Any problem with my PHP code?

Question

1.00/5 (1 vote)

See more:

I have tried to connect to mysql. I tested the connection. It should echo error message when I change the password to randow text. However, there is no response after clicking the sumbit button. Can anyone pls help to see if there is anything for my coding??? Pls help!!!

What I have tried:

if(isset($_POST['submit']))
 {
     // if true, button is clicked
     //echo "Button Clicked";

     //1. Get the data from the form
     $full_name = $_POST['full_name'];
     $username = $_POST['username'];
     $password = md5($_POST['password']); //Password is encrypted with MD5

     //2. SQL query to send the data into mysql database
     $sql = "INSERT INTO admin SET
         full_name='$full_name',
         username='$username',
         password='$password'
     ";

     //3. Execute query and send the data in sql into mysql database
     $conn = mysqli_connect('localhost', 'root', 'ddddddd') or die(mysqli_error()); //Databased connection
     $db_select = mysqli_select_db($conn, 'my_db') or die(mysqli_error()); //Selectionn of database

     //$res = mysqlli_query($kconn, $sql) or die(mysqli_error());
 }

Posted 2-Oct-22 17:19pm

New-comer!!!

Updated 3-Oct-22 15:55pm

Add a Solution

Comments

Richard MacCutchan 3-Oct-22 4:42am

Do not use MD5 on passwords, it is known to be insecure. You should use the PHP builtin: PHP: password_hash - Manual[^].

Richard Deeming 3-Oct-22 4:46am

$password = md5($_POST['password']); //Password is encrypted with MD5

So much fail in such a small line of code!

MD5 is a hashing algorithm, not an encryption algorithm. Hashed passwords should not be retrievable, whereas encrypted passwords would be.

You're using an unsalted hash, which leaves your code vulnerable to a rainbow-table attack.

And you're using MD5, which has not been considered "secure" for over twenty years. Thirty seconds on Google will find you plenty of sites which can take an MD5-hashed password and give you back the original plain-text in under a second.

PHP provides build-in functions to help you store and validate passwords correctly - use them.
PHP: password_hash[^]
PHP: password_verify[^]

New-comer!!! 3-Oct-22 12:31pm

Thanks for yor comment! I will take that in mind. However, it still cannot solve the problem that I cannot return the error message after changing my password to test the accessibility to my database. Can you pls comment about this?

2 solutions

Solution 1

Well ... it doesn't execute the command you built in $sql because the line of code that does is commented out ...

PHP

//$res = mysqlli_query($kconn, $sql) or die(mysqli_error());

But that's a very, very good thing because that is the least of your worries!

Much more importantly, there are two things you need to fix throughout your whole application as a matter of priority first:

1) Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

Which SQL sees as three separate commands:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';

A perfectly valid SELECT

SQL

DROP TABLE MyTable;

A perfectly valid "delete the table" command

SQL

--'

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^]

And remember: if this is web based and you have any European Union users then GDPR applies and that means you need to handle passwords as sensitive data and store them in a safe and secure manner. Text is neither of those and the fines can be .... um ... outstanding. In December 2018 a German company received a relatively low fine of €20,000 for just that.

Posted 2-Oct-22 18:02pm

OriginalGriff

Comments

New-comer!!! 3-Oct-22 0:16am

Thx for your comment. Even I commented out $mysql, below 2 functoins should be able to show the error as I added die(mysqli_error). I tried your method and uncomment the $sql, it is still the same without response. Can you pls take a look again? Thx!

$conn = mysqli_connect('localhost', 'root', 'ddddddd') or die(mysqli_error()); //Databased connection
$db_select = mysqli_select_db($conn, 'my_db') or die(mysqli_error()); //Selectionn of database

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Luc Pattyn · Accepted Answer · 2022-10-03T15:55:00

Solution 2

Your connection fails and your code fails to report the error.

The reason is mysqli_connect does not return error messages through mysqli_error, it uses mysqli_connect_error instead!

Check the documentation: simply google mysqli_connect and read its first result.

:)

Posted 3-Oct-22 15:55pm

Luc Pattyn

Comments

New-comer!!! 4-Oct-22 5:59am

It finally works... Thx so much!!!!