当前位置: 动力学知识库 > 问答 > 编程问答 >

html - PHP Register form is not inserting credentials into database

问题描述:

I have a database with a single table called Users and 6 columns

(userID (primary), prenume, nume, nicknamee, parola, tara)

I want to develop a user registration system. For now, I only want the user to type in the username / nickname and the password. The problem is that when I press submit, the credentials are not inserted into the database. Can someone please help me out?

Here's my code:

<html>

<?php

$servername = hhhhh;

$username = hiuhiuhiuh;

$password = theseAreSecret;

$dbname = shhhh;

// Create connection

$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection

if ($conn->connect_error) {

die("Connection failed: " . $conn->connect_error);

}

echo "Connected successfully\n";

?>

<head>

<meta charset="utf-8">

<meta http-equiv="X-UA-Compatible" content="IE=edge">

<title>Campfire</title>

<link rel="stylesheet" href="">

</head>

<body>

<form method="post">

Username:

<input type="text" name="nicknamee" value="Username"><br>

Password:

<input type="password" name="password" value="Password"><br>

<input type="submit" name="Submit1" value="submit">

<?php

if ( isset( $_POST['Submit1'] ) ) {

$sql = "INSERT INTO Users (userID, prenume, nume, nicknamee, parola, tara)

VALUES (5, 'John', 'Snow', '$_POST[nicknamee]', '$_POST[password]', 'Romania')";}

?>

</form>

</body>

<?php

// Print everything out

$result = $conn->query("SHOW TABLES");

while ( $row = $result->fetch_row() ){

$table = $row[0];

echo '<h3>',$table,'</h3>';

$result1 = $conn->query("SELECT * FROM $table");

if($result1) {

echo '<table cellpadding="0" cellspacing="0" class="db-table">';

$column = $conn->query("SHOW COLUMNS FROM $table");

echo '<tr>';

while($row3 = $column->fetch_row() ) {

echo '<th>'.$row3[0].'</th>';

}

echo '</tr>';

while($row2 = $result1->fetch_row() ) {

echo '<tr>';

foreach($row2 as $key=>$value) {

echo '<td>',$value,'</td>';

}

echo '</tr>';

}

echo '</table><br />';

}

}

echo '<br>';echo '<br>';echo '<br>';echo '<br>';

$conn->close();

?>

</html>

网友答案:

The reason why the row isn't being added to the database is because the query isn't executing. It is simply setting $sql to your query. Now all you need to do is execute the query using $conn->query($sql).

By the way, the values of the variables $servername, $username, $password, and $dbname should be in double (") or single (') quotes.

And a few other issues...

  • When it echos "Connected Successfully\n", it echos a \n. HTML uses <br> though.
  • There's an empty <link rel="stylesheet" href=""> in the <head>.
  • There are a few security issues with this. Refer to the bottom of this answer for more info.

Here's the corrected code:

<html>
<?php
$servername = 'hhhhh';
$username   = 'hiuhiuhiuh';
$password   = 'theseAreSecret';
$dbname     = 'shhhh';

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully<br>";    
?>

<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <title>Campfire</title>
</head>
<body>
    <form method="post">
        Username:
        <input type="text" name="nicknamee" value="Username"><br>
        Password:
        <input type="password" name="password" value="Password"><br>
        <input type="submit" name="Submit1" value="submit">
        <?php
if (isset($_POST['Submit1'])) {
    $sql = "INSERT INTO Users (userID, prenume, nume, nicknamee, parola, tara)
        VALUES (5, 'John', 'Snow', '$_POST[nicknamee]', '$_POST[password]', 'Romania')";
    $conn->query($sql); // this line was missing
}
?>
    </form>

</body>

<?php

// Print everything out
$result = $conn->query("SHOW TABLES");
while ($row = $result->fetch_row()) {
    $table = $row[0];
    echo '<h3>', $table, '</h3>';
    $result1 = $conn->query("SELECT * FROM $table");
    if ($result1) {
        echo '<table cellpadding="0" cellspacing="0" class="db-table">';
        $column = $conn->query("SHOW COLUMNS FROM $table");
        echo '<tr>';
        while ($row3 = $column->fetch_row()) {
            echo '<th>' . $row3[0] . '</th>';
        }
        echo '</tr>';
        while ($row2 = $result1->fetch_row()) {
            echo '<tr>';
            foreach ($row2 as $key => $value) {
                echo '<td>', $value, '</td>';
            }
            echo '</tr>';
        }
        echo '</table><br />';
    }
}
echo '<br><br><br><br>';

$conn->close();

?>
</html>

There are a few security issues with this setup though.

  • You may want to hash the passwords for better security. You can read more about that here
  • It is vulnerable to SQL Injection
  • You probably don't want to echo the tables that contain your password.
  • The form doesn't a CSRF token that is submitted with it. That isn't a huge problem, but someone could use it to spam your site. For example, they would create several <iframe>s on their site that would submit a post request to generate spam users.
  • It is vulnerable to XSS because it prints the rows. Someone could insert something like <script>alert(1)</script> into the database, and it would print it to the page and trigger an alert. I'd suggest encoding the responses with htmlspecialchars($html).
网友答案:

if no connection issue you should execute query that insert your data into database.

You just have your query string $sql but never execute.

after this line; $sql = "INSERT INTO Users (userID, prenume, nume, nicknamee, parola, tara) VALUES (5, 'John', 'Snow', '$_POST[nicknamee]', '$_POST[password]', 'Romania')";

try;

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}
分享给朋友:
您可能感兴趣的文章:
随机阅读: