Registation PHP

[toontow7]

I Have All This:

http://pastebin.com/ahYqAFyc

But for some reason, NOTHING shows up.

http://www.toontownunlimited.x10.mx/mysql_login/register.php

Whats The Problem?

 

[Dead-i]

Hi toontow7,

The error is appearing in the "error_log" file in the same directory. Judging by that, it looks like you have a malformed if statement on line 10.

Thank you,

 

[caftpx10]

Judging by the code, your issue is located at line 10.
I think you were intending to check if multiple POST are there. According to the IF statement, there are no actions for the IF statement to perform for the other POST requests and you've got an extra '$'. To fix, use isset() on the rest in the IF statement and remove the extra '$'.

 

[essellar]

@toontow7 : Would you mind posting your coding questions in the "Scripts, 3rd Party Apps, and Programming" forum? These kinds of questions are not about hosting support, and they take time away from the volunteers that are looking after the servers and accounts. There are other volunteers (like myself, f'rinstance) who regularly monitor the programming forum, so you won't get any extra attention or effort by posting in "Free Hosting".

That said, there are quite a few problems with your script and your page that need attention, and just fixing that one line (line 10) may make things appear to work over the short term, you will be relying on the things that browsers do to hide the effects of bad HTML from the users, the things that PHP tries to do to give developers what they meant rather than what they actually wrote, code that is going to stop working altogether in the not-too-distant future (it's already been deprecated, and will soon be removed from the PHP language completely) and will be putting your users at considerable risk (you're storing plain text passwords). I understand that you're a beginner, and we were all beginners once, so there's no shame in that; take what's given as an opportunity to learn from other people's mistakes rather than as anyone talking down to you.

Let's start with that line 10 thing:

if(isset($_POST['username'] && $_POST['password'] && $_POST['fname'] && $$_POST['lname'] && $_POST['email'])) {

It's easy to see what you've done there, and why you thought it might work (apart from the typo). If you translate the code directly into English, word for word so to speak, it makes perfect sense. "If the following variables are set, then..." The problem is that the PHP interpreter doesn't speak English (or any other natural language). It needs to be rewritten to be more explicit:

if(isset($_POST['username'] && isset($_POST['password']) && isset($_POST['fname']) && isset($_POST['lname']) && isset($_POST['email']))) {

The extra $ that caftpx10 mentioned won't be caught as the kind of mistake that you might think it should be caught as, since PHP allows "variable variables". What $$_POST['lname'] actually means is "the variable whose name is held in the value of the variable named $_POST['lname']. So if the user's last name is "Smith", you're asking isset($Smith). It's a weird language feature in PHP that can be incredibly useful at times, but it can also cause all kinds of problems since it's usually a typo rather than something you meant to do.

As for the passwords, it's vital to understand that the people using your site are probably using the same password almost everywhere on the web. That means that no matter how small or insignificant your site may be in the grand scheme of things, as soon as you allow registration/login that uses passwords, you are essentially taking responsibility for things like your users' banks accounts, email accounts, medical records, online storage accounts and so forth. You absolutely need to guard those passwords as if there were lives at stake. The only way to do that is to make sure that you don't know — and can't know — the passwords, but have a way to figure out whether or not the users know their own passwords. There are functions built into PHP now — password_hash(), password_verify() and password_needs_rehash() — that make that process simple, secure and foolproof. Please see this thread for more information.

 

[caftpx10]

I have just noticed something in the code. The code is SQL injectable so I highly recommend escaping the $_POST output.

EDIT: I would recommend using the error_reporting() function for displaying the errors, for faster debugging.

 

[toontow7]

@toontow7 : Would you mind posting your coding questions in the "Scripts, 3rd Party Apps, and Programming" forum? These kinds of questions are not about hosting support, and they take time away from the volunteers that are looking after the servers and accounts. There are other volunteers (like myself, f'rinstance) who regularly monitor the programming forum, so you won't get any extra attention or effort by posting in "Free Hosting".

