Hi Team

I have a back end written in PHP that registers users that are new to the database, and the database name and config are correct. The problem is that each time I try to register new users to the db record list, it throws an exception that I have handled as "Error password do not match" instead of writing the request to the db record list, and the tables are still empty.

What I have tried:

PHP
<?php
// Back end using PHP.
	
$showAlert = false;
$showError = false;
$exists=false;
	
if($_SERVER["REQUEST_METHOD"] == "POST") {
	
	// Include file which makes the
	// Database Connection.
	include 'db_config.php';
	
	$username = $_POST["username"];
	$password = $_POST["password"];
	$cpassword = $_POST["cpassword"];
			
	
	$sql = "Select * from signup where username='$username'";
	
	$result = mysqli_query($conn, $sql);
	
	$num = mysqli_num_rows($result);
	
	// This sql query is use to check if
	// the username is already present
	// or not in our Database
	if($num == 0) {
		if(($password == $cpassword) && $exists==false) {
	
			$hash = password_hash($password,
								PASSWORD_DEFAULT);
				
			// Password Hashing is used here.
			$sql = "INSERT INTO `signup` ( `username`,
				`password`, `date`) VALUES ('$username',
				'$hash', current_timestamp())";
	
			$result = mysqli_query($conn, $sql);
	
			if ($result) {
				$showAlert = true;
			}
		}
		else {
			$showError = "Passwords do not match";
		}	
	}// end if
	
if($num>0)
{
	$exists="Username not available";
}
	
}//end if
	
?>

<?php
    
    if($showAlert) {
    
        echo ' <div class="alert alert-success 
            alert-dismissible fade show" role="alert">
    
            Success! Your account is 
            now created and you can login. 
            <button type="button" class="close"
                data-dismiss="alert" aria-label="Close"> 
                <span aria-hidden="true">×</span> 
            </button> 
        </div> '; 
    }
    
    if($showError) {
    
        echo ' <div class="alert alert-danger 
            alert-dismissible fade show" role="alert"> 
        Error! '. $showError.'
    
       <button type="button" class="close" 
            data-dismiss="alert" aria-label="Close">
            <span aria-hidden="true">×</span> 
       </button> 
     </div> '; 
   }
        
    if($exists) {
        echo ' <div class="alert alert-danger 
            alert-dismissible fade show" role="alert">
    
        Error! '. $exists.'
        <button type="button" class="close" 
            data-dismiss="alert" aria-label="Close"> 
            <span aria-hidden="true">×</span> 
        </button>
       </div> '; 
     }
   
?>


// front end form
HTML
<div class="form-group relative mb-25 mb-sm-20">

    
</div>
<div class="form-group relative mb-20 mb-sm-20">

    <i class="fas fa-lock transform-v-center"></i>
</div>
<div class="form-group relative mb-20 mb-sm-20">

    <i class="fas fa-lock transform-v-center"></i>
</div>
<div class="form-group form-check pl-0">
    <div class="d-flex justify-content-between">
        <div class="custom-control custom-checkbox">

            Remember me
        </div>
    </div>
</div>
SIGNUP
<div class="signup-login text-center"></div>
Updated 26-Feb-23 8:25am

1 solution

Don't do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

And on a login / registration system? That's just asking for trouble...

The chances are that fixing that throughout your whole app will fix your problem at the same time.
 
Comments
Gcobani Mkontwana 26-Feb-23 12:23pm    
@OriginalGriff I have not done any regular backups of both my login and registration
OriginalGriff 26-Feb-23 12:44pm    
First off, do one: I use AOMEI Backupper, which has a fully featured free version.
No backup == loads of trouble if you get malware, ransomware, or a hardware failure. Do 'em regularly, and air-gap 'em.

If you don't have a backup, someone will try SQL Injection to see if it works - your best mate would try it just to see the look on your face. And losing your DB in production could be devastating. Always use parameterised queries!
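
The parameterized-query approach recommended in the solution, applied to the registration handler from the question. This is an added example, not code from the original thread; `register_user` and `$field` are hypothetical names, and it assumes `db_config.php` defines `$conn` as a mysqli connection and that the `signup` table has the columns shown in the question.

```php
<?php
// Added example: the question's registration logic with bound parameters.
// Assumes db_config.php defines $conn (a mysqli connection) and the
// `signup` table has the columns used in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: returns '' on success or an error message.
function register_user(mysqli $conn, string $username,
                       string $password, string $cpassword): string
{
    if ($username === '' || $password === '') {
        return 'Username and password are required';
    }
    // !== compares the raw strings; == would treat "1e3" and "1000" as equal.
    if ($password !== $cpassword) {
        return 'Passwords do not match';
    }

    // The value for ? is sent separately from the SQL text, so input such
    // as x';DROP TABLE MyTable;-- is only ever compared as a username.
    $stmt = $conn->prepare('SELECT 1 FROM `signup` WHERE `username` = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    if ($taken) {
        return 'Username not available';
    }

    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare(
        'INSERT INTO `signup` (`username`, `password`, `date`)
         VALUES (?, ?, current_timestamp())'
    );
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
    return '';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    include 'db_config.php';
    // Missing or non-string fields become '' instead of raising a TypeError.
    $field = fn(string $k): string => is_string($_POST[$k] ?? null) ? $_POST[$k] : '';
    $error = register_user($conn, $field('username'),
                           $field('password'), $field('cpassword'));
    $showAlert = ($error === '');
    $showError = $error; // '' is falsy, so the question's alert markup still works
}
```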

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


