PHP Register form not working after mysqli changes

Question

My register form was working properly, than in my index.php I changed all mysql functions to mysqli functions and now it does not work anymore. Register.php code:

<?php
require('config.php');
session_start();
// If the values are posted, insert them into the database.
if (isset($_POST['username']) && isset($_POST['password'])){
    $username = htmlEntities($_POST['username'],ENT_QUOTES);
    $password = htmlEntities($_POST['password'],ENT_QUOTES);

    $query = "INSERT INTO `users` (username, password) VALUES ('$username', '$password')";
    $result = mysqli_query($connect, $query);
    if($result){
       header("Location:index.php");
    }
    else
    {
        echo "Het werkt niet!";
    }    
}
?>

Don't insert the variables directly into your query. Use prepared statements.. — Ivar, Nov 17 '16 at 12:12
What php version you use? Check your php.ini for extension=mysqli.so or similar. it may be commented out. — Rafał Cz., Nov 17 '16 at 12:14
And do not - ever - change the users' password. Inform them if it isn't valid. And please encrypt it. — Jeff, Nov 17 '16 at 12:14
@RafałCz. I'm using Altervista which I think does not use the latest version of PHP. — Yarnick Boertje, Nov 17 '16 at 12:15
use [mysqli_error()](http://php.net/manual/de/mysqli.error.php) to find out what's going wrong. — Jeff, Nov 17 '16 at 12:16
@YarnickBoertje This way you are vulnerable for an SQL-Injection attack. Please read this question: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Ivar, Nov 17 '16 at 12:17
If I use either mysqli_error() or mysql_error($connection) it does not give any error. @Jeff — Yarnick Boertje, Nov 17 '16 at 12:18
@YarnickBoertje Try to print the `$query` to your browser, and then execute it yourself in your database. See what that returns. — Ivar, Nov 17 '16 at 12:21
@Ivar Thanks! The problem was that my ID was not auto incrementing so it gave the error that the ID 0 had already been used. Such an idiot mistake — Yarnick Boertje, Nov 17 '16 at 12:25

Blinkydamo · Answer 1 · 2016-11-17T12:24:46.207

Don't know the contents of you config file so added the information here.

<?php
if ( isset( $_POST[ 'username' ] ) && isset( $_POST[ 'password' ] ) )
{
    $username = htmlEntities( $_POST[ 'username' ], ENT_QUOTES );
    $hashed_password = password_hash( $_POST[ 'password' ], PASSWORD_BCRYPT, [ 'cost' => 12 ] ); // hashes the password before inserting into the database, do not alter the password though.

    $servername = "localhost";
    $username   = "username";
    $password   = "password";
    $dbname     = "myDB";

    // Create connection
    $conn = new mysqli( $servername, $username, $hashed_password, $dbname );

    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    // prepare and bind
    $stmt = $conn->prepare( "INSERT INTO users ( username, password ) VALUES ( ?, ? ) " );
    $stmt->bind_param( "ss", $username, $password );

    $stmt->execute();

}
?>

reference - http://www.w3schools.com/php/php_mysql_prepared_statements.asp

I have replaced the password line with one that will hash the password before placing it into the database.

When you come to check the password in the future use:

if( password_verify( $supplied_password, $hashed_password ) )
{
  // Passed
}

`$stmt->bind_param( "sss", $username, $password );` you've got one to many `s` there ;-) — Qirel, Nov 17 '16 at 12:24

PHP Register form not working after mysqli changes

1 Answers1