PHP query to insert data into mysql database

[zestyy99]

I have been creating a registration system, and my code will not insert the fields: "firstname", "lastname", "email", "username" into my database however it will insert the hashed password into my database. I think the problem might have something to do with the for loop, but to me it seems like it should work.

<?php


if (isset($_POST['submit'])){
    require_once 'config.php';
        $hashed_password = password_hash($_POST["password"], PASSWORD_DEFAULT);
        $fields = ['firstname', 'lastname', 'email', 'username'];
        $escaped_values = [];
        foreach($fields as $field){
            $escaped_values[$field] = mysqli_real_escape_string($connect, $_POST['$field']);
        }
        $sql = "INSERT INTO users (firstname, lastname, email, username, password) VALUES ('{$escaped_values["firstname"]}', '{$escaped_values["lastname"]}', '{$escaped_values["email"]}', '{$escaped_values["username"]}', '$hashed_password')";
        mysqli_query($connect, $sql);
        // send email
        $emailRecipient = $_POST["email"];
        $subject = 'Welcome!';
        $message_body = 'You have successfully created an account ' . $_POST["username"] . '! Welcome.';
        mail($emailRecipient, $subject, $message_body);
}
?>

Edited February 9, 2018 by zestyy99

[archive]

You should be getting errors, check your query as it has problems with single and double quotation marks; better still would be to change it to prepared statements.

INSERT INTO users (firstname, lastname, email, username, password) VALUES (?, ?, ?, ?, ?);

[pwntastic]

Hello, 

 

 

This line is off: 

 $escaped_values[$field] = mysqli_real_escape_string($connect, $_POST['$field']);

You don't want to pass in a variable into single quotation marks.  It looks like you would like to just do: 

$escaped_values[$field] = mysqli_real_escape_string($connect, $_POST[$field]);

Edited February 10, 2018 by pwntastic