0

Trying to set up a panel for my users to view login-only content and I'm currently having an issue where people can register using the same username/email anybody know how to fix this I've tried a few different lines of code any advice?

Here's my current signup.php

<?php

require_once 'source/db_connect.php';

if(isset($_POST['signup-btn'])) {

      $username = $_POST['user-name'];
      if($username == '' || empty($username)){
          echo "<body style='background-color:#212121'><br><br><br><br><br><br><br><br><br><br><br><br><center><font size='12' color='red'>Username cannot be blank..</font></center> <br><br><br> <center><a href='register.html'><font size='5'>Click To Return.</font></a></body>";
          return false;
}
      $email = $_POST['user-email'];
      if(strpos($email, '@') == false || strpos($email, '.') == false){
        echo "<body style='background-color:#212121'><br><br><br><br><br><br><br><br><br><br><br><br><center><font size='12' color='red'>Invalid Email Adress..</font></center> <br><br><br> <center><a href='register.html'><font size='5'>Click To Return.</font></a></body>";
          return false;
      }
      $password = $_POST['user-pass'];
      if($password == '' || empty($password)){
          echo "<body style='background-color:#212121'><br><br><br><br><br><br><br><br><br><br><br><br><center><font size='12' color='red'>Password cannot be blank..</font></center> <br><br><br> <center><a href='register.html'><font size='5'>Click To Return.</font></a></body>";
          return false;
      }

      $hashed_password = password_hash($password, PASSWORD_DEFAULT);


try {
      $SQLInsert = "INSERT INTO users (username, password, email, to_date)
                   VALUES (:username, :password, :email, now())";

      $statement = $conn->prepare($SQLInsert);
      $statement->execute(array(':username' => $username, ':password' => $hashed_password, ':email' => $email));

      if($statement->rowCount() == 1) {
        header('location: success.html');
      }
    }
    catch (PDOException $e) {
      echo "Error: " . $e->getMessage();
    }

}

?>
joelxb
  • 1
  • 2
  • 1
    At a glance I'm seeing a variety of problems here. (1) The `else` before defining the `INSERT` statement has no curly braces, so the only thing in that block is defining the `INSERT` statement. Which means executing that statement will always happen. (2) If it's executing that statement even though it wasn't defined, that should produce an error. (3) `mysqli_num_rows($users)` should generate errors because the connection isn't specified *and* `$users` isn't defined. (4) Your code is open to SQL injection, which could be causing any number of problems. – David Mar 15 '20 at 15:18
  • Hi, David thanks for the info. I am quite new to PHP I have just edited the code back to what it is could you please explain how it is open to SQL injection and how I can fix it if possible? thanks! – joelxb Mar 15 '20 at 16:28
  • Your edit has removed the SQL injection vulnerability. To learn more about what SQL injection is, this is a good place to start: https://www.php.net/manual/en/security.database.sql-injection.php And there is specific information on how to prevent it here: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php Your edit has also significantly changed the code about which you're asking. What is the current problem with the code? Where are you trying to check for existing users and what isn't working? – David Mar 15 '20 at 16:33
  • there is no issue with the code, all I'm trying to do is prevent people from signing up with the same username and email, so prevent duplicate usernames and emails so when a user tries to signup with a username/email that's taken it will say "Username/Email already exists" The login system works fine just trying to do that – joelxb Mar 15 '20 at 18:27
  • You would do that by querying your database to see if a matching record exists. Are you familiar with how to execute a `SELECT` statement on your database and read the results? If not then now would be a good time to refresh some tutorials on using PDO in PHP with MySQL. – David Mar 15 '20 at 18:29
  • Found an easier way to do this for beginner PHP users, I set the username & email Column to UNIQUE in SQL – joelxb Mar 17 '20 at 23:43

0 Answers0