Submitting form, mysql and php

Question

I\'m new to php and sql and all that stuff, and I was watching a tutorial on youtube about forums in php and wonder why this code doesn\'t echo \"Success\" when submitting t

Answer 1

There are a few things wrong here.

You're using the wrong identifiers for your columns in (and being quotes):

('id', 'username', 'password', 'email')

remove them

(id, username, password, email)

or use backticks

(`id`, `username`, `password`, `email`)

mysql_error() should have thrown you an error, but it didn't because of:

• You're mixing MySQL APIs with mysqli_ to connect with, then mysql_ in your query.

Those two different APIs do not intermix with each other.

Use mysqli_ exclusively and change your present query to:

if($query = mysqli_query($connect, "INSERT...

and change mysql_error() to mysqli_error($connect)

as a rewrite for that block:

if(isset($_POST["submit"])){
    if($query = mysqli_query($connect,"INSERT INTO users ('id', 'username', 'password', 'email') VALUES('', '".$username."', '".$password."', '".$email."')")){
        echo "Success";
    }else{
        echo "Failure" . mysqli_error($connect);
    }
}

Just to test the error, make the changes as I outlined just above, while keeping the quotes around your columns the way you have it now. You will then see the error that MySQL will throw. You can then do as I've already outlined above and remove the quotes around the column names, or replace them with backticks.

The tutorial you saw may very well used backticks, but were probably not distinguishable enough for you to tell that they were indeed backticks and not single quotes.

However, your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements, they're much safer.

---

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

---

Also, instead of doing:

$connect = mysqli_connect("localhost", "root", "") or die("Could not connect to server!");
mysqli_select_db($connect, "php_forum") or die("Could not connect to database!");

You should be checking for errors instead, just as the manual states

$link = mysqli_connect("myhost","myuser","mypassw","mybd") 
or die("Error " . mysqli_error($link)); 

• http://php.net/manual/en/function.mysqli-connect.php

So in your case:

$connect = mysqli_connect("localhost", "root", "","php_forum") 
or die("Error " . mysqli_error($connect)); 

---

Edit: and I changed action="register.php" to action="" since you're using the entire code inside the same page.

    
        
    
    
        

            Username: 
            

            Password: 
            

            Confirm Password: 
            

            Email: 
            

             or Log in