[Boyan]

Hello again, guys!

I'm making a user registration for my first-ever database drive app and I've encountered a problem that I can't fix since last night. First, there was a problem with the DB connection which is now fixed (doesn't give any errors).

There might be something wrong with my code here, that I really can't find out.

<?php

include ("db.php");

if (isset($_POST['username']) && isset($_POST['password']) && isset($_POST['email']) )

{

// prevent SQL injections

$username = mysqli_real_escape_string ($_POST ['username']);
$email = mysqli_real_escape_string ($_POST['email']);

// md5 hash of password

$password = md5 ($_POST['password']);

// check to see if username exists

$sql = mysqli_query ("SELECT username FROM users WHERE username = '".$username."'");

if (mysqli_num_rows($username>0))
{
die ("Username taken.");
} 
		
$insert_user = mysqli_query ("INSERT INTO users (username, password, email) VALUES ( '$username', '$password', '$email')") or die ("Error"); echo "Account Created.";

}	

There errors are these:

Quote

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\path\register.php on line 11

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\path\register.php on line 12

Warning: mysqli_query() expects at least 2 parameters, 1 given in C:\path\register.php on line 20

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\path\register.php on line 22

Warning: mysqli_query() expects at least 2 parameters, 1 given in C:\path\register.php on line 27
Error

Please note that I am quite a novice in PHP and I have trouble figuring errors out.

Thanks for you help, in advance.

[CTphpnwb]

You should not use mysql_* functions. Learn PDO.

[Boyan]

Thank you, sir, but now I'm even more confused.

[codeprada]

CTphpnwb, on 24 November 2011 - 01:17 PM, said:

You should not use mysql_* functions. Learn PDO.

It's actually MySQLi.

@Boyan I don't see where you actually opened the connection. The resource returned from creating the connection is required as the first parameter when using MySQLi's procedural functions.

[CTphpnwb]

In that case you should not be escaping strings. You should instead be using mysqli prepared statements.

[Boyan]

codeprada, on 24 November 2011 - 10:57 AM, said:

CTphpnwb, on 24 November 2011 - 01:17 PM, said:

You should not use mysql_* functions. Learn PDO.

It's actually MySQLi.

@Boyan I don't see where you actually opened the connection. The resource returned from creating the connection is required as the first parameter when using MySQLi's procedural functions.

The connection the the database in the included db.php file. That file in my app is:

<?php

session_start();
$con = mysqli_connect("localhost", "root", "password");
mysqli_select_db($con, "thedatabase") or die ("Cannot connect to database");

function user_login ($username, $password)
{

	$username = mysqli_real_escape_string ($username);
	
	//begin the query
	
	$sql = mysqli_query ("SELECT * FROM users WHERE username = ' ".$username." ' AND password = ' ".$password." ' LIMIT 1");
	
	$rows = mysqli_num_rows ($sql);
	
		if ($rows <=0 )
		{	
			echo "Incorrect username/password";
		}
		
		else 
		{
		
		$_SESSION ['username'] = $username;
		
		}
		

}
?>

Maybe the problem is here?

Thanks in advance.

[CTphpnwb]

When using mysqli procedural style you need to pass the link as well as the query.

[Boyan]

Hello guys! I figured this out! I'm posting the code, maybe someone will find it useful.

Here we go:

The registration form, v_register.html

<html>
<title>Registration</title>
<table border="0">

<form method="post" action="register.php">

<tr><td>Username: </td>
<td><input type="text" name="username" /></td></tr>
<tr><td>Password: </td>
<td><input type="password" name="password" /></td></tr>
<tr><td>E-mail: </td>
<td><input type="text" name="email" /></td></tr>

<tr><td></td><td><input type="submit" value="submit" /></td></tr>

</table>
</form>

</html>

And now the register.php file. The connection to the datebase is not in a separate file, I needed to code it quicky to see if it works. I will post the update version, so please don't close the thread.

<?php

// Connection with databse

$con=mysql_connect ("localhost", "root", "password");
mysql_select_db ("thedatabase");

// Storing the values submitted by form

$username=$_POST['username'];
$pass=$_POST['password'];
$password=md5($pass);
$email=$_POST['email'];

// Checking if the username is already in use

$queryuser=mysql_query ("SELECT * FROM users WHERE username='$username' ");
$checkuser=mysql_num_rows($queryuser);

if ($checkuser !=0)
{
	echo "Sorry, ".$username." is already been taken.";
}

// A query that inserts user into databse

$insert_user=mysql_query ("INSERT INTO users (username, password, email) VALUES ('$username', '$password', '$email')" );

if ($insert_user)
{
	echo "Registration successful";
}

else 
{
	echo "Error in registration";
}


?>

[CTphpnwb]

You've allowed user supplied data directly into an SQL query without scrubbing it or using prepared statements. You're asking to be hacked.

[Boyan]

I know there's nothing to protect against SQL injections. Also, I'm trying to figure the sessions now.

Can I use this against SQL injections? Any help is welcomed guys, because I'm just a beginner.

$username = mysqli_real_escape_string ($_POST ['username']);
$password = mysqli_real_escape_string ($_POST ['password']);
$email = mysqli_real_escape_string ($_POST['email']);

Thanks.

[Valek]

That will help, but it's imperfect. The best protection against SQL injection is Prepared Statements.

This post has been edited by Valek: 27 November 2011 - 11:07 AM

[Boyan]

Thank you, Valek. Can you please give me some hints how to use that in my code? I'm confused.

Thanks!