Php form: register users

Question

i`m just starting in php, and I was wondering how to make a sign up form. I'm not really sure on how to add the values to the database. I'm using phpMyAdmin for the databases.

I have the inputs here:

<div id="registerSpace">
 <form id="formulaireInscription2" name="formSignup" method="post" action="signUp.php">
  <div class="registerUsername"><input type="text" placeholder="Username" name="txtUserName" /><span class="textInputs"></span></div>
  <div class="registerNom"><input type="text" placeholder="First name" name="txtNom" /><span class="textInputs">First name</span></div>
  <div class="registerPrenom"><input type="text" placeholder="Last name" name="txtPrenom" /><span class="textInputs">Family name</span></div>
  <div class="registerPassword"><input type="password" placeholder="Password" name="txtPassword" /><span class="textInputs">Password</span></div>
  <div class="dropLogonContentOptions"><input type="submit" value="Sign Up" name="send" />
 </form>
</div>

I put all my code in signUp.php. In phpMyAdmin, my database's called jleggett_colourful , and my table (where the user, password, first name blabla) is: t_usagers .
In there, I have u_id(auto increment, numbers only), u_nom(last name), u_prenom(first name), u_courriel(mail, also username!) and u_password.

What would be the best way to add it to the database? I have this code here:

<?php 
 session_start();

 include 'inc/define.inc.php';
 include 'inc/fct.inc.php';



 if (isset($_POST["txtUserName"]) && isset($_POST["txtNom"]) && isset($_POST["txtPrenom"]) && isset($_POST["txtPassword"]))
 {
  // Ouvre une connexion au serveur MySQL
  $connection = mysql_connect(NOM_SERVEUR, USER_NOM, USER_PASSWORD) or die("Impossible de se connecter : " . mysql_error());
  if (!$connection) {
    fin_perso('Problème de connexion au serveur : '. ' ---' . NOM_SERVEUR. '- - -' . USER_NOM. '- - -' . USER_PASSWORD. '- - - '  . mysql_error(), 'erreur_bd_');
  }

  // S�lectionne une base de données MySQL
  if (!mysql_select_db(NOM_BD))
  {
     fin_perso('Problème de connexion à la base de données : ' . mysql_error(), 'erreur_bd');
  }

  $sql = "INSERT INTO t_usager (u_nom, u_prenom, u_password) VALUES ('fdfs', 'qwerty', '456789')";

 else
  echo "Please, enter all informations"
?>

I'm a bit lost here, but it should look like this! The code to connect to the database is correct, I just don't know how to add it with the values from my form. Thx! (I have entered default values, just for testing in $sql).

Answer 1

You will change the following:

$sql = "INSERT INTO t_usager (u_nom, u_prenom, u_password) VALUES ('fdfs', 'qwerty', '456789')";

to use the values in the $_POST array (ie $_POST['txtUsername']). And then after you build the string for your query, you will need to call mysql_query ( $sql ); in order to actually run the query.

I believe that you are also missing a pair of {} within your code because the line with $sql on it is currently not valid (with the else right after since there is no nearby if it can relate to).

Code Example:

$nom = mysql_real_escape_string ( $_POST [ 'txtNom' ] );
$preNom = mysql_real_escape_string ( $_POST [ 'txtPrenom' ] );
$pass = mysql_real_escape_string ( $_POST [ 'txtPassword' ] );
$sql = "INSERT INTO t_usager (u_nom, u_prenom, u_password) VALUES ('$nom', '$preNom', '$pass')";

Answer 2

Judda's answer surely works, but the risk of SQL injection is so high it transcends the "risk" realm, becoming more of a certainty.

I suggest you get a good basic manual (O'reilly's "Learning PHP, MySQL and Javascript is pretty easy and straightforward for beginners) and learn the basic security rules to observe when dealing with databases.

Spoiler, escaping is not enough; you will need prepared statements.

If you don't want to buy a book, then please for the love of god read this before going any further.