I'm trying to create a registration form that stores the user's entered data in a MySQL database. I was able to get it to work by manually setting the values, but learned that it was best to use prepared statements. This is what my PHP code looks like:

<?php

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "accounts";

//Creating a new connection to the database
$connection = new mysqli($servername, $username, $password, $dbname);

//Checking the connection
if ($connection->connect_error) {
    die("Connection failed: " . $connection->connect_error);
}

//SQL string used to insert the data into the database
$sql = "INSERT INTO users (name, email, password) VALUES (?, ?, ?)";

$stmt = mysqli_stmt_init($connection);
if (!mysqli_stmt_prepare($stmt, $sql)) {
    echo "Failed";
} else {
    mysqli_stmt_bind_param($stmt, "sss", $_POST["name"], $_POST["email"], $_POST["passowrd"]);
    mysqli_stmt_execute($stmt);
}
?>

And this is the HTML:

<div id="wrapper">
    <div id="formContent">
        <h3>Complete the following form to register an account:</h3>

        <form class="register" action="registration.php" method="post">

            Email: <input type="email" name="email" required> <br>
            Name: <input type="text" name="name" required> <br>
            Password: <input type="password" name="password" required> <br>
            Confirm Password: <input type="password" name="confirmed_password" required> <br>
            <input type="submit" name="submit">

        </form>
    </div>
</div>

The listed code returns no error but the database is not updated. I have been busting my head for some time now, so any help is appreciated.

  • You should be creating salts and hashing the passwords. Storing the submitted passwords in the database is not the correct way to do this. Commented Dec 2, 2018 at 1:11
  • @DevinCeartas I'm quite new to PHP and have come across that point, but I'm currently struggling with this particular problem. Commented Dec 2, 2018 at 2:10

1 Answer

First, you have a typo for password (you have $_POST['passowrd']) and second, this is based on the example from the documentation:

# Prepare (use the OOP version of this library)
$query  =   $connection->prepare("INSERT INTO users (`name`, `email`, `password`) VALUES (?, ?, ?)");
# Bind parameters and spell "password" correctly
$query->bind_param('sss', $_POST['name'], $_POST['email'], $_POST['password']);
# Execute
$query->execute();
# See if the row was created and echo success
echo ($query->affected_rows > 0)? 'Success!' : 'Failed';

You should be using password_hash() (storing) and password_verify() (validating) or a bcrypt equivalent library (if your version of PHP doesn't have those native functions). When using these functions, make sure your password column has like 255 character length so as not to cut off the password hash.

1 Comment

Now I just feel stupid :D. Thanks a lot for the help and the example. I'm quite new to PHP and security seems to be the primary concern when doing most things, I will alter my approach to learning it. Thanks again.
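
A registration handler along the lines the answer recommends, as an added example that is not part of the original question or answer. The helper names `build_user_row` and `register_user` are hypothetical, and the `users` table is assumed to be the question's, with a 255-character `password` column. It rejects missing fields (which would have exposed the misspelled key), hashes with password_hash(), and makes mysqli raise errors instead of failing silently.

```php
<?php
// Added example, not code from the question or the answer. Assumes the
// question's `users` table with `password` widened to VARCHAR(255).

// Hypothetical helper: validate the form fields and build the row to store.
// A missing field throws, which also exposes a misspelled $_POST key.
function build_user_row(array $post): array
{
    foreach (['name', 'email', 'password', 'confirmed_password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("Missing form field: $field");
        }
    }
    if ($post['password'] !== $post['confirmed_password']) {
        throw new InvalidArgumentException('Passwords do not match');
    }
    return [
        'name'     => $post['name'],
        'email'    => $post['email'],
        // password_hash() generates a random salt and embeds it in the hash.
        'password' => password_hash($post['password'], PASSWORD_DEFAULT),
    ];
}

// Hypothetical helper: insert the row with a prepared statement.
function register_user(mysqli $connection, array $post): bool
{
    // Make mysqli throw on a failed prepare/execute instead of returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $row  = build_user_row($post);
    $stmt = $connection->prepare(
        'INSERT INTO users (`name`, `email`, `password`) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $row['name'], $row['email'], $row['password']);
    $stmt->execute();
    return $stmt->affected_rows > 0;
}

// Constructed sample input; this part runs without a database connection.
$row = build_user_row([
    'name' => 'Alice', 'email' => 'alice@example.com',
    'password' => 'correct horse', 'confirmed_password' => 'correct horse',
]);
// Login-time check: compare the submitted password with the stored hash.
var_dump(password_verify('correct horse', $row['password']));
var_dump(password_verify('wrong guess', $row['password']));
```

In registration.php this would be called as `register_user($connection, $_POST)` inside a try/catch, logging the exception and showing the visitor only a generic failure message.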
