
PHP mysql Registration page issue

Good afternoon, I'm trying to make registration on my web page and I have an issue - registration is happening, but it can create multiple users with the same symbols and also the same e-mails, and it doesn't give an error when passwords don't match.

Here is form -

    <form action = "register.php" method = "post">
                    Select username:<br>
                    <input type = "text" name = "username"><br>
                    Your e-mail:<br>
                    <input type = "email" name = "email"><br>
                    Set password:<br>
                    <input type = "password" name = "password1"><br>
                    Repeat password:<br>
                    <input type = "password" name = "password2"><br>
                    <button>&nbsp;</button>
                </form>

and here is PHP code -

    <?php



        if (isset($_POST['username']) && isset($_POST['email']) && isset($_POST['password1']) && isset($_POST['password2'])){


            $query = 'select * from users where username = "'.addslashes($_POST['username']).'"';
            $numrows = mysqli_num_rows($link,$query);
            if($numrows == 0){
                    $query_mail = 'select * from users where email = "'.addslashes($_POST['email']).'"';
                    $numrows_mail = mysqli_num_rows($link,$query_mail);
                    if($numrows_mail == 0){
                        if(isset($_POST['password1']) == isset($_POST['password2'])){
                            $sql = 'INSERT INTO users (username,password,email) VALUES("'.addslashes($_POST['username']).'","'.addslashes($_POST['password1']).'","'.addslashes($_POST['email']).'")';

                            $result = mysqli_query($link,$sql) or die(mysqli_error($link));

                    if($result){
                        echo 'Account sucsessfully created! You can now log in.';
                    }else{
                        var_dump($result);
                    }
                }else {
                    echo 'Passwords must match!';
                }
                }else {
                    echo 'E-mail allready registered!';
                }
            }else{
                echo 'Username allready in use!';
            }
        }
    ?>

Can someone explain what is incorrect here?

I've made some modifications to your code, in order for you to see how to use parameterized queries with placeholders. This is very important security-wise, and you should not "add it later", as it most likely never will get done. The below snippet also properly hashes your password, as that's also very important. Security should never be ignored and always be the first thing you think of when building your application.

    <?php
    if (isset($_POST['username'], $_POST['email'], $_POST['password1'], $_POST['password2'])) {
        $errors = array();

        // Count existing rows with this username (placeholder, no string concatenation)
        $stmt = $link->prepare("SELECT COUNT(id) FROM users WHERE username=?");
        $stmt->bind_param("s", $_POST['username']);
        $stmt->execute();
        $stmt->bind_result($count_username);
        $stmt->fetch();
        $stmt->close();

        // Same check for the e-mail address
        $stmt = $link->prepare("SELECT COUNT(id) FROM users WHERE email=?");
        $stmt->bind_param("s", $_POST['email']);
        $stmt->execute();
        $stmt->bind_result($count_email);
        $stmt->fetch();
        $stmt->close();

        if ($count_username)
            $errors[] = "That username already exists";

        if ($count_email)
            $errors[] = "That email already exists";

        if ($_POST['password1'] !== $_POST['password2'])
            $errors[] = "Passwords doesn't match";

        if (empty($errors)) {
            // Store only the hash, never the plain-text password
            $password = password_hash($_POST['password1'], PASSWORD_DEFAULT);

            $stmt = $link->prepare("INSERT INTO users (username, password, email) VALUES (?, ?, ?)");
            // Bind in column order: username, password (hash), email
            $stmt->bind_param("sss", $_POST['username'], $password, $_POST['email']);
            if (!$stmt->execute()) {
                if ($stmt->errno == 1062) {
                    /* A duplicate value was inserted into a unique column, might want to add some error-handling */
                } else {
                    /* Execution of query failed, TODO: add error-handling */
                }
            }
            $stmt->close();
        } else {
            foreach ($errors as $e)
                echo $e."\n";
        }
    }

Note: With the usage of password_hash(), your password column should be at least of length 255, and when you're verifying logins later, you have to verify it by password_verify() - the manual holds examples on how to do just that.

I recommend you read through these links, as they are highly relevant to a login system, but also to dealing with user input and passwords in general.

Reading material and references
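
The duplicate-key branch and the password_verify() note above, worked through as an added example that is not part of the original answer: UNIQUE constraints let the database reject duplicates that slip past the SELECT COUNT checks, and login compares against the stored hash. It assumes PDO with an in-memory SQLite database so it runs without a server (the answer uses mysqli and MySQL); the `register()` and `login()` functions, the schema and the sample accounts are constructed for illustration.

```php
<?php
// Added example; SQLite in memory stands in for MySQL so it runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE makes the database reject duplicates even when two requests
// pass a SELECT COUNT check at the same moment.
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL,
    email VARCHAR(255) NOT NULL UNIQUE
)');

function register(PDO $db, string $user, string $email, string $pw1, string $pw2): string
{
    if ($pw1 !== $pw2) {
        return 'Passwords must match';
    }
    $stmt = $db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
    try {
        $stmt->execute([$user, password_hash($pw1, PASSWORD_DEFAULT), $email]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation (MySQL errno 1062 maps to it)
        if ((string) $e->getCode() === '23000') {
            return 'Username or e-mail already registered';
        }
        throw $e;
    }
    return 'Account created';
}

function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // password_verify() reads the algorithm, cost and salt back out of the stored hash
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample input
echo register($db, 'alice', 'alice@example.test', 's3cret-pw', 's3cret-pw'), "\n";
echo register($db, 'alice', 'other@example.test', 'pw', 'pw'), "\n";   // duplicate username
echo register($db, 'bob', 'bob@example.test', 'one', 'two'), "\n";      // mismatch
var_dump(login($db, 'alice', 's3cret-pw'), login($db, 'alice', 'wrong'));
```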

When you do this if(isset($_POST['password1']) == isset($_POST['password2'])) you are checking that both exist or both don't exist; you must change it to if($_POST['password1'] == $_POST['password2']) if you want to check whether the passwords match.
