1

I have a problem with my script. What it is supposed to do is that when a user registers with the form, it should insert it, but only if the "passkey" matches the one that is in a different table that I set. After it has been verified it should insert the user info to the database, and then delete the passkey. I cannot seem to figure out what is wrong; it worked when there was only one input in the "passkey" table, but when I inserted more it stopped working. Any help would be appreciated!

Here is the code:

    <?php

    session_start();

    if ($_SESSION['auth'] == true)
    {
        header('location: ../../index.php');
    }
    else
    {
        include($_SERVER['DOCUMENT_ROOT']."/skole/system/db/DbConnector.php");

        new DbConnector();

        if ($_POST)
        {
            $navn = mysql_real_escape_string($_POST['name']);
            $brukernavn = mysql_real_escape_string($_POST['username']);
            $passord = md5(mysql_real_escape_string($_POST['password']));
            $siste_logginn = date("d/m/y H:i:s");
            $logginn_ip = $_SERVER['REMOTE_ADDR'];
            $email = mysql_real_escape_string($_POST['email']);
            $passkey = mysql_real_escape_string($_POST['passkey']);

            $qGetPasskey = mysql_query("SELECT * FROM passkey");
            $rGetPasskey = mysql_fetch_array($qGetPasskey);

            if($rGetPasskey['passkey'] == $passkey)
            {
                mysql_query("INSERT INTO brukere SET navn = '{$navn}', brukernavn = '{$brukernavn}', passord = '{$passord}', siste_logginn = '{$siste_logginn}', logginn_ip= '{$logginn_ip}', email = '{$email}', passkey = '{$passkey}'");

                mysql_query("DELETE FROM passkey WHERE passkey = '{$passkey}'");

                echo 'Success';
            }
            //header('location: ../../index.php');
        }
        else
        {
            echo 'Failure';
            //header('location: ../../index.php?aksjon=register&feil=1');
        }
    }

    ?>

3 Answers

1

I believe it is not matching because there is no loop to check multiple records in your array:

    $qGetPasskey = mysql_query("SELECT * FROM passkey");
    while($rGetPasskey = mysql_fetch_array($qGetPasskey)) {
        if($rGetPasskey['passkey'] == $passkey) {

            mysql_query("INSERT INTO brukere SET navn = '{$navn}', brukernavn = '{$brukernavn}', passord = '{$passord}', siste_logginn = '{$siste_logginn}', logginn_ip= '{$logginn_ip}', email = '{$email}', passkey = '{$passkey}'");

            mysql_query("DELETE FROM passkey WHERE passkey = '{$passkey}'");

            echo 'Success';
        }
    }
Nimantha
Ryan
0

Use or die(mysql_error());

See if you have any MySQL errors in your queries.

Example:

    mysql_query("INSERT INTO brukere SET navn = '{$navn}', brukernavn = '{$brukernavn}', passord = '{$passord}', siste_logginn = '{$siste_logginn}', logginn_ip= '{$logginn_ip}', email = '{$email}', passkey = '{$passkey}'") or die("Error ->".mysql_error());
GDP
Rob
  • I just tried that on both of the queries, but nothing is shown so I assume there are no problems with the queries, or the problem is before it's even executed, but I can't see where the problem might be. – PureDarkness Dec 08 '11 at 12:05
0

The recommended way to store and check a password is to use a salted hash function.
Never store an unencrypted password in a database! See: Secure hash and salt for PHP passwords

Store the userdata including passhash

    INSERT INTO user (username, salt, passhash)
    VALUES ('$username','$salt',SHA2(concat('$salt','$password'),512))

Check for valid username and password

    SELECT id FROM user
    WHERE username = '$username' AND passhash = SHA2(concat('$salt','$password'),512)

Insert data into a table if and only if a user exists

    $passkey = mysql_real_escape_string($_POST['passkey']);
    mysql_query("INSERT INTO brukere
      (navn, brukernavn, passord, sisteloginn, loginn_ip, email, passhash)
      SELECT
        '$navn','$brukernavn','$passord', '$siste_logginn', '{$logginn_ip}', '{$email}', id
      FROM user u
      WHERE u.username =  '$brukernavn'
        AND passhash = SHA2(concat(u.salt,'$passkey'),512)");

Note that you don't need the {} in your query; you only need those if you want to evaluate an expression. If you just want to inject a $var, '$var' and {'$var'} are the same.

Community
Johan
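An added example (not code from the question or from any answer above) of the passkey check done with a WHERE clause instead of fetching a single row, where the DELETE itself claims the key, and with bound parameters and password_hash() in place of string interpolation and md5(). It assumes PDO with an in-memory SQLite database standing in for MySQL, a `brukere` table trimmed to five columns, and a hypothetical function name `registerWithPasskey`.

```php
<?php
// Assumptions (not from the page): PDO with in-memory SQLite stands in for
// MySQL, brukere is trimmed to five columns, registerWithPasskey() is hypothetical.
function registerWithPasskey(PDO $db, string $navn, string $brukernavn,
                             string $passord, string $email, string $passkey): bool
{
    $db->beginTransaction();
    try {
        // Claim the key in one statement: WHERE finds it among any number of
        // rows, and rowCount() says whether this request removed it.
        $del = $db->prepare('DELETE FROM passkey WHERE passkey = ?');
        $del->execute([$passkey]);
        if ($del->rowCount() !== 1) {
            $db->rollBack();
            return false; // unknown or already-used passkey
        }
        // Bound parameters instead of escaping + interpolation;
        // password_hash() instead of md5().
        $ins = $db->prepare(
            'INSERT INTO brukere (navn, brukernavn, passord, email, passkey)
             VALUES (?, ?, ?, ?, ?)');
        $ins->execute([$navn, $brukernavn,
            password_hash($passord, PASSWORD_DEFAULT), $email, $passkey]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack(); // a failed insert puts the passkey back
        }
        throw $e;
    }
}

// Constructed sample data: two passkeys, the case that failed in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE passkey (passkey TEXT PRIMARY KEY)');
$db->exec('CREATE TABLE brukere (navn TEXT, brukernavn TEXT UNIQUE,
           passord TEXT, email TEXT, passkey TEXT)');
$db->exec("INSERT INTO passkey VALUES ('key-one'), ('key-two')");

var_dump(registerWithPasskey($db, 'Ola', 'ola', 'constructed-pw', 'ola@example.com', 'key-two'));
var_dump(registerWithPasskey($db, 'Kari', 'kari', 'constructed-pw', 'kari@example.com', 'key-two'));
var_dump(registerWithPasskey($db, 'Per', 'per', 'constructed-pw', 'per@example.com', 'wrong-key'));
```

The three calls cover a valid key stored as the second row, a reuse of that same key, and a key that was never issued. Verifying a login against the stored value is then done with password_verify().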