MuphN Posted January 25, 2014

Hello. For some reason my script works but it doesn't store to the database. I made these so it would be stored without selection input or something.

```php
$s = 100;
$sa = 1;
$sb = 10;
$ac = 10;
$sd = 10;
```

And my storing results script.

```php
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt, drop, s, sa, sb, ac, ad) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) {
    $insert_stmt->bind_param('ssssssssss', $username, $email, $password, $random_salt, $drop, $s, $sa, $sb, $ac, $ad);
    // Execute the prepared query.
    if (! $insert_stmt->execute()) {
        header('Location: ../error.php?err=Registration failure: INSERT');
    }
}
```

ginerjm Posted January 25, 2014

You are not showing enough code to validate what you want us to examine. You don't check the results of the bind-param call. How about giving us enough info to help you out?

MuphN Posted January 25, 2014

Okay, so I need to create simple numbers to go to the database on register page. For example:

```php
<?php
include_once 'db_connect.php';
include_once 'psl-config.php';

$error_msg = "";

if (isset($_POST['username'], $_POST['email'], $_POST['p'])) {
    // Sanitize and validate the data passed in
    $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
    $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        // Not a valid email
        $error_msg .= '<p class="error">The email address you entered is not valid</p>';
    }

    $password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);
    if (strlen($password) != 128) {
        // The hashed pwd should be 128 characters long.
        // If it's not, something really odd has happened
        $error_msg .= '<p class="error">Invalid password configuration.</p>';
    }

    $drop = filter_input(INPUT_POST, 'my_dropdown', FILTER_SANITIZE_STRING);

    // Username validity and password validity have been checked client side.
    // This should be adequate as nobody gains any advantage from
    // breaking these rules.
    //

    $prep_stmt = "SELECT id FROM members WHERE email = ? LIMIT 1";
    $stmt = $mysqli->prepare($prep_stmt);

    if ($stmt) {
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();

        if ($stmt->num_rows == 1) {
            // A user with this email address already exists
            $error_msg .= '<p class="error">A user with this email address already exists.</p>';
        }
    } else {
        $error_msg .= '<p class="error">Database error</p>';
    }

    // TODO:
    // We'll also have to account for the situation where the user doesn't have
    // rights to do registration, by checking what type of user is attempting to
    // perform the operation.

    if (empty($error_msg)) {
        // Create a random salt
        $random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE));

        // Create salted password
        $password = hash('sha512', $password . $random_salt);

        $hp = 100;
        $level = 1;
        $str = 10;
        $agi = 10;
        $range = 10;

        // Insert the new user into the database
        if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt, Race, health, level, str, agi, range) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) {
            $insert_stmt->bind_param('ssssssssss', $username, $email, $password, $random_salt, $drop, $hp, $level, $str, $agi, $range);
            // Execute the prepared query.
            if (! $insert_stmt->execute()) {
                header('Location: ../error.php?err=Registration failure: INSERT');
            }
        }
        header('Location: ./register_success.php');
    }
}
?>
```

This is my whole register.inc page. As you know on other page there is a registration form, which results get here and stores in to database, don't really know how to explain it.

```php
$hp = 100;
$level = 1;
$str = 10;
$agi = 10;
$range = 10;
```

This is just numbers that should be inserted into database, but after I added those for some reason it doesn't store them in the db. Sorry for leaving not much info.

ginerjm Posted January 25, 2014

Sorry - your code is just difficult to follow.

MuphN Posted January 25, 2014 (edited)

> Sorry - your code is just difficult to follow.

No problem, I guess it's my own fault though.

Edited January 26, 2014 by MuphN

mac_gyver Posted January 26, 2014

you need to tell us what the code IS doing when it runs. is it redirecting to the error.php page or what?

MuphN Posted January 26, 2014

It sends the $username, $email, $password, $random_salt, $drop, $hp, $level, $str to database, from inputs.

```php
// Insert the new user into the database
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt, Race, health, level, str, agi, range) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) {
    $insert_stmt->bind_param('ssssssssss', $username, $email, $password, $random_salt, $drop, $hp, $level, $str, $agi, $range);
    // Execute the prepared query.
    if (! $insert_stmt->execute()) {
        header('Location: ../error.php?err=Registration failure: INSERT');
    }
}
header('Location: ./register_success.php');
```

And I need to add custom vars to the db, like $hp to health.

kicken Posted January 26, 2014

Those extra comments add nothing of value. All they do is say what the code should be doing, which is already obvious. If it were actually doing that, you wouldn't be posting here so what you need to tell us is what it's actually doing. You said it doesn't insert the data, but how exactly does it fail? Do you get redirected to the error page? Do you see the success page but no data in the DB? Have you checked the error message mysql gives you if the query fails?

That is all basic debugging steps you should have completed before posting. The results of those steps should have been included in your first post.

MuphN Posted January 26, 2014

It doesn't show any errors, just doesn't add those numbers to database, it doesn't add anything after I added those. Maybe I made a syntax mistake, maybe I selected the vars wrong? When I try to register, it shows "Successfully registered". I go to db, no new user registered.

Could be that I made a mistake in database, for example: all these new vars are numbers, and to database I added those columns with property INI(100) - 100 length, so maybe it doesn't add because there are some columns which are wrong.

Solution

Ch0cu3r Posted January 26, 2014 (edited)

The query could be failing due to you using a reserved keyword as a column name. Range is a reserved keyword in MySQL. When using this column name in queries add backticks when you reference it in your query

```php
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt, Race, health, level, str, agi, `range`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) {
```

Edited January 26, 2014 by Ch0cu3r

MuphN Posted January 26, 2014

> The query could be failing due to you using a reserved keyword as a column name. Range is a reserved keyword in MySQL. When using this column name in queries add backticks when you reference it in your query
>
> ```php
> if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, salt, Race, health, level, str, agi, `range`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")) {
> ```

I thought so, that u can find the problem, by checking the code. Thanks dude, u save my a** again. Grateful! )

mac_gyver Posted January 26, 2014

several words of caution about the script you found. it is at best just a demonstration of the secure login concepts that were presented. it is not a well written, finished, login script.

for example, in the registration process. if the prepare statement is failing due to an error, which is what is happening when you modified the insert query statement, the code doesn't attempt to run the insert query at all and it reports that registration was successful. the code should - a) detect and report errors that occur, and b) only report a successful registration if the insert query ran without any errors and actually inserted the row.

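
The two requirements in the last post, as an added example (not code from the tutorial or from any poster in this thread): a hypothetical `insert_member()` helper that logs database errors and returns true only when the insert ran and added exactly one row. It assumes `$mysqli` from `db_connect.php`, the already validated variables from the register script above, and integer columns for the five numeric values.

```php
<?php
// Added example, not the tutorial's code. Assumes $mysqli from db_connect.php
// and the already validated $username, $email, $password, $random_salt, $drop.
include_once 'db_connect.php';

// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: true only if the INSERT ran and added exactly one row.
function insert_member(mysqli $mysqli, array $m): bool
{
    try {
        $stmt = $mysqli->prepare(
            "INSERT INTO members
               (username, email, password, salt, Race, health, level, str, agi, `range`)
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
        );
        // Five strings followed by five integers (integer columns are assumed).
        $stmt->bind_param(
            'sssssiiiii',
            $m['username'], $m['email'], $m['password'], $m['salt'], $m['race'],
            $m['health'], $m['level'], $m['str'], $m['agi'], $m['range']
        );
        $stmt->execute();
        return $stmt->affected_rows === 1;
    } catch (mysqli_sql_exception $e) {
        // Full detail goes to the server log, never into the redirect URL.
        error_log('Registration INSERT failed: ' . $e->getMessage());
        return false;
    }
}

$member = [
    'username' => $username, 'email' => $email, 'password' => $password,
    'salt' => $random_salt, 'race' => $drop,
    'health' => 100, 'level' => 1, 'str' => 10, 'agi' => 10, 'range' => 10,
];

if (insert_member($mysqli, $member)) {
    header('Location: ./register_success.php');
} else {
    header('Location: ../error.php?err=' . urlencode('Registration failure: INSERT'));
}
// Stop here: a later header('Location: ...') call would replace this one.
exit;
```

With exceptions enabled, an unquoted `range` in the statement surfaces as a logged syntax error from `prepare()` instead of a silent skip followed by the success redirect.
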