Abdullah Amir Abdullah Amir - 3 days ago 4
PHP Question

Something's wrong with my php register codes

I've been trying to create a register page using php and html and once i was finally done and wanted to check if it works, it just reloaded the page and when i checked the database nothing new was in there. Here are the codes,
in register.php,

?php

require_once('connect.php');

$errors = array();

if (isset($_GET['submit'])) {

if (empty($_POST['username'])) { array_push($errors, 'Choose a username.'); }
if (empty($_POST['email'])) { array_push($errors, 'Choose an email.'); }
if (empty($_POST['password'])) { array_push($errors, 'Choose a password.'); }

$old_usn = mysql_query("SELECT id FROM users WHERE name = '".$_POST['username']."' LIMIT 1;") or die(mysql_error());
if (mysql_num_rows($old_usn) > 0) { array_push($errors, 'This username is already taken.'); }

$old_email = mysql_query("SELECT id FROM users WHERE email = '".$_POST['email']."' LIMIT 1;") or die(mysql_error());
if (mysql_num_rows($old_email) > 0) { array_push($errors, 'There is an existing account with this email.'); }

if ($_POST['password1'] != $_POST['password2']) { array_push($errors, 'The password does not match'); }

if (sizeof($errors) == 0) {

//htmlentities($_POST['username'], ENT_QUOTES);
$username = htmlentities($_POST['username'], ENT_QUOTES);
$email = htmlentities($_POST['email'], ENT_QUOTES);
$password1 = htmlentities(sha1($_POST['password1']), ENT_QUOTES);

mysql_query("INSERT into users (name, hashed_psw, email, joined)
VALUES ('{$username}', '{$password}', '{$email}', NOW());") or die(mysql_error());

}

}


?>
and below that,

<div class="container v-align-transform">
<div class="row">
<div class="col-sm-6 col-sm-offset-3">
<div class="feature bordered text-center">
<h4 class="uppercase">Register Here</h4>
<?php

foreach($errors as $e) {

echo $e;
echo "<br />\n";

}
?>
<form class="text-left" action="register.php" method="post">
<input type="text" name="username" value="" placeholder="Username" />
<input type="text" name="email" value="" placeholder="Email Address" />
<input type="password" name="password1" value="" placeholder="Password" />
<input type="password" name="password2" value="" placeholder="Confirm Password" />
<input type="submit" name="submit" value="Register" />
</form>
<p class="mb0">By signing up, you agree to our
<a href="/">Terms Of Use</a>
</p>
</div>
</div>
</div>
</div>


I've tried finding what's wrong but coudnt find anything.

Answer

There's a few things wrong with this that you should consider buttoning up.

  1. Don't use mysql_* functions. Use PDO, or at the very least, mysqli_* functions.
  2. Sanitize your SQL data. Or else.
  3. No need to use array_push (you can use it if you want to), you can use the shorthand version: $errors[] = "New Error"
  4. Don't use sha1/md5/etc hashes for passwords. Use salted hashes instead.
  5. Your form method is POST, but you're checking for $_GET... Switch that to $_POST (including your posted variables)
Comments