Php insert data to table NOT working but doesn't show any errors

Question

1.00/5 (1 vote)

See more:

Sorry my english is not very good but i need your helps to find what's wrong in below php file.
I'm just learning PHP and am trying to capture info from a form and insert it into a table in a mySQL database.Before doing that,i want to check for duplicate username or email, so i added an if statement but no data was inserted into table and no error was shown.
. Could someone please tell me what I am doing wrong?

Before adding if statement, it worked.

<?php
include('config.php');

    $name = $_POST['name'];
    $user = $_POST['id'];
    $password = $_POST['password'];
    $mail = $_POST['email'];
    $phone = $_POST['phone'];
    $sex = $_POST['sex'];
    $nationality = $_POST['nationality'];
    $dob=$_POST['year'] . '-' . $_POST['month'] . '-' . $_POST['days'];
    $question = $_POST['mistery_question'];
    $reply = $_POST['reply'];

    date_default_timezone_set("Asia/Calcutta");
    $insertdate = date("Y-m-d H:i:s");
    $sql = "INSERT INTO regist (Name, Username, Password, Mail, PhoneNumber, Sex, Religion, DateOfBirth, Question, Answer,date_time) 
            VALUES ('$name', '$user','$password','$email', '$phone', '$sex', '$nationality', '$dob', '$question', '$reply', '$insertdate')";

            mysqli_close($conn);

?>

What I have tried:

After adding an if statement. It does not work

<?php
include('config.php');

    $name = $_POST['name'];
    $user = $_POST['id'];
    $password = $_POST['password'];
    $mail = $_POST['email'];
    $phone = $_POST['phone'];
    $sex = $_POST['sex'];
    $nationality = $_POST['nationality'];
    $dob=$_POST['year'] . '-' . $_POST['month'] . '-' . $_POST['days'];
    $question = $_POST['mistery_question'];
    $reply = $_POST['reply'];

    date_default_timezone_set("Asia/Calcutta");
    $insertdate = date("Y-m-d H:i:s");
        
        $query = mysqli_query($conn,"SELECT * FROM regist WHERE Username='$user' OR Mail='$mail'");
        if(mysqli_num_rows($query) > 0 ) {
          
          echo "<script type='text/javascript'>alert('User name or Email id already exists.');
               window.location='regist.html';history.back();
               </script>";
          }else{

          $sql = "INSERT INTO regist (Name, Username, Password, Mail, PhoneNumber, Sex, Religion, DateOfBirth, Question, Answer,date_time) 
            VALUES ('$name', '$user','$password','$email', '$phone', '$sex', '$nationality', '$dob', '$question', '$reply', '$insertdate')";

           }   
        

            mysqli_close($conn);

?>

Posted 30-Oct-18 7:17am

Member 14038244

Add a Solution

Comments

Richard Deeming 30-Oct-18 13:27pm

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

PHP: SQL Injection - Manual[^]
PHP: Prepared statements and stored procedures - Manual[^]

Richard Deeming 30-Oct-18 13:28pm

You're storing passwords in plain text. Don't do that!
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

PHP even includes functions to help you do the right thing:
PHP: password_hash[^]
PHP: password_verify[^]

Richard MacCutchan 30-Oct-18 13:35pm

You never execute the INSERT statement (and did not in the first sample), nothing to do with the if.

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)