
I'm using my HTML form to pass the data to my PHP form below.

<?php

session_start();

include_once 'connect_to_db.php';

if($_SERVER["REQUEST_METHOD"] == "POST"){

    $fname = trim($_POST['user-fname']);
    $fname = strip_tags($fname);
    $fname = htmlspecialchars($fname);

    $lname = trim($_POST['user-lname']);
    $lname = strip_tags($lname);
    $lname = htmlspecialchars($lname);

    $email = trim($_POST['user-email']);
    $email = strip_tags($email);
    $email = htmlspecialchars($email);

    $pass = trim($_POST['user-password']);
    $pass = strip_tags($pass);
    $pass = htmlspecialchars($pass);
    $pass = hash($pass);

    $mail_query = mysql_query("SELECT user-email FROM User WHERE user-email='$email'");
    $ifthere = mysql_num_rows($mail_query);

    if ($ifthere!=0){
        $error = true;
        $mailexist = "The email provided is already registered with us, if you forgot your password, please use reset password";
    }
}

mysql_query("INSERT INTO User(user-fname, user-lname, user-email, user-password) VALUES('$fname', '$lname', '$email', '$pass')");

?>

I'm not sure what is happening; it loads my PHP page but just fails with the error "unable to handle this query".

Vignesh SP
    `-` in mysql usually means `substract`. So `user-fname` is `substract fname from user`. Not what you expect, huh? – u_mulder Oct 15 '17 at 16:15
  • Please start using `mysqli_*` or `PDO`, as `mysql_*` is deprecated and removed as of PHP 7. Also note that `strip_tags` and `htmlspecialchars` don't do the same as `mysql_real_escape_string`, and that you can use functions inside functions. `hash` isn't secure either; use `password_hash` instead. I think you need to wrap your column names in backticks. You are now basically saying `1-1` instead of `user-fname` – SuperDJ Oct 15 '17 at 16:17
  • @chris85, I'm just getting started with programming. I'm just trying to tie stuff together to learn, please suggest me how can I fix this or some other way to implement this. Thank you. – Vignesh SP Oct 15 '17 at 16:18
  • The `trim, strip_tags, htmlspecialchars` aren't securing your query (possibly `trim` is the only function that should be used, but not on the password). Your `hash()` usage is incorrect (use http://php.net/manual/en/function.password-hash.php). Your driver is out of date and unable to handle parameterized queries, which would secure your query (use `PDO` or `mysqli`). Also move the `insert` call inside the conditional. Check out http://www.codingcage.com/2015/04/php-login-and-registration-script-with.html – chris85 Oct 15 '17 at 16:19
  • @chris85, Thank you. I will follow that post now. – Vignesh SP Oct 15 '17 at 16:29
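The fixes the comments describe, written out as an added example (this is not the asker's code and not taken from the linked tutorial): PDO prepared statements instead of `mysql_*`, `password_hash()` instead of `hash()`, backticked column names so `user-email` is not parsed as a subtraction, and the `INSERT` moved inside the conditional. It assumes `connect_to_db.php` defines a PDO connection in `$pdo` with `PDO::ERRMODE_EXCEPTION` enabled.

```php
<?php
// Added example, not the asker's code. Assumes connect_to_db.php sets
// $pdo = new PDO(...) with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.
session_start();
include_once 'connect_to_db.php';

$error = false;
$mailexist = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Only trim. strip_tags/htmlspecialchars do not protect the query;
    // escape for HTML at output time, not before storing in the database.
    $fname = trim($_POST['user-fname'] ?? '');
    $lname = trim($_POST['user-lname'] ?? '');
    $email = trim($_POST['user-email'] ?? '');
    $pass  = $_POST['user-password'] ?? '';   // never trim or alter a password

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $error = true;
        $mailexist = 'Please enter a valid email address.';
    }

    if (!$error) {
        // Backticks are required: unquoted, MySQL reads user-email as user minus email.
        // The value is bound as a parameter, so it can never alter the SQL itself.
        $stmt = $pdo->prepare('SELECT 1 FROM `User` WHERE `user-email` = :email');
        $stmt->execute([':email' => $email]);
        if ($stmt->fetchColumn() !== false) {
            $error = true;
            $mailexist = 'The email provided is already registered with us, if you forgot your password, please use reset password';
        }
    }

    if (!$error) {
        // password_hash() salts and uses bcrypt; check later with password_verify().
        $hash = password_hash($pass, PASSWORD_DEFAULT);
        // The INSERT runs only inside the POST branch and only when no error was set.
        $stmt = $pdo->prepare(
            'INSERT INTO `User` (`user-fname`, `user-lname`, `user-email`, `user-password`)
             VALUES (:fname, :lname, :email, :pass)'
        );
        $stmt->execute([
            ':fname' => $fname,
            ':lname' => $lname,
            ':email' => $email,
            ':pass'  => $hash,
        ]);
    }
}
```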

0 Answers