Php


G3NERALCHRIS

I have created an add-login.php and add-reg.php. I'm trying to figure out why it doesn't save to my table in MySQL.

Add login below.

<!DOCTYPE html>
<html>
<head>
<title>Home Page</title>

<style type="text/css">
@import url("templatemo_style.css");
</style>
</head>
<body>
	<div id="page">
		<div id="logo">
		</div>
<html>
<body>
<p align="center"><a href="add-reg.php">Register</a>, or enter your user name and password:</p>

<form action="index.html" method="post">
		
		<p align="center"> Username: <input type = "text" name="User"><br>
		<p align="center"> Password: <input type = "password" name="Pass"><br>
		<br>
		</br>
		<input type="submit" value="Login"/>
		<input type="reset">

</form>
</body>
</html>
</body>
</html>

add-reg.php

<!DOCTYPE html>
<html>
<head>
<title>Home Page</title>

<style type="text/css">
@import url("templatemo_style.css");
</style>
</head>
<body>
<div id="page">
<div id="logo"></div>
<?php 
$host= "localhost";
$user = "root";
$passwd = "";
$database = "test";
$tbl_name = "PASS";

 mysql_connect($host, $user, $passwd) or die(mysql_error()); 
 mysql_select_db("test") or die(mysql_error()); 
 
 
 //This code runs if the form has been submitted
 if (isset($_POST['submit'])) { 
 
 //This makes sure they did not leave any fields blank
 if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) {
  die('You did not complete all of the required fields, please go back, and complete the missing fields!');
  }
  
 // checks if the username is in use
  if (!get_magic_quotes_gpc()) {
  $_POST['username'] = addslashes($_POST['username']);
  }
 $usercheck = $_POST['username'];
 $check = mysql_query("SELECT username FROM PASS WHERE username = '$usercheck'") 
or die(mysql_error());
 $check2 = mysql_num_rows($check);
 
 //if the name exists it gives an error
 if ($check2 != 0) {
  die('Sorry, the username '.$_POST['username'].' is already in use.');
  }
 
 // this makes sure both passwords entered match
  if ($_POST['pass'] != $_POST['pass2']) {
  die('Your passwords did not match. ');
  }
  
  // here we encrypt the password and add slashes if needed
  $_POST['pass'] = md5($_POST['pass']);
  if (!get_magic_quotes_gpc()) {
  $_POST['pass'] = addslashes($_POST['pass']);
  $_POST['username'] = addslashes($_POST['username']);
  }
  
 // now we insert it into the database
  $insert = "INSERT INTO PASS (username, password)
  VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
  $add_member = mysql_query($insert);
  ?>

 <h1>Registered</h1>

 <p>Thank you very much, you have registered - you may now <a href="add-login.php">login</a>.</p>

 <?php 
 } 
 else 
 { 
 ?>

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

 <table border="0">
 
 <tr><td colspan=2><h1>Register to access the website.</h1></td></tr> 

 <tr><td>Username:</td><td><br>

 <input type="text" name="username" maxlength="60">

 </td></tr>

 <tr><td>Password:</td><td><br>

 <input type="password" name="pass" maxlength="10">

 </td></tr>

 <tr><td>Confirm Password:</td><td><br>

 <input type="password" name="pass2" maxlength="10">

 </td></tr>

 <tr><th colspan=0><input type="submit" name="submit" 
value="Register"></th></tr> </table>

 </form>


 <?php
 }
 ?>
Link to comment
https://forums.phpfreaks.com/topic/293124-php/

I'm not sure I follow your question, but I noticed the username form field is named "User":

<input type = "text" name="User">

And the script that processes the form uses "username":

$_POST['username'] = addslashes($_POST['username']);
 
Those names need to match.
 
 
Also note that addslashes() is meant for protecting your database from SQL injections. You should use mysql_real_escape_string() instead. More information can be found here:
 
Of course, it should be said that the mysql_* functions have been deprecated. If you haven't done so already, you need to look into PDO or MySQLi. More information can be found here:
 
Lastly, you'll want to avoid using the raw value from PHP_SELF for a form's action attribute. It makes your page susceptible to XSS attacks. More information about the attacks and how to change the attribute can be found here:
Link to comment
https://forums.phpfreaks.com/topic/293124-php/#findComment-1499726

/* Get the path and filename that you are currently on. */
$phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL);
$path_parts = pathinfo($phpSelf);
$basename = $path_parts['basename'];

This is one way of making PHP_SELF safe, and to utilize it you would do something like this:

<form class="formStyle" action="<?php echo $basename; ?>" method="post">

However, if you really just want to be safe then just do this:

<form class="formStyle" action="register.php" method="post">
Link to comment
https://forums.phpfreaks.com/topic/293124-php/#findComment-1499732
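
Added example, not part of any post in this thread: the registration logic from add-reg.php rewritten with the PDO prepared statements recommended in the first reply, with password_hash() in place of md5(). It assumes an in-memory SQLite database standing in for the MySQL "test" database so it runs offline; open_db() and register_user() are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. Assumptions: in-memory SQLite stands in
// for the MySQL "test" database so the script runs offline; register_user() and
// open_db() are hypothetical helpers; the password column is sized for a hash.

function open_db(): PDO {
    // With MySQL the DSN would look like 'mysql:host=localhost;dbname=test;charset=utf8mb4'.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE PASS (username VARCHAR(60) PRIMARY KEY,
                                   password VARCHAR(255) NOT NULL)');
    return $pdo;
}

function register_user(PDO $pdo, array $post): string {
    // Field names must match the form's name="" attributes exactly.
    $username = trim($post['username'] ?? '');
    $pass     = $post['pass']  ?? '';
    $pass2    = $post['pass2'] ?? '';
    if ($username === '' || $pass === '' || $pass2 === '') {
        return 'missing field';
    }
    if ($pass !== $pass2) {
        return 'passwords do not match';
    }
    // Placeholders send the value separately from the SQL text, so no
    // addslashes()/escaping step is involved.
    $check = $pdo->prepare('SELECT 1 FROM PASS WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return 'username in use';
    }
    // password_hash() salts and stretches the password; md5() does neither.
    $insert = $pdo->prepare('INSERT INTO PASS (username, password) VALUES (?, ?)');
    $insert->execute([$username, password_hash($pass, PASSWORD_DEFAULT)]);
    return 'registered';
}

// Constructed sample submissions.
$pdo  = open_db();
$good = ['username' => "O'Brien", 'pass' => 'correct horse', 'pass2' => 'correct horse'];
echo register_user($pdo, $good), "\n";                              // first attempt
echo register_user($pdo, $good), "\n";                              // same name again
echo register_user($pdo, ['User' => 'chris', 'Pass' => 'x']), "\n"; // mismatched names

$stored = $pdo->query('SELECT password FROM PASS')->fetchColumn();
var_dump(password_verify('correct horse', $stored));
// Escape user-supplied values when writing them back into HTML.
echo htmlspecialchars($good['username'], ENT_QUOTES, 'UTF-8'), "\n";
```

The PRIMARY KEY on username is what rejects a duplicate that arrives between the SELECT and the INSERT; with exceptions enabled, that case surfaces as a PDOException the caller can catch.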