php mysql注册表格

Question

I've tried creating a register php code so i can sign people up when im not at my computer but for some reason it wont create the table and wont create the folders even when there not there.

the output is:

( ! ) Notice: Undefined variable: db_add_user

added user

user folder already created

user image folder already created

user profile picture already there

didn't create user table

done

and here's the code

connection.php

<?php

$servername = "localhost";
$username = "root";
$password = "";

// Create connections
$main_db = new mysqli($servername, $username, $password, "main_db");
$user_db = new mysqli($servername, $username, $password, "u");
$chat_db = new mysqli($servername, $username, $password, "chat");
$log_db = new mysqli($servername, $username, $password, "log");

?>

index.php

<?php
require('/website/live/includes/checkadmin.php')
?>

<html>
    <head>
        <title>register</title>
        <link rel="stylesheet" type="text/css" href="/main.css">
    </head>
    <body class="disableNotifications">
        <?php include("/website/live/includes/nav.php"); ?>

        <form action="register.php" method="post" >
            <input type="text" name="user" placeholder="user" required>
            <input type="text" name="login" placeholder="login" required>
            <input type="text" name="pass" placeholder="pass" required>
            <input type="text" name="email" placeholder="" required>
            <input type="text" name="year" placeholder="" required>
            <button type="submit"><h2>register</h2></button>
            <button type="reset"><h2>reset</h2></button>

        </form>

    </body>
</html>

register.php

<?php
#makes sure user is admin
require("/website/live/includes/checkadmin.php");
#opens connection to database
require("/website/live/includes/connection.php");

$query = $main_db->query("SELECT user FROM main_table WHERE user = '$_POST[user]'", MYSQLI_USE_RESULT);

if ($query) {
   while ($row = $query->fetch_array()) {
       $db_add_user = $row['user'];
   }
}

if ($db_add_user != $_POST['user']) {

    #adds user to main database
    $inserttable = "INSERT INTO `main_table` (`ID`, `user`, `email`, `year`, `login`, `pass`, `admin`, `master`, `banned`) VALUES (NULL, '$_POST[user]', '$_POST[email]','$_POST[year]' ,'$_POST[login]', '$_POST[pass]', 'False', 'False', 'False')";

    if ($main_db->query($inserttable, MYSQLI_USE_RESULT) === TRUE) {
        echo "added user <br>";
    } 
    else {
        echo "didn't add user <br>";
    }

    #makes folders
    if (file_exists("'/website/live/u/' . $_POST[user]") === TRUE) {
        mkdir('/website/live/u/' . $_POST['user']);
        echo "created user folder <br>";
    }
    else {
        echo "user folder already created <br>";
    }
    if (file_exists("'/website/live/u/' . $_POST[user] . '/images'") === TRUE) {
        mkdir('/website/live/u/' . $_POST['user'] . '/images');
        echo "created user image folder <br>";
    }
    else {
        echo "user image folder already created <br>";
    }
    if (file_exists("'/website/live/images/logo.png','/website/live/u/'.$_POST[user].'/logo.png'") === TRUE) {
        copy('/website/live/images/logo.png','/website/live/u/'.$_POST['user'].'/logo.png');
        echo "copyed user logo across <br>";
    }
    else {
        echo "user profile picture already there <br>";
    }
    #adds folders to user database
    $makeimages = "CREATE TABLE `$_POST[user]` ('name' TEXT NOT NULL , `time` DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP , `upvotes` INT NOT NULL DEFAULT '0' , `downvotes` INT NOT NULL DEFAULT '0' , UNIQUE `name` (`name`))";

    if ($user_db->query($makeimages, MYSQLI_USE_RESULT) === TRUE) {
        echo "created user table <br>";
    }
    else {
        echo "didn't create user table <br>";
    }

}

else {
    echo "user already added <br>";
    die;
}

#not going to redirect so erros can be displayed
echo "done <br>";
?>

btw the email input is just a number cause reasons.

Answer 1

I imagine due to the undefined variable your query is failing:

Notice: Undefined variable: db_add_user

$query = $main_db->query("SELECT user FROM main_table WHERE user = '$_POST[user]'", MYSQLI_USE_RESULT);

if ($query) {
   while ($row = $query->fetch_array()) {
       $db_add_user = $row['user'];
   }
}

If query is false ( or return no results ) the while never runs, ergo the variable is never set. One thing that is at least "bad form" is this

  '$_POST[user]'"

No quotes for the key, this should issue a warning like undefined constant, then PHP will default the constant value to = the name of the constant, or name .

It's doubtful that is why it is failing, but one never knows. In any case the while loop itself here is pointless when a single result is expected. Especially when using fetch_array instead of just fetch . That said I haven't used Mysqli in about 4 years so I'm a bit rusty on that as I use PDO these days. But unless I am mistaken, fetch_array should return the whole result set, thereby also making the while loop pointless.

In the case that the query does run, your user may not be correct.

Note - this is not necessary intended as an answer but is too much for a comment.

Following through with this, ignoring the fact it's totally open to SQL injection, when concatenating $_POST values directly into the SQL, is that you should check that the value of that post item is indeed what it should be. If not then it all falls apart. ie $_POST['user'] is what you think it is.

Also, another thing on the while loop.

By working my way through your code. fetch_array returns something like this

 [
   0 => ['item' => 'value' ]
 ]

In other words a multidimensional array. So therefore your while loop as it's coded can never pull the correct $row['user'] value out, because row is the entire result set, wrapped in a container array. So you would be looking at one level up in the array then where you think you are. ie. an array of rows, not a single row.

As mentioned in the comments by @Javad, your file_exists check in the if statement is also incorrect.

 file_exists("'/website/live/u/' . $_POST[user]");

Containing both single and double quotes ( also missing quotes around the key ). And should be of the form such as

 file_exists('/website/live/u/' . $_POST['user']);


 file_exists("/website/live/u/{$_POST['user']}");  //I prefer the {} for variable interpolation, yep that's a big word that means variable interpretation, or more simply PHP will just fill the variable value in.

etc.

Really, just think what that first error means to your code, in your mind replace this $db_add_user with ? or undefined . As it runs it will pass into the loop because surely that is not equal to posted user value. And with the improper formatted file exists check, the file will never exist, which causes it to create the proper file, because those are coded correctly. So the next time you run it, it does the same thing, creating the proper files/folders, which don't match the miss coded file exists check.

This Line is extremely troubling ( which is why i took the time to explain the below ):

  $inserttable = "INSERT INTO `main_table` (`ID`, `user`, `email`, `year`, `login`, `pass`, `admin`, `master`, `banned`) VALUES (NULL, '$_POST[user]', '$_POST[email]','$_POST[year]' ,'$_POST[login]', '$_POST[pass]', 'False', 'False', 'False')";

Imagine I post this as my password.

$_POST[pass] = "password', true, true, false )--";

The -- comments the rest of the sql out, so I just made myself an admin, and master of your site. ( assuming you mean true and not 'true' as a string ) Because your query becomes something like this

"INSERT INTO `main_table` (`ID`, `user`, `email`, `year`, `login`, `pass`, `admin`, `master`, `banned`) VALUES (NULL, 'god', 'gad@heaven.com','2017' ,'God', 'password', true, true, false) --', 'False', 'False', 'False')"

Where nothing after the -- counts because the DB thinks its a comment. Now I am not saying that exactly would work, as I'm not in a habit of exploiting SQL injection vulnerabilities, but it's close enough that you should seriously consider using prepared statements.