That said, there are quite a few problems with your script and your page that need attention, and just fixing that one line (line 10) may make things appear to work over the short term, you will be relying on the things that browsers do to hide the effects of bad HTML from the users, the things that PHP tries to do to give developers what they meant rather than what they actually wrote, code that is going to stop working altogether in the not-too-distant future (it's already been deprecated, and will soon be removed from the PHP language completely) and will be putting your users at considerable risk (you're storing plain text passwords). I understand that you're a beginner, and we were all beginners once, so there's no shame in that; take what's given as an opportunity to learn from other people's mistakes rather than as anyone talking down to you.

Let's start with that line 10 thing:

if(isset($_POST['username'] && $_POST['password'] && $_POST['fname'] && $$_POST['lname'] && $_POST['email'])) {

It's easy to see what you've done there, and why you thought it might work (apart from the typo). If you translate the code directly into English, word for word so to speak, it makes perfect sense. "If the following variables are set, then..." The problem is that the PHP interpreter doesn't speak English (or any other natural language). It needs to be rewritten to be more explicit:

if(isset($_POST['username'] && isset($_POST['password']) && isset($_POST['fname']) && isset($_POST['lname']) && isset($_POST['email']))) {

The extra $ that caftpx10 mentioned won't be caught as the kind of mistake that you might think it should be caught as, since PHP allows "variable variables". What $$_POST['lname'] actually means is "the variable whose name is held in the value of the variable named $_POST['lname']. So if the user's last name is "Smith", you're asking isset($Smith). It's a weird language feature in PHP that can be incredibly useful at times, but it can also cause all kinds of problems since it's usually a typo rather than something you meant to do.

As for the passwords, it's vital to understand that the people using your site are probably using the same password almost everywhere on the web. That means that no matter how small or insignificant your site may be in the grand scheme of things, as soon as you allow registration/login that uses passwords, you are essentially taking responsibility for things like your users' banks accounts, email accounts, medical records, online storage accounts and so forth. You absolutely need to guard those passwords as if there were lives at stake. The only way to do that is to make sure that you don't know — and can't know — the passwords, but have a way to figure out whether or not the users know their own passwords. There are functions built into PHP now — password_hash(), password_verify() and password_needs_rehash() — that make that process simple, secure and foolproof. Please see this thread for more information.

Ok, well i did
if(isset($_POST['username'] && isset($_POST['password']) && isset($_POST['fname']) && isset($_POST['lname']) && isset($_POST['email']))) {
Dosnt really fix anything, it has the same results.
Heres my whole code now:
http://pastebin.com/Wpn65zZ2


And, i was going to hash my password, this was just a test to see if everythings working as it should be.
Thanks for the thread!

 

[caftpx10]

Noticed a typo there. It should be...

if(isset($_POST['username']) && isset($_POST['password']) && isset($_POST['fname']) && isset($_POST['lname']) && isset($_POST['email'])) {

 

[essellar]

(The difference being that I have one too many closing parens in my posting. Crap happens when you're not using a code editor.)

A bigger point, though, is that you're using mysql_xxx() functions, and they are already deprecated and soon to be removed from PHP. Both mysqli_xxxx() and PDO give you the ability to use prepared statements, which will eliminate the SQL Injection attack caftpx10 mentioned. And please don't treat "hashing" as an add-on, and use the built-in methods. (Anything you've seen that uses MD5 or SHA-whatever and doesn't use a cryptographically random salt might as well be in plain text.)

 

[toontow7]

Ok, but when i use the mysqli_xxx() functions, they ask for additional parameters, and even when i do fix the typo NOTHING is showing up.

 

[caftpx10]

From what I know, you need to stick the database name IN the mysqli connect function like so...
mysqli_connect('HOST','USER','PASS','DB');

 

[toontow7]

Ok, IDK how to fix this.
I tried mysqli_connect, and now its saying that it cant connect to the database.
you said something about getting rid of the POST. Then what do i use?
do i do mysqli_query?
do i do any other mysqli_xxx() functions?

And i got access denied.
Tell me what i need to fix.
Heres my whole code:

I seperated the HTML from the PHP.

Plus, what do you mean Host and Database?

 

[caftpx10]

First off, please remove your database password from that pastebin so that the others don't see it.
The reason you've got the database error is because the last part which I've named 'DB' has the hostname instead of the actual database name.
Any function names which contain the word 'mysql' MUST be replaced with 'mysqli'.

Host = Hostname
DB = Database

EDIT: You don't need the mysqli_select_db() function since we have already selected it in the connection.

