
#1 Boyan

User Registration Problems

Posted 24 November 2011 - 10:14 AM

Hello again, guys!

I'm making a user registration for my first-ever database-driven app and I've encountered a problem that I haven't been able to fix since last night. First, there was a problem with the DB connection, which is now fixed (doesn't give any errors).

There might be something wrong with my code here that I really can't find.

<?php

include ("db.php");

if (isset($_POST['username']) && isset($_POST['password']) && isset($_POST['email']) )

{

// prevent SQL injections

$username = mysqli_real_escape_string ($_POST ['username']);
$email = mysqli_real_escape_string ($_POST['email']);

// md5 hash of password

$password = md5 ($_POST['password']);

// check to see if username exists

$sql = mysqli_query ("SELECT username FROM users WHERE username = '".$username."'");

if (mysqli_num_rows($username>0))
{
die ("Username taken.");
} 
		
$insert_user = mysqli_query ("INSERT INTO users (username, password, email) VALUES ( '$username', '$password', '$email')") or die ("Error"); echo "Account Created.";

}	


The errors are these:

Quote

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\path\register.php on line 11

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\path\register.php on line 12

Warning: mysqli_query() expects at least 2 parameters, 1 given in C:\path\register.php on line 20

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\path\register.php on line 22

Warning: mysqli_query() expects at least 2 parameters, 1 given in C:\path\register.php on line 27
Error


Please note that I am quite a novice in PHP and I have trouble figuring errors out.

Thanks for your help, in advance.


Replies To: User Registration Problems

#2 CTphpnwb

Posted 24 November 2011 - 10:17 AM

You should not use mysql_* functions. Learn PDO.

#3 Boyan

Posted 24 November 2011 - 10:56 AM

Thank you, sir, but now I'm even more confused. :)

#4 codeprada

Posted 24 November 2011 - 10:57 AM

CTphpnwb, on 24 November 2011 - 01:17 PM, said:

You should not use mysql_* functions. Learn PDO.

It's actually MySQLi.

@Boyan I don't see where you actually opened the connection. The resource returned from creating the connection is required as the first parameter when using MySQLi's procedural functions.

#5 CTphpnwb

Posted 24 November 2011 - 11:02 AM

In that case you should not be escaping strings. You should instead be using mysqli prepared statements.

#6 Boyan

Posted 24 November 2011 - 11:09 AM

codeprada, on 24 November 2011 - 10:57 AM, said:

CTphpnwb, on 24 November 2011 - 01:17 PM, said:

You should not use mysql_* functions. Learn PDO.

It's actually MySQLi.

@Boyan I don't see where you actually opened the connection. The resource returned from creating the connection is required as the first parameter when using MySQLi's procedural functions.


The connection to the database is in the included db.php file. That file in my app is:

<?php

session_start();
$con = mysqli_connect("localhost", "root", "password");
mysqli_select_db($con, "thedatabase") or die ("Cannot connect to database");

function user_login ($username, $password)
{

	$username = mysqli_real_escape_string ($username);
	
	//begin the query
	
	$sql = mysqli_query ("SELECT * FROM users WHERE username = ' ".$username." ' AND password = ' ".$password." ' LIMIT 1");
	
	$rows = mysqli_num_rows ($sql);
	
		if ($rows <=0 )
		{	
			echo "Incorrect username/password";
		}
		
		else 
		{
		
		$_SESSION ['username'] = $username;
		
		}
		

}
?>


Maybe the problem is here?

Thanks in advance.

#7 CTphpnwb

Posted 24 November 2011 - 11:31 AM

When using mysqli procedural style you need to pass the link as well as the query.

#8 Boyan

Posted 27 November 2011 - 08:34 AM

Hello guys! I figured this out! I'm posting the code, maybe someone will find it useful.

Here we go:

The registration form, v_register.html

<html>
<head><title>Registration</title></head>
<body>

<form method="post" action="register.php">
<table border="0">

<tr><td>Username: </td>
<td><input type="text" name="username" /></td></tr>
<tr><td>Password: </td>
<td><input type="password" name="password" /></td></tr>
<tr><td>E-mail: </td>
<td><input type="text" name="email" /></td></tr>

<tr><td></td><td><input type="submit" value="submit" /></td></tr>

</table>
</form>

</body>
</html>


And now the register.php file. The connection to the database is not in a separate file; I needed to code it quickly to see if it works. I will post the updated version, so please don't close the thread.

<?php

// Connection with database

$con=mysql_connect ("localhost", "root", "password");
mysql_select_db ("thedatabase");

// Storing the values submitted by form

$username=$_POST['username'];
$pass=$_POST['password'];
$password=md5($pass);
$email=$_POST['email'];

// Checking if the username is already in use

$queryuser=mysql_query ("SELECT * FROM users WHERE username='$username' ");
$checkuser=mysql_num_rows($queryuser);

if ($checkuser !=0)
{
	echo "Sorry, ".$username." is already been taken.";
	exit; // stop here so the INSERT below does not run for a taken username
}

// A query that inserts user into database

$insert_user=mysql_query ("INSERT INTO users (username, password, email) VALUES ('$username', '$password', '$email')" );

if ($insert_user)
{
	echo "Registration successful";
}

else 
{
	echo "Error in registration";
}


?>

#9 CTphpnwb

Posted 27 November 2011 - 09:54 AM

You've allowed user supplied data directly into an SQL query without scrubbing it or using prepared statements. You're asking to be hacked.

#10 Boyan

Posted 27 November 2011 - 10:10 AM

I know there's nothing to protect against SQL injections. Also, I'm trying to figure out the sessions now.

Can I use this against SQL injections? Any help is welcomed guys, because I'm just a beginner.

$username = mysqli_real_escape_string ($_POST ['username']);
$password = mysqli_real_escape_string ($_POST ['password']);
$email = mysqli_real_escape_string ($_POST['email']);


Thanks.

#11 Valek

Posted 27 November 2011 - 11:07 AM

That will help, but it's imperfect. The best protection against SQL injection is Prepared Statements.

#12 Boyan

Posted 27 November 2011 - 01:19 PM

Thank you, Valek. Can you please give me some hints how to use that in my code? I'm confused. :nervous:

Thanks!

Page 1 of 1
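
The thread ends with a request for hints on prepared statements, so here is an added example (not code from any poster) of the registration logic using MySQLi's procedural prepared-statement functions. It assumes the `users` table and the connection values shown in the posts; `register_user` is a hypothetical helper name, and `password_hash()` is swapped in for the thread's `md5()`.

```php
<?php
// Added example, not code from the thread. Assumes the users table
// (username, password, email) and the connection values shown in the posts.
mysqli_report(MYSQLI_REPORT_OFF); // return false on errors instead of throwing

// register_user() is a hypothetical helper name used for this example.
function register_user(mysqli $con, string $username, string $password, string $email): string
{
    // 1. Username check: the value travels as a bound parameter, never as SQL text.
    $stmt = mysqli_prepare($con, "SELECT 1 FROM users WHERE username = ? LIMIT 1");
    if (!$stmt) {
        return "Error in registration";
    }
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);   // buffer the result so num_rows is valid
    $taken = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    if ($taken) {
        return "Username taken.";
    }

    // 2. Swapped in for the thread's md5(): a salted, deliberately slow hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // 3. Insert with three string ("sss") parameters; no escaping is needed.
    $stmt = mysqli_prepare($con, "INSERT INTO users (username, password, email) VALUES (?, ?, ?)");
    if (!$stmt) {
        return "Error in registration";
    }
    mysqli_stmt_bind_param($stmt, "sss", $username, $hash, $email);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok ? "Registration successful" : "Error in registration";
}

if (isset($_POST['username'], $_POST['password'], $_POST['email'])) {
    // The link returned here is the first argument of every procedural call above.
    $con = mysqli_connect("localhost", "root", "password", "thedatabase");
    if (!$con) {
        die("Cannot connect to database");
    }
    echo register_user($con, $_POST['username'], $_POST['password'], $_POST['email']);
    mysqli_close($con);
}
```

With `password_hash()` the `password` column must hold at least 60 characters (255 leaves room for future algorithms), and the login side has to compare with `password_verify()` instead of matching the hash inside the SQL query.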