Click here to Skip to main content
15,867,835 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
Hi Team

I am struggling to signup new users to the record list from the database, somehow it refuse to insert data to the database columns.

What I have tried:

// database record

SELECT * FROM `signup` WHERE 1 return 

id	name	email	password	code	
status





// signup-user.php

<?php require_once "signup-data-details.php"; ?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Signup Form</title>
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
    <link rel="stylesheet" href="css/style.css">
</head>
<body>
    <div class="container">
        <div class="row">
            <div class="col-md-4 offset-md-4 form">
                <form action="signup-user.php" method="POST" autocomplete="">
                    <h2 class="text-center">Signup Form</h2>
                    
                    <?php
                    if(count($errors) == 1){
                        ?>
                        <div class="alert alert-danger text-center">
                            <?php
                            foreach($errors as $showerror){
                                echo $showerror;
                            }
                            ?>
                        </div>
                        <?php
                    }elseif(count($errors) > 1){
                        ?>
                        <div class="alert alert-danger">
                            <?php
                            foreach($errors as $showerror){
                                ?>
                                <li><?php echo $showerror; ?></li>
                                <?php
                            }
                            ?>
                        </div>
                        <?php
                    }
                    ?>
                    <div class="form-group">
                        <input class="form-control" type="text" name="name" placeholder="Full Name" required value="<?php echo $name ?>">
                    </div>
                    <div class="form-group">
                        <input class="form-control" type="email" name="email" placeholder="Email Address" required value="<?php echo $email ?>">
                    </div>
                    <div class="form-group">
                        <input class="form-control" type="password" name="password" placeholder="Password" required value="<?php echo $password ?">
                    </div>
                    <div class="form-group">
                        <input class="form-control" type="password" name="cpassword" placeholder="Confirm password" required>
                    </div>
                    <div class="form-group">
                        <input class="form-control button" type="submit" name="signup" value="Signup">
                    </div>
                    <div class="link login-link text-center">Already a member? <a href="login-user.php">Login here</a></div>
                </form>
            </div>
        </div>
    </div>
    
</body>
</html>



//signup-data-details.php

<?php

session_start();

require "config.php";

$email = "";

$name = "";

$errors = array();



//if user signup button

if(isset($_POST['signup'])){

    $name = mysqli_real_escape_string($con, $_POST['name']);

    $email = mysqli_real_escape_string($con, $_POST['email']);

    $password = mysqli_real_escape_string($con, $_POST['password']);

    $cpassword = mysqli_real_escape_string($con, $_POST['cpassword']);

    if($password !== $cpassword){

        $errors['password'] = "Confirm password not matched!";

    }

    $email_check = "SELECT * FROM signup WHERE email = '$email'";

    $res = mysqli_query($con, $email_check);

    if(mysqli_num_rows($res) > 0){

        $errors['email'] = "Email that you have entered is already exist!";

    }

    if(count($errors) === 0){

        $encpass = password_hash($password, PASSWORD_BCRYPT);

        $code = rand(999999, 111111);

        $status = "notverified";

        $insert_data = "INSERT INTO signup (name, email, password, code, status)

                        values('$name', '$email', '$encpass', '$code', '$status')";

        $data_check = mysqli_query($con, $insert_data);

        if($data_check){

            $subject = "Email Verification Code";

            $message = "Your verification code is $code";

            $sender = "From: gcobani.mkontwana@agilelimitless.org.za";

            if(mail($email, $subject, $message, $sender)){

                $info = "We've sent a verification code to your email - $email";

                $_SESSION['info'] = $info;

                $_SESSION['email'] = $email;

                $_SESSION['password'] = $password;

                header('location: user-otp.php');

                exit();

            }else{

                $errors['otp-error'] = "Failed while sending code!";

            }

        }else{

            $errors['db-error'] = "Failed while inserting data into database!";

        }

    }



}

    //if user click verification code submit button

    if(isset($_POST['check'])){

        $_SESSION['info'] = "";

        $otp_code = mysqli_real_escape_string($con, $_POST['otp']);

        $check_code = "SELECT * FROM signup WHERE code = $otp_code";

        $code_res = mysqli_query($con, $check_code);

        if(mysqli_num_rows($code_res) > 0){

            $fetch_data = mysqli_fetch_assoc($code_res);

            $fetch_code = $fetch_data['code'];

            $email = $fetch_data['email'];

            $code = 0;

            $status = 'verified';

            $update_otp = "UPDATE signup SET code = $code, status = '$status' WHERE code = $fetch_code";

            $update_res = mysqli_query($con, $update_otp);

            if($update_res){

                $_SESSION['name'] = $name;

                $_SESSION['email'] = $email;

                header('location: home.php');

                exit();

            }else{

                $errors['otp-error'] = "Failed while updating code!";

            }

        }else{

            $errors['otp-error'] = "You've entered incorrect code!";

        }

    }



    //if user click login button

    if(isset($_POST['login'])){

        $email = mysqli_real_escape_string($con, $_POST['email']);

        $password = mysqli_real_escape_string($con, $_POST['password']);

        $check_email = "SELECT * FROM signup WHERE email = '$email'";

