PHP and SQLi connection help


rich_hemmo

Hi guys, I'm creating my own website and I want users to be able to register and log in. At the moment I'm just having trouble with letting users log in.

Here is the code:

config.php

<?php 

$connection = mysqli_connect("localhost","root","","registration");

// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

mysqli_close($connection);
?>

This is the submit_form.php

<?php

//select your database
//$b=mysql_select_db("database_name",$a);
$firstname=$_POST['firstname'];
$lastname=$_POST['lastname'];
$username=$_POST['username'];
//$confirmusername=$_POST['confirmusername'];
$password=$_POST['password'];
$confirmpassword=$_POST['confirmpassword'];
$email=$_POST['email'];
$confirmemail=$_POST['confirmemail'];
//Database connection
require_once("config.php");

//mysql query to insert value to database
$query="INSERT INTO 'users' (`firstname`, `lastname`, `username`, `confirmusername`, `password`, `confirmpassword`, `email` ,`confirmemail`) VALUES ('$firstname', '$lastname', '$username', '$password', '$confirmpassword', '$email' , '$confirmemail')";

$result = mysqli_query($connection,$query);
//if value inserted successyully disply success message
if(!$result) {

    die("The following SQL Failed $query");
}
echo 'Registred successfully..!!</div>';
?>

This is the error message that I'm getting 

 

Warning: mysqli_query(): Couldn't fetch mysqli in C:\xampp\htdocs\submit-form.php on line 19
The following SQL Failed INSERT INTO 'users' (`firstname`, `lastname`, `username`, `confirmusername`, `password`, `confirmpassword`, `email` ,`confirmemail`) VALUES ('richard', 'Hemmings', 'hemmo001', 'password', 'password', 'richardgwhemmings@msn.com' , 'richardgwhemmings@msn.com')

 

Can anyone shed any light onto the problem please?

 

Thanks in advance 

 

Rich

Link to comment
Share on other sites

If the user is new to the site, and wants to sign up, you can add a link to a "sign up" page. Open up your signup.php page, and you'll see some code already there. We'll now walk you through what it all does.

When you open up the code for the signup.php page, you'll see quite a lot of it is code that you've already met. It starts with the function that checks for dangerous SQL characters. Then we check that the form has been POSTED. The next lines are these:

$uname = $_POST['username'];
$pword = $_POST['password'];
$uname = htmlspecialchars($uname);
$pword = htmlspecialchars($pword);

We're just getting the username and password from the form, like we did before, and then checking it for unwanted tags. The next thing you need to do, though, is test that the username and password are of the correct length. You don't want a malicious user trying to inject megabytes of text!

$uLength = strlen($uname);
$pLength = strlen($pword);
if ($uLength >= 10 && $uLength <= 20) {
    $errorMessage = "";
}
else {
    $errorMessage = $errorMessage . "Username must be between 10 and 20 characters" . "<BR>";
}
if ($pLength >= 8 && $pLength <= 16) {
    $errorMessage = "";
}
else {
    $errorMessage = $errorMessage . "Password must be between 8 and 16 characters" . "<BR>";
}

What we're doing here is using the inbuilt function strlen ( ) to get the length of the string. We then use if .. else statements to check that the username and password are between certain values. If they are ok, the variable called $errorMessage is left blank. If they are not ok, we add some text for the error message.

Before checking the username and password against the database, we can check to see if the error message is blank:

if ($errorMessage == "") {
}

If it's blank, then everything is ok. In which case the rest of the code is executed. If it's not OK, then the user will see the text of the error message displayed.

Inside of the if statement for the error message check, we just set up the database code like we did before:

$user_name = "root";
$pass_word = "";
$database = "login";
$server = "127.0.0.1";
$db_handle = mysql_connect($server, $user_name, $pass_word);
$db_found = mysql_select_db($database, $db_handle);
if ($db_found) {
}

We're just checking that the database can be found. If it is, then we need to check if the username has already been taken:

$SQL = "SELECT * FROM login WHERE L1 = $uname";
$result = mysql_query($SQL);
$num_rows = mysql_num_rows($result);
if ($num_rows > 0) {
    $errorMessage = "Username already taken";
}
else {
}

The code attempts to select all the records from the table where a match with the username is found. (L1 is the name of the username field in the table.) If any records are returned, then the variable called $num_rows will be greater than zero. We check the value of $num_rows in an if ... else statement.

If the username has already been taken, then we can add something to the error message variable. (But there are security considerations to bear in mind here. Do you really want to tell a malicious user that a username has already been taken? If it's for a forum, then it's ok: the malicious user can simply read usernames from forum posts. But in that case, perhaps we shouldn't be using a username to log people in?)

If the value in the variable $num_rows is still zero, then we can go ahead and add the user to the database:

$SQL = "INSERT INTO login (L1, L2) VALUES ($uname, $pword)";
$result = mysql_query($SQL);
mysql_close($db_handle);

Here, we use the SQL command INSERT INTO to add a new record to the database.

After the user has been added to the database, we can then set the session variable:

session_start();
$_SESSION['login'] = "1";

The session variable called login will be set to 1. This means that the user can then start using the site straight away. In fact, we redirect them to a different page on the site:

header ("Location: page1.php");

Our new user is now a member!

 

Note: that's not a complete signup script.

Link to comment
Share on other sites

Read again; my explanation is understandable for a newbie.

The way you have posted your reply makes it hard for anyone to read. Also, when posting code it makes the post more readable if you wrap it in tags.

EDIT: I have read your post but I do not see how it relates to the OP.

Edited by Ch0cu3r
Link to comment
Share on other sites

@rich_hemmo: The problem is you are not connected to mysql. You need to call mysqli_connect first before running any queries.

Also, you should at least validate and sanitize the user input before using it in your query. And is it necessary to store the user's username, password and email twice? Passwords should not be stored as plain text; they should be hashed.

Link to comment
Share on other sites
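The fixes suggested in the reply above (a connection that is still open when the query runs, validated input, hashed passwords) put together as an added example that is not part of the original thread. The `app_user` account, the `DB_PASS` environment variable and the trimmed `users` schema are assumptions:

```php
<?php
// Added example, not code from the thread. Assumed schema:
// users(firstname, lastname, username UNIQUE, email UNIQUE, password_hash).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions, not warnings

// Replaces config.php: connect and return the handle. No mysqli_close() here,
// because the handle must still be open when the query runs.
function db_connect(): mysqli
{
    // 'app_user' and DB_PASS are hypothetical; avoid root with an empty password.
    $db = new mysqli('localhost', 'app_user', getenv('DB_PASS') ?: '', 'registration');
    $db->set_charset('utf8mb4');
    return $db;
}

// Returns a list of error strings; an empty list means the row was inserted.
function register_user(mysqli $db, array $in): array
{
    // Accept only string fields; arrays such as username[]=x become ''.
    $f = fn(string $k): string => is_string($in[$k] ?? null) ? trim($in[$k]) : '';
    [$first, $last, $user, $email] = [$f('firstname'), $f('lastname'), $f('username'), $f('email')];
    $pass = is_string($in['password'] ?? null) ? $in['password'] : '';

    $errors = [];
    if ($first === '' || $last === '') $errors[] = 'Name is required.';
    if (!preg_match('/^[A-Za-z0-9_]{3,30}$/', $user)) $errors[] = 'Invalid username.';
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) $errors[] = 'Invalid email.';
    if ($email !== $f('confirmemail')) $errors[] = 'Emails do not match.';
    if (strlen($pass) < 8) $errors[] = 'Password is too short.';
    if ($pass !== ($in['confirmpassword'] ?? null)) $errors[] = 'Passwords do not match.';
    if ($errors) return $errors;

    // Store only a salted hash; the confirm* fields are compared, never stored.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO users (firstname, lastname, username, email, password_hash)
                          VALUES (?, ?, ?, ?, ?)');
    $stmt->bind_param('sssss', $first, $last, $user, $email, $hash);
    try {
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) return ['That username or email is not available.'];
        throw $e; // anything else is a real fault: log it, do not echo the SQL
    }
    return [];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $errors = register_user(db_connect(), $_POST);
    echo $errors ? htmlspecialchars(implode(' ', $errors)) : 'Registered successfully.';
}
```

At login, the stored value is checked with `password_verify($submitted, $row['password_hash'])` rather than by comparing strings in SQL.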

The way you have posted your reply makes it hard for anyone to read. Also, when posting code it makes the post more readable if you wrap it in tags.

EDIT: I have read your post but I do not see how it relates to the OP.

It's just a copy/paste from a very bad online tutorial (to which I won't link; doesn't deserve it).

Link to comment
Share on other sites
