
I need a bit of help with my registration page: when I try to enter a username and a password I can't understand why it doesn't work, and I don't know how to show the error in any way. Everything works, but it can't insert the data into the database, and I'm sure that the connection to the database works!

I've also tried to print the $query and it's right. I think that the error is in $inseriscidati but I don't know what the problem can be.

Here is the code:


```php
<?php

    $mex = "";

    $database = "users";
    $userArray = "SELECT 'username' FROM $database";

    if(isset($_POST['submit'])){

        $user = $_POST['user'];
        $pass = $_POST['pass'];
        $passconf = $_POST['passconf'];

        // $connessione is the mysqli connection opened elsewhere
        $username = mysqli_real_escape_string($connessione,$user);
        $password = mysqli_real_escape_string($connessione,$pass);
        $passwordConf = mysqli_real_escape_string($connessione,$passconf);

        if($username != "" && $password != "" && $passwordConf != ""){
            if($password == $passwordConf){
                if($user != $userArray){
                    $passwordCrypt = crypt($password, '$6$rounds=5000$usesomesillystringforsalt$');

                    $query = "INSERT INTO `users` (`username`,`passwor`) VALUES (`$username`, `$passwordCrypt`)";
                    $inseriscidati = mysqli_query($connessione,$query);

                    if(!$inseriscidati){
                        $mex = "<p style='color: red;'>Due to an error the data could not be saved. Try again later!</p>";
                        mysqli_error($connessione);
                        echo "\n Encrypted password: ".$passwordCrypt;
                        echo "\n Query: ".$query;
                        header("Location: $currentpage?DatiNonInseriti");
                    }else{
                        header("Location: $currentpage?DatiInseritiCorrettamente");
                        $mex = "<p style='color: green;'>The data entered was saved correctly!</p>";
                    }

                }else $mex = "<p style='color: red;'>Username not available</p>";
            }else $mex = "<p style='color: red;'>The passwords do not match</p>";
        }else $mex = "<p style='color: red;'>Fill in all fields</p>";
    }
?>

<form action="" method="POST" enctype="multipart/form-data">
    <?php if($mex != "") echo $mex; ?>
    <input type="text" placeholder="Enter Username" name="user" >
    <input type="password" placeholder="Create Password" name="pass" minlength="8" maxlength="20">
    <input type="password" placeholder="Confirm Password" name="passconf" minlength="8" maxlength="20">
    <input type="submit" name="submit">
</form>
```
asked by Elizzit; edited by Jason Aller
    `INSERT TO` needs to be `INSERT INTO`, also 'passwor' is misspelled? – Ron Sep 10 '20 at 18:42
  • You are using the wrong quotes for columns, and are open to SQL injections. Use error reporting. – user3783243 Sep 10 '20 at 18:42
  • Does this answer your question? [Catching Mysqli Errors](https://stackoverflow.com/questions/19193911/catching-mysqli-errors) – user3783243 Sep 10 '20 at 18:43
  • ...and/or https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql – user3783243 Sep 10 '20 at 18:43
  • Also `$userArray` will never be a username. It will always be a SQL query... and if you were to execute it would be extremely inefficient. – user3783243 Sep 10 '20 at 18:55
  • I've tried to use $userArray to check whether the username that has been entered is already in the database... Have I done it the wrong way? Anyway, thank you for your warning about the SQL injection – Elizzit Sep 10 '20 at 19:14
  • Ron, thank you. "passwor" is right... I've used this name in the database – Elizzit Sep 10 '20 at 19:21
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 10 '20 at 19:43
  • Thank you... I know, I've just fixed it. Thanks – Elizzit Sep 10 '20 at 19:46
  • `mysqli_real_escape_string` doesn't fix it, it's a quick fix that will cause you issues down the road. – user3783243 Sep 10 '20 at 20:00
  • `$userArray` is just a SQL statement; you never execute it. Additionally it has no `where` clause, so you're going to be returning every user in the DB and then comparing against your string, or just comparing against the first row. – user3783243 Sep 10 '20 at 20:01
  • So what should I do to avoid SQL injection? – Elizzit Sep 10 '20 at 20:04
  • Use prepared statements and parameterize your query. https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php – user3783243 Sep 10 '20 at 20:21

1 Answer


Use single quotes instead of backticks around the values:

```php
$query = "INSERT INTO users (username,passwor) VALUES ('$username', '$passwordCrypt')";
```
Ripon Uddin
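Both the comment thread above (which recommends prepared statements) and the answer (which only fixes the quoting) leave the query built by string concatenation from user input. As an added example, not code from the question or the answer, here is the same registration flow rewritten with mysqli prepared statements, so the username and the hash are bound as parameters and never become part of the SQL text, plus a parameterised uniqueness check in place of the never-executed `$userArray` comparison. It assumes `$connessione` is an open mysqli connection (as in the question) and keeps the asker's table and column names (`users`, `username`, `passwor`) and the form's field names; `password_hash()` is used instead of the fixed-salt `crypt()` call, and the `usernameTaken()` / `registerUser()` function names are my own.

```php
<?php
// Added example (not from the original question or answer): registration
// with mysqli prepared statements and password_hash().
// Assumes $connessione is an open mysqli connection and a table `users`
// with columns `username` and `passwor` (the asker's column name).

// Make mysqli throw mysqli_sql_exception on failure instead of returning
// false, so errors are not silently dropped.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function usernameTaken(mysqli $db, string $username): bool
{
    // Parameterised lookup: the value is bound, never spliced into the SQL.
    $stmt = $db->prepare('SELECT 1 FROM `users` WHERE `username` = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    return $taken;
}

function registerUser(mysqli $db, string $username, string $password): void
{
    // password_hash() generates a random salt and uses a current algorithm;
    // check later with password_verify($password, $storedHash).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO `users` (`username`, `passwor`) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}

$mex = '';
if (isset($_POST['submit'])) {
    $user     = trim($_POST['user'] ?? '');
    $pass     = $_POST['pass'] ?? '';
    $passconf = $_POST['passconf'] ?? '';

    if ($user === '' || $pass === '' || $passconf === '') {
        $mex = 'Fill in all fields';
    } elseif ($pass !== $passconf) {
        $mex = 'The passwords do not match';
    } elseif (strlen($pass) < 8) {
        // Server-side copy of the form's minlength: client attributes can be bypassed.
        $mex = 'The password must be at least 8 characters';
    } else {
        try {
            if (usernameTaken($connessione, $user)) {
                $mex = 'Username not available';
            } else {
                registerUser($connessione, $user, $pass);
                $mex = 'Registration completed successfully';
            }
        } catch (mysqli_sql_exception $e) {
            // Details go to the server log; the user gets a generic message.
            error_log('registration failed: ' . $e->getMessage());
            $mex = 'Due to an error the data could not be saved. Try again later!';
        }
    }
}

// Escape before echoing into HTML so the message cannot carry markup.
echo htmlspecialchars($mex, ENT_QUOTES, 'UTF-8');
```

Two points worth noting. `mysqli_report()` with `MYSQLI_REPORT_STRICT` turns every failed query into a `mysqli_sql_exception`, so the error text reaches the log instead of being discarded like the bare `mysqli_error($connessione)` call in the question. And the check-then-insert is not atomic: two concurrent registrations can both pass `usernameTaken()` and both insert, so the real guard is a `UNIQUE` index on `users.username`; with it in place the second insert fails with a duplicate-key error, which lands in the same `catch` block.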