        $res = mysqli_query($con, $check_email);

        if(mysqli_num_rows($res) > 0){

            $fetch = mysqli_fetch_assoc($res);

            $fetch_pass = $fetch['password'];

            if(password_verify($password, $fetch_pass)){

                $_SESSION['email'] = $email;

                $status = $fetch['status'];

                if($status == 'verified'){

                  $_SESSION['email'] = $email;

                  $_SESSION['password'] = $password;

                    header('location: home.php');

                }else{

                    $info = "It's look like you haven't still verify your email - $email";

                    $_SESSION['info'] = $info;

                    header('location: user-otp.php');

                }

            }else{

                $errors['email'] = "Incorrect email or password!";

            }

        }else{

            $errors['email'] = "It's look like you're not yet a member! Click on the bottom link to signup.";

        }

    }



    //if user click continue button in forgot password form

    if(isset($_POST['check-email'])){

        $email = mysqli_real_escape_string($con, $_POST['email']);

        $check_email = "SELECT * FROM signup WHERE email='$email'";

        $run_sql = mysqli_query($con, $check_email);

        if(mysqli_num_rows($run_sql) > 0){

            $code = rand(999999, 111111);

            $insert_code = "UPDATE signup SET code = $code WHERE email = '$email'";

            $run_query =  mysqli_query($con, $insert_code);

            if($run_query){

                $subject = "Password Reset Code";

                $message = "Your password reset code is $code";

                $sender = "From: gcobani.mkontwana@agilelimitless.org.za";

                if(mail($email, $subject, $message, $sender)){

                    $info = "We've sent a passwrod reset otp to your email - $email";

                    $_SESSION['info'] = $info;

                    $_SESSION['email'] = $email;

                    header('location: reset-code.php');

                    exit();

                }else{

                    $errors['otp-error'] = "Failed while sending code!";

                }

            }else{

                $errors['db-error'] = "Something went wrong!";

            }

        }else{

            $errors['email'] = "This email address does not exist!";

        }

    }



    //if user click check reset otp button

    if(isset($_POST['check-reset-otp'])){

        $_SESSION['info'] = "";

        $otp_code = mysqli_real_escape_string($con, $_POST['otp']);

        $check_code = "SELECT * FROM signup WHERE code = $otp_code";

        $code_res = mysqli_query($con, $check_code);

        if(mysqli_num_rows($code_res) > 0){

            $fetch_data = mysqli_fetch_assoc($code_res);

            $email = $fetch_data['email'];

            $_SESSION['email'] = $email;

            $info = "Please create a new password that you don't use on any other site.";

            $_SESSION['info'] = $info;

            header('location: new-password.php');

            exit();

        }else{

            $errors['otp-error'] = "You've entered incorrect code!";

        }

    }



    //if user click change password button

    if(isset($_POST['change-password'])){

        $_SESSION['info'] = "";

        $password = mysqli_real_escape_string($con, $_POST['password']);

        $cpassword = mysqli_real_escape_string($con, $_POST['cpassword']);

        if($password !== $cpassword){

            $errors['password'] = "Confirm password not matched!";

        }else{

            $code = 0;

            $email = $_SESSION['email']; //getting this email using session

            $encpass = password_hash($password, PASSWORD_BCRYPT);

            $update_pass = "UPDATE signup SET code = $code, password = '$encpass' WHERE email = '$email'";

            $run_query = mysqli_query($con, $update_pass);

            if($run_query){

                $info = "Your password changed. Now you can login with your new password.";

                $_SESSION['info'] = $info;

                header('Location: password-changed.php');

            }else{

                $errors['db-error'] = "Failed to change your password!";

            }

        }

    }

   

   //if login now button click

    if(isset($_POST['login-now'])){

        header('Location: signup-user.php');

    }

?>
Posted
Updated 28-Feb-23 0:55am

As I told you last time ...
Don't do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

And on a login / registration system? That's just asking for trouble...

The chances are that fixing that throughout your whole app will fix your problem at the same time.
 
Share this answer
 
Comments
Gcobani Mkontwana 28-Feb-23 0:55am    
@OriginalGriff how do i use parametized queries, i have not do a backup yet. Should i include it as always for security reason?
OriginalGriff 28-Feb-23 3:41am    
You don't back up your computer at all? :OMG:

You have heard of malware? Ransomware? Hardware failure?

https://www.google.com/search?q=PHP+parameterised+queries&sourceid=chrome&ie=UTF-8
Firstly, as mentioned by OriginalGriff, you are wide open to some serious security risks. Read this article with solutions to how you can fix these security risks - Nine Severe PHP Vulnerabilities & How to Fix Them[^]

To get to your problem, you need to do error checking in all of your code at all times. Try the below and see where your error occur, fix the error and you should be good to go -
// Required field names before we can add a new record...
$required = array('name', 'email', 'password', 'code', 'status');

// Loop over field names, make sure each one exists and is not empty
$error = false;
foreach($required as $field) {
  if (empty($_POST[$field])) {
    $error = true;
  }
}

if ($error) {
  echo "All fields are required.";
} else {
  echo "Proceed, all fields have a value, add new record...";
}


You can also show the values to see which one of the fields holds no value -
print_r($required );
 
Share this answer
 
v2

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900