André André - 9 days ago 4
HTML Question

PHP MySQL User registration form doesn't block empty password fields

I'm trying to create a simple user registration form using PHP and MySQL. Everything is working fine except the message "Please insert a password." is never echoed if the password input fields are empty and the data is inserted into the database with a blank password. How can I fix this?

<?php
if(isset($_SESSION['username'])){
header("Location: index.php");
}

if(isset($_POST['register'])){
include_once('connect.php');

$name = $surname = $email = $username = "";

$name = strip_tags($_POST['name']);
$surname = strip_tags($_POST['surname']);
$email = strip_tags($_POST['email']);
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$password_confirm = strip_tags($_POST['password_confirm']);

$name = stripslashes($name);
$surname = stripslashes($surname);
$email = stripslashes($email);
$username = stripslashes($username);
$password = stripslashes($password);
$password_confirm = stripslashes($password_confirm);

$name = mysqli_real_escape_string($conn, $name);
$surname = mysqli_real_escape_string($conn, $surname);
$email = mysqli_real_escape_string($conn, $email);
$username = mysqli_real_escape_string($conn, $username);
$password = mysqli_real_escape_string($conn, $password);
$password_confirm = mysqli_real_escape_string($conn, $password_confirm);

$password = md5($password);
$password_confirm = md5($password_confirm);

$sql_store = "insert into user (username, name, surname, email, password) values ('$username', '$name', '$surname', '$email', '$password')";
$sql_fetch_username = "select username from user where username = '$username'";
$sql_fetch_email = "select email from user where email = '$email'";

$query_username = mysqli_query($conn, $sql_fetch_username);
$query_email = mysqli_query($conn, $sql_fetch_email);

if (!empty($name) && !empty($surname) && !empty($email) && !empty($username) && !empty($password) && !empty($password_confirm)){

if(mysqli_num_rows($query_username)){
echo "That username is already in use.<br>";
}

else{
if(mysqli_num_rows($query_email)){
echo "That email is already in use.<br>";
}

else{
if($password != $password_confirm){
echo "The passwords do not match.<br>";
}

else{
mysqli_query($conn, $sql_store);
header("Location: index.php");
}
}
}
}

else{
if($name == ""){
echo "Please insert a name.<br>";
}

if($surname == ""){
echo "Please insert a surname.<br>";
}

if(mysqli_num_rows($query_username)){
echo "That username is already in use.<br>";
}

if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
if($email == ""){
echo "Please insert an email.<br>";
}

else{
echo "The email is not valid.<br>";
}
}

if(mysqli_num_rows($query_email)){
echo "That email is already in use.<br>";
}

if($username == ""){
echo "Please insert an username.<br>";
}

if($password == "" || $password_confirm == ""){
echo "Please insert a password.<br>";
}
}
}
?>

<html>
<body>
<form action="register.php" method="POST">
<input placeholder="Name" name="name" type="text" value="<?php if(!empty($name)){echo $name;}?>">
<input placeholder="Surname" name="surname" type="text" value="<?php if(!empty($surname)){echo $surname;} ?>"><br><br>
<input placeholder="E-Mail Address" name="email" type="text" value="<?php if(!empty($email)){echo $email;} ?>">
<input placeholder="Username" name="username" type="text" value="<?php if(!empty($username)){echo $username;} ?>"><br><br>
<input placeholder="Password" name="password" type="password">
<input placeholder="Confirm Password" name="password_confirm" type="password">
<input name="register" type="submit" value="Register">
</form>
</body>
</html>

Answer

You're not testing the password, you're testing the md5 hash of the password. The md5 hash of an empty string is not empty.

Also --

Your error message echo-ing is outside of the <html> element, which is not ideal. You should set a validation message (or better - a series of validation messages for each input, perhaps in an array) and then output this inside the <body> element.

And if this is to be a remotely secure system you should read up on secure password hashing.