Why doesn't this save to my mysql file? (PHP)

[garrette]

It worked literally 15 minutes before, and I tried to make a small change to the script, erased it because I changed my mind, and now it won't save this information to my database. . . any idea why?

<?php
//form data
$submit = $_POST['submit'];
$Name = strip_tags($_POST['Name']);
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$repeatpassword = strip_tags($_POST['repeatpassword']);
$email = $_POST['email'];
$repeatemail = $_POST['repeatemail'];
$date = date("Y-m-d");


if ($submit)
{

    //opens the database
        $connect = mysql_connect('localhost',"******","*******");
        mysql_select_db('********'); //Selects the database
        
        $namecheck = mysql_query("SELECT username FROM users WHERE username='$username'");
        $count = mysql_num_rows($namecheck);
        
        if ($count!=0)
        {
        die("Username is already taken, sorry!");
        }
        
        $emailcheck = mysql_query("SELECT email FROM users WHERE email='$email'");
        $check = mysql_num_rows($emailcheck);
        
        if ($check!=0)
        {
        die("This email is already taken, sorry!");
        }
 
//Makes sure the fields are filled
if ($Name&&$username&&$password&&$repeatpassword&&$email&&$repeatemail)
{
    
    if ($password==$repeatpassword) //Makes sure the passwords are the same.
    {
        //Check character length of user name.
        if (strlen($username)>25||strlen($Name)>25)
        {
            echo "Max length of username and your name are 25 characters.";
        }
        
        else //Checks the password length
        {
        if (strlen($password)>25||strlen($password)<6)
        {
        
        echo "Password must be between 6 and 25 characters.";
        }
        else 
        
        //Encrypts the passwords.
        $password = md5($password);
        $repeatpassword = md5($repeatpassword);
        
        //Checks the email lenth
        if (strlen($email)>30||strlen($email)<10)
        {
        echo "Your email must be between 10 and 30 characters.";
        }
        
        else //Registers the user.
        
        $queryreg = mysql_query("INSERT INTO users VALUES (' ','$Name','$username','$password','$email','$date'");
    
        echo "You have been registered! <br><a href='**********'> Return to the login page</a>.";

        }
    
    }
    else
        echo "Your passwords do not match!";
}
else
    echo "Please fill in all the fields";


}
?>

It won't add it to my tables, therefore it won't create user accounts. I have no idea why either. Anyone have any ideas?

 

[Skizzerz]

An error message would be helpful if you are getting one.

Also, please note that the PHP mysql extension has been deprecated by the PHP group, due to various issues with it. A common issue with it is the fact that it leaves users to write insecure scripts. For example, there is nothing stopping me from submitting an email address with a SQL injection in it, because you fail to escape that input properly. A common rule of thumb to use is to "escape every input and sanitize every output" that involves user-generated information.

Also, what is the point behind limiting the maximum password length to 25? If there is a maximum, it should be much higher than that.

Otherwise, I can't help you much without an error message. If misson or essellar happen to pop in, I suggest you heed everything they say.

 

[garrette]

I have fixed the problem, it was within the database. I don't remember what exactly I did, but I did get it working.

As for the SQL injection, how to I stop this insecurity? I am using a tutorial from 2009 to help with learning the mysql extensions, but that is probably according to what you are saying.

Do you possibly have a resource that could show me what I should do?

 

[misson]

As for the SQL injection, how to I stop this insecurity? [...] Do you possibly have a resource that could show me what I should do?

See my previous post(s), which also cover other generic mistakes that happen to appear in the sample code in this thread. The key is to use prepared statements (and an extension that supports them).

One issue that I haven't covered in your code (but have in many other threads on these forums) is the insecure password storage scheme. MD5 is considered broken by security professionals. No less than Bruce Schneier has written:

But -- come on, people -- no one should be using MD5 anymore.

Use a newer hashing function, such as whirlpool or something from the SHA2 family (SHA256, SHA512) or (better still) Blowfish (using crypt(). Your password scheme is also vulnerable to rainbow tables. Add salt to fix this. You could use the username + a system salt, or (better still) give each user a unique salt (a "nonce") and store that in a column in table `users`.

I am using a tutorial from 2009 to help with learning the mysql extensions, but that is probably according to what you are saying.

The mysql extension became outdated in 2004, when mysqli was included with PHP 5.0.0, and again in 2005 when PDO was incorporated into PHP 5.1.0 from the PECL package (with PHP 5.0, the server admin could install PDO as an optional package). You could consider it outdated even before that, considering programmer installable packages such as Pear:B.

 

[garrette]

Thanks for the information! I will be sure to look into all of this! Very helpful.