
I'm currently developing a register page using PHP. It all seems to run ok, but the information is not being inputted into the database. I've been looking for hours but can't seem to find the issue. Any help is appreciated.

<!DOCTYPE html>
<html>
<head>
<title>Web App</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="style.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body style="background:lightblue;">
<div class="container">
    <h1>Register</h1>
    <form action="#" method="POST">
        <div class="form-group">
            <label for="email">Email address:*</label>
            <input type="email" class="form-control" name="email" placeholder="Example@hotmail.co.uk" value="<?php if(isset($_POST['email'])) echo $_POST['email'];?>">
        </div>
        <div class="form-group">
            <label for="fname">First Name:*</label>
            <input type="text" class="form-control" name="fname" placeholder="John" value="<?php if(isset($_POST['fname'])) echo $_POST['fname'];?>">
        </div>
        <div class="form-group">
            <label for="lname">Last Name:*</label>
            <input type="text" class="form-control" name="lname" placeholder="Smith" value="<?php if(isset($_POST['lname'])) echo $_POST['lname'];?>">
        </div>
        <div class="form-group">
            <label for="pwd">Password:*</label>
            <input type="password" class="form-control" name="pwd1" placeholder="*********" value="<?php if(isset($_POST['pwd1'])) echo $_POST['pwd1'];?>">
        </div>
        <div class="form-group">
            <label for="pwd">Re-Enter Password:*</label>
            <input type="password" class="form-control" name="pwd2" placeholder="*********" value="<?php if(isset($_POST['pwd2'])) echo $_POST['pwd2'];?>">
        </div>
            <button type="submit" class="btn btn-default">Submit</button>
    </form>
</div>  
<?php

    if($_SERVER['REQUEST_METHOD'] =='POST'){

        require('connect.php');
        $error = false;

        //email
        if(isset($_POST['email'])){
            $email = mysql_real_escape_string(trim($_POST['email']));
        }
        else{
            echo'please enter your email address';
            $error = true;
        }

        //first name
        if(isset($_POST['fname'])){
            $fname = mysql_real_escape_string(trim($_POST['fname']));
        }
        else{
            echo'please enter your first name';
            $error = true;
        }

        //last name
        if(isset($_POST['lname'])){
            $lname = mysql_real_escape_string(trim($_POST['lname']));
        }
        else{
            echo'please enter your last name';
            $error = true;
        }

        //password
        if(isset($_POST['pwd2'])){

            if(!empty($_POST['pwd2'])){

                if ($_POST['pwd1'] != $_POST['pwd2']){

                    echo'Passwords do not match';
                    $error = true;

                }
                else{

                $pwd = mysql_real_escape_string(trim($_POST['pwd1']));

                }               
            }
            else{

            echo'Please enter your password';
            $error = true;

            }
        }
        else{

        echo'please enter your password';
        $error = true;

        }

        if (!$error){

            $query = "INSERT INTO Login (Email, Firstname, Lastname, Password) VALUES ('$email', '$fname', '$lname', SHA512('$pwd')";
            $results = mysql_query($query);

            if (results){
                header('Location: login.php');
            }
            else{
                echo'Oops!';
            }

        mysql_close($db_connected);
        exit();

        }   
    }
?>
</body>
</html>
Alex Probert
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Nov 03 '16 at 14:25
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Nov 03 '16 at 14:26
  • And close a bracket. – u_mulder Nov 03 '16 at 14:26
  • From @tadman: ***WARNING:*** Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern development framework like Laravel comes with a robust authentication system built-in. – Jay Blanchard Nov 03 '16 at 14:26
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! ***SQL Injection!*** *It's not just for breakfast any more!* – Jay Blanchard Nov 03 '16 at 14:26
  • ***You shouldn't use [SHA password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Nov 03 '16 at 14:26
  • I don't believe SHA512 is a mysql function. Check for errors instead of blindly assuming that the query works. And listen to everyone else about the mysql_ functions. – aynber Nov 03 '16 at 14:27
  • @JayBlanchard I would disagree with that sentiment. There are a lot of precautions to take; that does not mean you need to roll your whole app into a framework for that. – nerdlyist Nov 03 '16 at 14:28
  • @aynber is ***absolutely correct***. – Jay Blanchard Nov 03 '16 at 14:28
  • tadman is speaking specifically to newbies @nerdlyist - there are too many ways to get this wrong. – Jay Blanchard Nov 03 '16 at 14:29
  • Thanks everyone for the feedback. Regarding the passwords, I was just aiming to get it to run, then to look at introducing the validation and look at the hashing. – Alex Probert Nov 03 '16 at 14:30
  • The reason this is failing is because you never connect to the database to begin with (`$db_connection`) – Jay Blanchard Nov 03 '16 at 14:31
  • I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Nov 03 '16 at 14:31
  • @JayBlanchard But wouldn't it be better to educate yourself than just rely on someone else? – nerdlyist Nov 03 '16 at 14:32
  • @JayBlanchard Thank you for your feedback, will take all your advice on board. – Alex Probert Nov 03 '16 at 14:34
  • @JayBlanchard The connection may be in `connect.php`... no way of knowing that. :/ – aynber Nov 03 '16 at 14:37

1 Answer

The reason this is failing is because you never connect to the database to begin with ($db_connection). In addition, MySQL does not have a SHA512() function which would cause your query to fail.

Little Bobby says your script is at risk for SQL Injection Attacks. Even escaping the string is not safe! SQL Injection! It's not just for breakfast any more!

Please stop using mysql_* functions. These extensions have been removed in PHP 7. Learn about prepared statements for PDO and MySQLi and consider using PDO, it's really pretty easy.

Never store plain text passwords! Please use PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. Make sure you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

Jay Blanchard
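The fixes the answer and comments call for, written out as one working POST handler. This is an added example, not the asker's code and not code from the answer: it keeps the same form field names and the same `Login` table, but replaces `mysql_*` with PDO prepared statements, replaces `SHA512()` (which MySQL does not have) with PHP's `password_hash()`, checks for errors instead of assuming the query worked, and never escapes or trims the password. The DSN, credentials, table definition and the 12-character minimum password length are assumptions for the example; substitute your own.

```php
<?php
// Added example, not code from the question or the answer. Assumes a MySQL
// database reachable with the DSN/credentials in db() and a table created as:
//   CREATE TABLE Login (
//     Id INT AUTO_INCREMENT PRIMARY KEY,
//     Email VARCHAR(255) NOT NULL UNIQUE,
//     Firstname VARCHAR(100) NOT NULL,
//     Lastname VARCHAR(100) NOT NULL,
//     Password VARCHAR(255) NOT NULL   -- holds password_hash() output
//   );
declare(strict_types=1);

function db(): PDO
{
    // Assumed connection details; in a real app load them from config, not source.
    $dsn = 'mysql:host=127.0.0.1;dbname=webapp;charset=utf8mb4';
    return new PDO($dsn, 'webapp_user', 'webapp_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

// Returns a list of error messages; an empty list means the form is valid.
// The password is compared and measured but never trimmed or escaped: any
// change to it would change what password_verify() has to match at login.
function validateRegistration(array $post): array
{
    $errors = [];
    if (filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    if (trim($post['fname'] ?? '') === '') {
        $errors[] = 'Please enter your first name.';
    }
    if (trim($post['lname'] ?? '') === '') {
        $errors[] = 'Please enter your last name.';
    }
    $pwd1 = $post['pwd1'] ?? '';
    $pwd2 = $post['pwd2'] ?? '';
    if ($pwd1 === '') {
        $errors[] = 'Please enter your password.';
    } elseif ($pwd1 !== $pwd2) {
        $errors[] = 'Passwords do not match.';
    } elseif (strlen($pwd1) < 12) {          // assumed minimum length policy
        $errors[] = 'Password must be at least 12 characters.';
    }
    return $errors;
}

// Inserts the user; true on success, false if the email is already registered.
// Values travel as bound parameters, so a first name such as
//   Robert'); DROP TABLE Login; --
// is stored as that literal string and never executed as SQL.
function registerUser(PDO $db, string $email, string $fname, string $lname, string $password): bool
{
    // Salted bcrypt today; PASSWORD_DEFAULT may move to a stronger algorithm in later PHP.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO Login (Email, Firstname, Lastname, Password)
         VALUES (:email, :fname, :lname, :pwd)'
    );
    try {
        $stmt->execute([':email' => $email, ':fname' => $fname, ':lname' => $lname, ':pwd' => $hash]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') {   // SQLSTATE 23000: UNIQUE index on Email violated
            return false;
        }
        throw $e;                          // anything else is a real failure; let it be logged
    }
    return true;
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateRegistration($_POST);
    if ($errors === []) {
        $ok = registerUser(db(), trim($_POST['email']), trim($_POST['fname']),
                           trim($_POST['lname']), $_POST['pwd1']);
        if ($ok) {
            header('Location: login.php');  // works only because nothing has been output yet
            exit();
        }
        $errors[] = 'That email address is already registered.';
    }
}
// ... the HTML form follows; print $errors inside it, escaped on output:
//   foreach ($errors as $msg) echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
```

Put this block at the top of the file, before `<!DOCTYPE html>`: the original page prints the whole form first and only then calls `header('Location: ...')`, which PHP refuses once output has started. When re-filling the form after a failed submit, wrap the values as `htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8')` rather than echoing `$_POST` raw, for the same reason the error messages are escaped above. The login page then checks the stored hash with `password_verify($_POST['pwd'], $row['Password'])`. If you do keep a MySQL-side hash for some other purpose, the function is `SHA2(str, 512)`, not `SHA512()`, but an unsalted fast hash is not a substitute for `password_hash()` for passwords.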