 

[toontow7]

But what is my database? my database username?

 

[caftpx10]

No. The database name is the name for the database which you've created.

 

[toontow7]

Ok well, it fixed, but it dosnt seem to insert ANYTHING into the database.

 

[caftpx10]

The reason for that is that you have not assigned the connection to the mysqli_query() function, so basically it has no where for it to execute the query.

 

[toontow7]

Changed it.

[05-Oct-2014 16:51:38 America/New_York] PHP Warning: mysqli_query() expects at least 2 parameters, 1 given in /home/toontow7/public_html/mysql_login/registerform.php on line 12
[05-Oct-2014 16:51:38 America/New_York] PHP Warning: mysqli_error() expects exactly 1 parameter, 0 given in /home/toontow7/public_html/mysql_login/registerform.php on line 36
[05-Oct-2014 16:51:38 America/New_York] PHP Warning: mysqli_close() expects exactly 1 parameter, 0 given in /home/toontow7/public_html/mysql_login/registerform.php on line 39

 

[caftpx10]

Changed it.

[05-Oct-2014 16:51:38 America/New_York] PHP Warning: mysqli_query() expects at least 2 parameters, 1 given in /home/toontow7/public_html/mysql_login/registerform.php on line 12
[05-Oct-2014 16:51:38 America/New_York] PHP Warning: mysqli_error() expects exactly 1 parameter, 0 given in /home/toontow7/public_html/mysql_login/registerform.php on line 36
[05-Oct-2014 16:51:38 America/New_York] PHP Warning: mysqli_close() expects exactly 1 parameter, 0 given in /home/toontow7/public_html/mysql_login/registerform.php on line 39

Replace the following functions set to...

mysql_query($databasehandle,"INSERT INTO users (Username, Password) VALUES ($user, $pass)");
mysqli_error($databasehandle);
mysqli_close($databasehandle);

As you can see, they all have to be assigned to the MySQL server so PHP knows where the error is going to be from and what to close. You have to do this since your connection is in a variable rather than directly out there for the PHP to catch and use straight away.

 

[essellar]

That's still using "unclean" values naked. Mysqli has a prepared statement function that will do the necessary escaping for you.

$query = mysqli_prepare($databasehandle, "INSERT INTO users (Username, Password) VALUES (?, ?)"));
mysqli_stmt_bind_param($query, "ss", $user, $password);
mysqli_stmt_execute($query);

The "ss" indicateed that both of the parameters you are binding to the staement are strings. From there, you can either get the number of affected rows (for insert, update or delete operations) using mysqli_stmt_affected_rows() or get read results using mysqli_stmt_fetch().

It's a heck of a lot easier, though, to write and maintain the code if you use PDO, since you can use named parameters rather than trying to figure out or remember which question mark stands for which value. Yes, it's object-oriented, but it's really pretty easy. You can start with this tutorial, and the documentation at php.net is always worth reading (and a lot of extra information is in the comments section to each of the entries). There is no good reason not to use PDO in preference to MySQL Improved unless you are using MySQL-only database features (hint: you probably won't be doing that) or are trying to quickly update a large, old codebase.

 

[caftpx10]

That's still using "unclean" values naked. Mysqli has a prepared statement function that will do the necessary escaping for you.

$query = mysqli_prepare($databasehandle, "INSERT INTO users (Username, Password) VALUES (?, ?)"));
mysqli_stmt_bind_param($query, "ss", $user, $password);
mysqli_stmt_execute($query);

The "ss" indicateed that both of the parameters you are binding to the staement are strings. From there, you can either get the number of affected rows (for insert, update or delete operations) using mysqli_stmt_affected_rows() or get read results using mysqli_stmt_fetch().

It's a heck of a lot easier, though, to write and maintain the code if you use PDO, since you can use named parameters rather than trying to figure out or remember which question mark stands for which value. Yes, it's object-oriented, but it's really pretty easy. You can start with this tutorial, and the documentation at php.net is always worth reading (and a lot of extra information is in the comments section to each of the entries). There is no good reason not to use PDO in preference to MySQL Improved unless you are using MySQL-only database features (hint: you probably won't be doing that) or are trying to quickly update a large, old codebase.

The OP did say that he would escape them anyway, but it's nice to know that there is an alternative of escaping.