I have tried to connect to mysql. I tested the connection. It should echo an error message when I change the password to random text. However, there is no response after clicking the submit button. Can anyone pls help to see if there is anything wrong with my coding??? Pls help!!!

What I have tried:

if(isset($_POST['submit']))
 {
     // if true, button is clicked
     //echo "Button Clicked";

     //1. Get the data from the form
     $full_name = $_POST['full_name'];
     $username = $_POST['username'];
     $password = md5($_POST['password']); //Password is encrypted with MD5

     //2. SQL query to send the data into mysql database
     $sql = "INSERT INTO admin SET
         full_name='$full_name',
         username='$username',
         password='$password'
     ";

     //3. Execute query and send the data in sql into mysql database
     $conn = mysqli_connect('localhost', 'root', 'ddddddd') or die(mysqli_error()); //Database connection
     $db_select = mysqli_select_db($conn, 'my_db') or die(mysqli_error()); //Selection of database

     //$res = mysqlli_query($kconn, $sql) or die(mysqli_error());
 }
Updated 3-Oct-22 16:55pm
Comments
Richard MacCutchan 3-Oct-22 4:42am    
Do not use MD5 on passwords, it is known to be insecure. You should use the PHP builtin: PHP: password_hash - Manual.
Richard Deeming 3-Oct-22 4:46am    
$password = md5($_POST['password']); //Password is encrypted with MD5

So much fail in such a small line of code!

MD5 is a hashing algorithm, not an encryption algorithm. Hashed passwords should not be retrievable, whereas encrypted passwords would be.

You're using an unsalted hash, which leaves your code vulnerable to a rainbow-table attack.

And you're using MD5, which has not been considered "secure" for over twenty years. Thirty seconds on Google will find you plenty of sites which can take an MD5-hashed password and give you back the original plain-text in under a second.

PHP provides built-in functions to help you store and validate passwords correctly - use them.
PHP: password_hash
PHP: password_verify
New-comer!!! 3-Oct-22 12:31pm    
Thanks for your comment! I will take that in mind. However, it still cannot solve the problem that I cannot return the error message after changing my password to test the accessibility to my database. Can you pls comment about this?

Well ... it doesn't execute the command you built in $sql because the line of code that does is commented out ...
PHP
//$res = mysqlli_query($kconn, $sql) or die(mysqli_error());


But that's a very, very good thing because that is the least of your worries!

Much more importantly, there are two things you need to fix throughout your whole application as a matter of priority first:

1) Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.

And remember: if this is web based and you have any European Union users then GDPR applies and that means you need to handle passwords as sensitive data and store them in a safe and secure manner. Text is neither of those and the fines can be .... um ... outstanding. In December 2018 a German company received a relatively low fine of €20,000 for just that.
 
 
Comments
New-comer!!! 3-Oct-22 0:16am    
Thx for your comment. Even I commented out $mysql, below 2 functions should be able to show the error as I added die(mysqli_error). I tried your method and uncomment the $sql, it is still the same without response. Can you pls take a look again? Thx!

$conn = mysqli_connect('localhost', 'root', 'ddddddd') or die(mysqli_error()); //Database connection
$db_select = mysqli_select_db($conn, 'my_db') or die(mysqli_error()); //Selection of database
Your connection fails and your code fails to report the error.

The reason is mysqli_connect does not return error messages through mysqli_error, it uses mysqli_connect_error instead!

Check the documentation: simply google mysqli_connect and read its first result.

:)
 
 
Comments
New-comer!!! 4-Oct-22 5:59am    
It finally works... Thx so much!!!!
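
The points raised in the two answers and the comments (parameterized queries, password_hash/password_verify, and reporting a failed connection), combined into one handler as an added example that is not code from any poster in this thread. The database user, its password and the response messages are placeholders; the admin table, its columns and my_db come from the question.

```php
<?php
// Added example. DB user and password are placeholders;
// the admin table and its columns are taken from the question.

// Make mysqli throw mysqli_sql_exception on failure (the default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function add_admin(mysqli $conn, string $fullName, string $username, string $plain): void
{
    // Salted, slow hash; algorithm and salt are stored inside the result.
    // The PHP manual recommends a 255-character column to hold it.
    $hash = password_hash($plain, PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $conn->prepare(
        'INSERT INTO admin (full_name, username, password) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $fullName, $username, $hash);
    $stmt->execute();
    $stmt->close();
}

function check_login(mysqli $conn, string $username, string $plain): bool
{
    $stmt = $conn->prepare('SELECT password FROM admin WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true = row read, null = no such user
    $stmt->close();
    return $found === true && password_verify($plain, $hash);
}

if (isset($_POST['submit'])) {
    try {
        $conn = new mysqli('localhost', 'app_user', 'placeholder-password', 'my_db');
        $conn->set_charset('utf8mb4');
        add_admin($conn, $_POST['full_name'] ?? '', $_POST['username'] ?? '', $_POST['password'] ?? '');
        echo 'Admin added.';
    } catch (mysqli_sql_exception $e) {
        // A wrong DB password surfaces here; without exception mode the same
        // text comes from mysqli_connect_error(). Log detail, show a generic message.
        error_log('DB error ' . $e->getCode() . ': ' . $e->getMessage());
        http_response_code(500);
        echo 'Database error.';
    }
}
```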

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


