PHP registration form

TylerTheJames

New Member
Jun 14, 2015
4
0
Hi all, recently when I was going to make a register page (non habbo related) and put in everything I went to register and it doesn't give any error and redirects back to the login page, but when I refresh the db it doesn't show that a new account has been created
Code:
registration.php
PHP:
<?php
if(isset($_POST["submit"])){

if(!empty($_POST['email']) && !empty($_POST['pass'])) {
    $email=$_POST['email'];
    $password=$_POST['pass'];
    $name=$_POST['name'];
    $number=$_POST['number'];
    $content=$_POST['content'];

    $con=mysql_connect('localhost','root','*****') or die(mysql_error());
    mysql_select_db('test1') or die("cannot select DB");

    $query=mysql_query("SELECT * FROM  php_users_login WHERE email='".$email."'");
    $numrows=mysql_num_rows($query);
    if($numrows==0)
    {
    $sql="INSERT INTO `php_users_login`(`id`, `email`, `password`, `name`, `phone`, `content`, `last_login`) VALUES ([value-1],[value-2],[value-3],[value-4],[value-5],[value-6],[value-7])";

    $result=mysql_query($sql);


    if($result){
    echo "Account Successfully Created";
    } else {
    echo "Failure!";
    }

    } else {
    echo "That username already exists! Please try again with another.";
    }

} else {
    echo "All fields are required!";
}
}
?>
I have all the columns right, etc.
PS- Just started using php 2 days ago so the noob level is high right now
 

JayC

Well-Known Member
Aug 8, 2013
5,505
1,401
$sql="INSERT INTO `php_users_login`(`id`, `email`, `password`, `name`, `phone`, `content`, `last_login`) VALUES ([value-1],[value-2],[value-3],[value-4],[value-5],[value-6],[value-7])";
$result=mysql_query($sql);

?????
 

Weasel

👄 I'd intercept me
Nov 25, 2011
4,135
2,461
First of all, don't use mysql, use mysqli or PDO in PHP.

However, to debug your current code, add this after your mysql_query(): or die(mysql_error())
 

Unidentified

Living the Developer Life...
Jun 19, 2012
144
20
This is untested but hope it helps
PHP:
if(isset($_POST["submit"])){
    if(!empty($_POST['email']) && !empty($_POST['pass']) && !empty($_POST['name']) && !empty($_POST['number']) && !empty($_POST['content'])){
        // Connect first: mysql_real_escape_string() needs an open connection
        $Con = mysql_connect("Localhost", "Root", "Password") or die(mysql_error());
        mysql_select_db("test1") or die("Current Database doesn't exist");

        // Escape every user-supplied value before it is placed in a query string
        $Email = mysql_real_escape_string($_POST['email']);
        $Password = mysql_real_escape_string($_POST['pass']);
        $Name = mysql_real_escape_string($_POST['name']);
        $Number = mysql_real_escape_string($_POST['number']);
        $Content = mysql_real_escape_string($_POST['content']);
        $LastLogin = time();

        $Query = mysql_query("SELECT * FROM `php_users_login` WHERE `email` = '$Email'") or die(mysql_error());
        if(mysql_num_rows($Query) == 0){
            // Six columns, six values; stop with the MySQL error if the insert fails
            mysql_query("INSERT INTO `php_users_login` (`email`, `password`, `name`, `phone`, `content`, `last_login`) VALUES ('$Email', '$Password', '$Name', '$Number', '$Content', '$LastLogin')") or die(mysql_error());

            echo "Successfully: Account Created";
        } else {
            echo"Error: User already Exists";
        }
    } else {
        echo "All Fields are Required";
    }
}
 

AaidenX

Member
Jun 30, 2012
261
29
Horrible! Simply horrible! Don't use mysql_* functions as they are deprecated and will be removed in the near future. This means that your developed applications will not work in the latest versions. Moreover, mysql_* functions are flagged as not safe. I would strongly recommend you to try out PDO.
 

RastaLulz

fight teh power
Staff member
May 3, 2010
3,934
3,933
I'm not sure why you have "value-x" in your query, since you're not binding params or anything? You need to put the actual variable there that is assigned to some data.

Also, as mentioned above, you should NOT be using mysql_* functions, and when you do switch to mysqli or PDO, make sure that you bind params, as opposed to putting the data directly in the query. Also, if you're not modifying the data posted, you don't really have to redefine them. You also don't have to include things like "id" into your insert query, as MySQL assigns that automatically.

Here's an example of a secure way of using PDO:
PHP:
<?php

if (isset($_POST['submit']))
{
    if (empty($_POST['email']) || empty($_POST['pass']))
    {
        echo 'You must enter an email and password.';
    }
    else
    {
        $PDO = new PDO('mysql:host=localhost;dbname=database', 'username', 'password');

        $query = $PDO->prepare('SELECT * FROM `php_users_login` WHERE `email` = :email');

        $query->execute([
            'email' => $_POST['email'],
        ]);

        if ($query->rowCount() >= 1)
        {
            echo 'Sorry, but that email is already being used.';
        }
        else
        {
            $query = $PDO->prepare('INSERT INTO `php_users_login` (`email`, `password`, `name`, `phone`, `content`, `last_login`) VALUES (:email, :password, :name, :phone, :content, :last_login)');

            $query->execute([
                'email'      => $_POST['email'],
                'password'   => $_POST['pass'],
                'name'       => $_POST['name'],
                'phone'      => $_POST['number'], // the form field is named "number" in registration.php
                'content'    => $_POST['content'],
                'last_login' => time(),
            ]);

            /**
             * You can also bind params like this if you want
             * to be more strict with what type of content you
             * allow, like integers, strings, etc.
             *
             * $query->bindParam('email',      $_POST['email'],   PDO::PARAM_STR, 50);
             * $query->bindParam('password',   $_POST['pass'],    PDO::PARAM_STR, 250);
             * $query->bindParam('name',       $_POST['name'],    PDO::PARAM_STR, 30);
             * $query->bindParam('phone',      $_POST['number'],  PDO::PARAM_INT, 11);
             * $query->bindParam('content',    $_POST['content'], PDO::PARAM_STR, 1000);
             * $query->bindValue('last_login', time(), PDO::PARAM_INT); // bindParam() needs a variable, not an expression
             *
             * $query->execute();
             */

            echo 'Account should have been created.';
        }
    }
}
Please note that the code above is not tested.

Also, keep in mind that binding params protects you from things like SQL injections, but it does NOT protect you from things like XSS attacks. The point being, never trust the data that the user gives you, and always validate it, and when displaying it, make sure that you use a function like " ".
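Added example, not part of the original post or any poster's code: the points raised in this thread combined into one handler, with bound parameters, PDO errors raised as exceptions so a failed INSERT is not silent, a hashed password, and HTML-encoded output. It assumes a UNIQUE constraint on `email`; the SQLite in-memory database, the `register()` function and the sample input are constructed so the script runs offline.

```php
<?php
// Constructed example: SQLite in-memory stands in for the MySQL database.
function register(PDO $pdo, array $post): string
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $pass  = $post['pass'] ?? '';
    if ($email === false || $pass === '') {
        return 'You must enter a valid email and password.';
    }
    $stmt = $pdo->prepare(
        'INSERT INTO php_users_login (email, password, name, phone, content, last_login)
         VALUES (:email, :password, :name, :phone, :content, :last_login)'
    );
    try {
        $stmt->execute([
            'email'      => $email,
            // Store a salted hash, never the raw password
            'password'   => password_hash($pass, PASSWORD_DEFAULT),
            'name'       => $post['name'] ?? '',
            'phone'      => $post['number'] ?? '',
            'content'    => $post['content'] ?? '',
            'last_login' => time(),
        ]);
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate email here)
        if (strpos((string) $e->getCode(), '23') === 0) {
            return 'Sorry, but that email is already being used.';
        }
        throw $e; // any other failure surfaces instead of being ignored
    }
    // Encode user-supplied text before it is written into an HTML page
    return 'Account created for ' . htmlspecialchars($post['name'] ?? '', ENT_QUOTES, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
// Make every failed statement throw instead of returning false
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE php_users_login (
    id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password TEXT NOT NULL,
    name TEXT, phone TEXT, content TEXT, last_login INTEGER)');

// Constructed form input: markup in the name, a quote in the content
$post = ['email' => 'alice@example.com', 'pass' => 'correct horse battery',
         'name' => '<b>Alice</b>', 'number' => '5550100', 'content' => "it's a test"];
echo register($pdo, $post), PHP_EOL; // first attempt
echo register($pdo, $post), PHP_EOL; // same email again
$hash = $pdo->query('SELECT password FROM php_users_login')->fetchColumn();
var_dump(password_verify($post['pass'], $hash)); // login-time check against the stored hash
```

Relying on the UNIQUE constraint instead of a separate SELECT also closes the gap where two simultaneous requests both pass the "email not taken" check.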
 

AaidenX

Member
Jun 30, 2012
261
29
@Rooster You might wanna know that you are not following the PHP Unofficial Conventions set by which is defined by various majors.

The correct way to write an if-else block according to the standards is:

PHP:
if(condition) {

} else {

}
 

RastaLulz

fight teh power
Staff member
May 3, 2010
3,934
3,933
@Rooster You might wanna know that you are not following the PHP Unofficial Conventions set by which is defined by various majors.

The correct way to write an if-else block according to the standards is:

PHP:
if(condition) {

} else {

}
Nor are you, there should be a space after "if".
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,398
962
@Rooster You might wanna know that you are not following the PHP Unofficial Conventions set by which is defined by various majors.

The correct way to write an if-else block according to the standards is:

PHP:
if(condition) {

} else {

}
The 'correct' way according to an unofficial group who have no recognition from the actual PHP Group.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
906
247
It's all down to personal preference. All give you the exact same result.

But if there was to be a "true" way it should be written then it should probably be:
PHP:
if ($a != 2) {
    $a = 2;
} else {
    $a = 7;
}
^ Taken from the Zend Framework coding style manual.
 
