I'm trying to create a user registration page using PDO. I've never worked with this before, so I'm having trouble understanding how the values are inserted into my table.
Can anybody see what's going wrong with my code?
<?php
include_once ('/_includes/classes/connection.class.php');
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$accounttype = $_POST['accounttype'];
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES ($firstname,$lastname,$email,$password,$accounttype)";
echo $query;
$count = $dbh->exec($query);
$dbh = null;
?>
<?php
$dsn = 'mysql:host=localhost;dbname=site.co.uk';
$username = 'access@site.co.uk';
$password = 'password';
$options = array(
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
);
$dbh = new PDO($dsn, $username, $password, $options);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$userpassword = $_POST['password'];
$accounttype = $_POST['accounttype'];
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES (:firstname,:lastname,:email,:password,:accounttype)";
$stmt = $dbh->prepare($query);
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':password', $userpassword);
$stmt->bindParam(':accounttype', $accounttype);
$stmt->execute();
?>
Never do it the way you did, because of SQL injections.
Use prepared statements.
http://php.net/manual/de/pdo.prepared-statements.php
<?php
require_once ('_includes/classes/connection.class.php');
$stmt = $dbh->prepare('INSERT INTO users (firstname,lastname,email,password,accounttype) VALUES (:firstname,:lastname,:email,:password,:accounttype)');
// Pass the values directly (array($_POST) would nest the array) and only the expected keys,
// because any extra POST field would make execute() fail with "Invalid parameter number"
$stmt->execute([
    ':firstname' => $_POST['firstname'], ':lastname' => $_POST['lastname'], ':email' => $_POST['email'],
    ':password' => $_POST['password'], ':accounttype' => $_POST['accounttype'],
]);
What is going wrong is that you forgot the quotes around your values. But in the case of prepared statements you don't need quotes.
http://www.w3schools.com/sql/sql_insert.asp
And please don't save plain-text passwords into the database; use hashes.
Secure hash and salt for PHP passwords
Better use "require" or "require_once" if you really need the included file.
include_once ('/_includes/classes/connection.class.php');
will never include anything. There is no _includes directory in the root of the local filesystem.
"Can anybody see what's going wrong with my code?"
There can be other errors, but looking at code is not the way to go. One has to run the code to debug it, and watch the errors that occur.
The only thing I have to add as a side note: your code is as WET as a flood. Look at it: you're writing every field name SIX times!
- 2x in $firstname = $_POST['firstname'];
- 2x in bindParam(':firstname', $firstname);
- 2x in the INSERT query itself, for a total of 6 repetitions
You need to bind the values rather than use string concatenation.
$dsn = 'mysql:host=localhost;dbname=mydb';
$username = 'myun';
$password = 'mypw';
$options = array(
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
);
$dbh = new PDO($dsn, $username, $password, $options);
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES
(:firstname,:lastname,:email,:password,:accounttype)";
$stmt = $dbh->prepare($query);
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
//etc
$stmt->execute();
You should really use prepared statements. You should do something more like this, assuming:
Your code would be more like this.
<?php
error_reporting(E_ALL);
include_once ('_includes/classes/connection.class.php');
// Store a salted, slow password hash (password_hash), never a fast unsalted digest such as md5()
$params = [
    ':firstname'   => $_POST['firstname'],
    ':lastname'    => $_POST['lastname'],
    ':email'       => $_POST['email'],
    ':password'    => password_hash($_POST['password'], PASSWORD_DEFAULT),
    ':accounttype' => $_POST['accounttype'],
];
$statement = $dbh->prepare("INSERT INTO
users(firstname,lastname,email,password,accounttype)
VALUES (:firstname, :lastname, :email, :password, :accounttype)");
// Pass only the expected keys: execute($_POST) fails as soon as the form posts any extra field
if ($statement->execute($params) !== true) {
// there was some kind of error
// perhaps $statement->errorInfo() will tell you something
}
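Pulling the answers together, here is an added example (not code from the question or any answer) of a registration insert that binds every value, hashes the password with password_hash(), and only forwards the expected POST keys. It assumes $dbh is a PDO connection opened with PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION, a users table with the five columns used above and a UNIQUE index on email, and a hypothetical allowed set of account types.

```php
<?php
declare(strict_types=1);

/**
 * Inserts a new user and returns the new id, or an error string for the caller to show.
 * $dbh is assumed to be a PDO handle with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
 * so a failed execute() throws instead of silently returning false.
 */
function registerUser(PDO $dbh, array $post)
{
    // Only the expected fields reach the statement: stray POST keys (e.g. a submit button)
    // would otherwise make execute() fail with "Invalid parameter number".
    $firstname   = trim($post['firstname'] ?? '');
    $lastname    = trim($post['lastname'] ?? '');
    $email       = trim($post['email'] ?? '');
    $accounttype = $post['accounttype'] ?? '';
    $password    = $post['password'] ?? '';

    if ($firstname === '' || $lastname === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return 'invalid name or email';
    }
    if (!in_array($accounttype, ['member', 'seller'], true)) { // assumed set of allowed types
        return 'invalid account type';
    }
    if (strlen($password) < 8) {
        return 'password too short';
    }

    $stmt = $dbh->prepare(
        'INSERT INTO users (firstname, lastname, email, password, accounttype)
         VALUES (:firstname, :lastname, :email, :password, :accounttype)'
    );
    try {
        $stmt->execute([
            ':firstname'   => $firstname,
            ':lastname'    => $lastname,
            ':email'       => $email,
            // salted, deliberately slow hash; the plain text is never written to the table
            ':password'    => password_hash($password, PASSWORD_DEFAULT),
            ':accounttype' => $accounttype,
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation, here the UNIQUE index on email
        return $e->getCode() === '23000' ? 'email already registered' : 'database error';
    }
    return (int) $dbh->lastInsertId();
}
```

Later, a login check compares the submitted password with password_verify() against the stored hash; the hash column should be wide enough for PASSWORD_DEFAULT output (at least 255 characters is the usual advice).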