $username, $password);
    mysqli_stmt_execute($stmt);
    $affected_rows = mysqli_stmt_affected_rows($stmt);
    }
    if ($affected_rows && empty($password)<>0)
    {
      echo ($password."Regee");
      mysqli_stmt_close($stmt);
      mysqli_close($link);
    }
  }
  else
  {
      echo "Nu ma lasa gol boss";
      foreach($data_missing as $missing)
              echo($missing);

  }
}
?>


</body>
</html>
Mattia Marziali
  • 99
  • 1
  • 1
  • 7
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 05 '18 at 19:24
  • Thank you very much for that, I am aware of that (except for the trimming thing, thank you on that one), but what is the error in my code? – Mattia Marziali Feb 05 '18 at 19:26
  • Because `$data_missing` is empty, the code runs because that check is not inside the check for `$_POST['submit']` – Jay Blanchard Feb 05 '18 at 19:27
  • If you're aware of that then why didn't you code for that? – Jay Blanchard Feb 05 '18 at 19:28
  • Don't trim passwords; a space is a character as well. – Xorifelse Feb 05 '18 at 19:40

2 Answers

-1

You have lots of errors in your code. You really should indent properly which will help you catch them.

<html>
<head>
    <title>Quick Register</title>
</head>
<body>
<form action="/register.php" method="post">

    <b>Quick.</b>
    <p>USERNAME</p>
    <input type="text" name="usernameInput" size="30">
    <p>PASSWORD</p>
    <input type="password" name="passwordInput" size="30">
    <p><input type='submit' name='submit' value="Send"></p>
</form>
<?php
if (isset($_POST['submit'])) {

    // You had a spelling error here. You defined $datE_missing
    $data_missing = array();

    if (empty($_POST['usernameInput'])) {
        $data_missing[] = "Username";
    } else {
        // You had syntax error on $_POST
        $username = trim($_POST['usernameInput']);
    }

    if (empty($_POST['passwordInput'])) {
        $data_missing[] = "Password";
    } else {
        // You had syntax error on $_POST
        $password = trim($_POST['passwordInput']);
    }

    if (empty($data_missing)) {
        require_once("config.php");
        // Empty returns a boolean not an integer
        if (!empty($password)) {
            // Didn't check SQL logic here but you seem to be OK with that.
            $query = "INSERT INTO users (username, password,created_at) VALUES(?, ?,NOW());";
            $stmt = mysqli_prepare($link, $query);
            mysqli_stmt_bind_param($stmt, "ss", $username, $password);
            mysqli_stmt_execute($stmt);

            // You are defining $affected_rows here and also trying to use it the next IF statement. 
            // What happens if $affected_rows isn't set here? It will blow up in the next statement.
            // You need to change that. I have commented it out for now so that the rest of the code is OK.   
            $affected_rows = mysqli_stmt_affected_rows($stmt);
        }

        // empty is a boolean so empty($password) <> 0 is better written as empty($password) === true
        // Also, you don't really need to worry about closing connections. The env. will handle that for you. 
//        if ($affected_rows && empty($password) === true) {
//            echo($password . "Regee");
//
//            // You really don't need to close connections here in a web app. Let the env. handle that for you.
//            mysqli_stmt_close($stmt);
//            mysqli_close($link);
//        }
    } else {
        echo "Nu ma lasa gol boss";
        foreach ($data_missing as $missing)
            echo($missing);

    }
}

EDIT #2

Here is the way I'd structure my code to make it a bit cleaner.

<?php
// Move the form processing up here so that you can show validation errors above the form.

// Make this variable available right away.
$validationErrors = [];

if (isset($_POST['submit'])) {

    // Do validation first.
    $username = trim($_POST['usernameInput']);
    $password = $_POST['passwordInput'];

    if (empty($username)) {
        $validationErrors['username'] = 'You must enter a username';
    }

    if (empty($password)) {
        $validationErrors['password'] = 'You must enter a password';
    }

    if (empty($validationErrors)) {
        // Insert row into DB here. 
    } 
}
?>

<html>
<head>
    <title>Quick Register</title>
</head>
<body>

<?php
// Output validation errors here. 
if (!empty($validationErrors)) {
    foreach ($validationErrors as $error) {
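        // Single quotes do not interpolate variables, so concatenate and escape on output.
        echo '<div style="">' . htmlspecialchars($error) . '</div>';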
    }
}
?>
<form action="/register.php" method="post">

    <b>Quick.</b>
    <p>USERNAME</p>
    <input type="text" name="usernameInput" size="30">
    <p>PASSWORD</p>
    <input type="password" name="passwordInput" size="30">
    <p><input type='submit' name='submit' value="Send"></p>
</form>
waterloomatt
  • 3,444
  • 1
  • 18
  • 24
  • That's not what causes the failure. – Jay Blanchard Feb 05 '18 at 19:29
  • OP did ask about a failure; they asked why it `registers with an empty usename and pass`. – waterloomatt Feb 05 '18 at 19:31
  • The tutorial I watched said that after using $_POST I can use $POST for quicker responses – Mattia Marziali Feb 05 '18 at 19:32
  • Which tutorial said that? – waterloomatt Feb 05 '18 at 19:32
  • "but everytime you visit the page it registers with an empty usename and pass " which means code runs every time you visit the page - adding a blank username and password. OP doesn't want the code to run every time you visit the page. – Jay Blanchard Feb 05 '18 at 19:32
  • https://www.youtube.com/watch?v=mpQts3ezPVg also, fun thing, tmcior.tk/register.php is where my code is seen in action. – Mattia Marziali Feb 05 '18 at 19:33
  • @JayBlanchard - fair enough. I will update my answer with some code to help OP out. – waterloomatt Feb 05 '18 at 19:36
  • nvm, I misunderstood the tutorial, but still what is the issue? – Mattia Marziali Feb 05 '18 at 19:36
  • So that's your explanation? "a lot of things are wrong with your code"? A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – Jay Blanchard Feb 05 '18 at 19:52
  • Ugh, again. Don't trim passwords. `Empty returns a boolean not an integer`, true but well, `true == 1`. – Xorifelse Feb 05 '18 at 20:00
  • @JayBlanchard - did you even read the code and see the comments? – waterloomatt Feb 05 '18 at 20:00
  • 1
    That is not the point here @waterloomatt, the point is that you may have given the OP some code they can copy and paste, but you offered no good explanation for what you did or why you did it that way. People gloss over code comments all of the time and wonder why the code still doesn't work. Look, I am just trying to help you out here while hoping the OP learns something. If you want to post explanationless code, so be it. – Jay Blanchard Feb 05 '18 at 20:02
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 05 '18 at 20:04
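
As an added example (not code from any poster in this thread), here is one way to combine the points raised in the comments above: the handler runs only on a POST, the password is left untrimmed, and only its `password_hash()` output is stored. The function names `validateRegistration` and `registerUser` are hypothetical, and `config.php` is assumed to define `$link` as in the question.

```php
<?php
// Added example; validateRegistration() and registerUser() are hypothetical names.
/** Validate one submission; returns [errors, username, password]. */
function validateRegistration(array $post): array
{
    $u = $post['usernameInput'] ?? '';
    $p = $post['passwordInput'] ?? '';
    $username = is_string($u) ? trim($u) : '';
    $password = is_string($p) ? $p : ''; // not trimmed: a space is a character
    $errors = [];
    if ($username === '') {
        $errors['username'] = 'You must enter a username';
    }
    if ($password === '') { // unlike empty(), this accepts the password "0"
        $errors['password'] = 'You must enter a password';
    }
    return [$errors, $username, $password];
}

/** Insert the user, storing the password_hash() output, not the password. */
function registerUser(mysqli $link, string $username, string $password): bool
{
    // Assumes users.password is wide enough for the hash, e.g. VARCHAR(255).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($link,
        'INSERT INTO users (username, password, created_at) VALUES (?, ?, NOW())');
    return $stmt
        && mysqli_stmt_bind_param($stmt, 'ss', $username, $hash)
        && mysqli_stmt_execute($stmt)
        && mysqli_stmt_affected_rows($stmt) === 1;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: no fields, blank fields, a filled-in form.
    $samples = [[], ['usernameInput' => '  ', 'passwordInput' => ''],
        ['usernameInput' => 'alice', 'passwordInput' => ' correct horse ']];
    foreach ($samples as $post) {
        [$errors, $username, $password] = validateRegistration($post);
        echo $errors ? 'rejected: ' . implode('; ', $errors)
            : "accepted: $username, stored " . password_hash($password, PASSWORD_DEFAULT);
        echo PHP_EOL;
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Runs only on a form submission, never on a plain page visit.
    [$errors, $username, $password] = validateRegistration($_POST);
    if (!$errors) {
        require_once 'config.php'; // assumed to define $link, as in the question
        registerUser($link, $username, $password);
    }
}
```

At login, the stored value is checked with `password_verify($password, $hash)` against the password exactly as the user typed it.
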
-1

It looks like you have a typo

$date_missing = array();

I think it should be

$data_missing = array();

otherwise $data_missing is undefined

Also as suggested by @Jay Blanchard

$POST is undefined and should be $_POST

  • doesn't matter, you don't need to define the array in the first place. – Xorifelse Feb 05 '18 at 19:45
  • @Xorifelse you may not 'NEED' to define the array but you SHOULD define it. It stops other errors creeping in when you least expect it [link](https://stackoverflow.com/questions/8246047/is-it-necessary-to-declare-php-array-before-adding-values-with) – aaron.noble Feb 05 '18 at 20:06