Login and sign up form issues


#1

I am having problems figuring out what is wrong with my PHP code for a sign-up and login form.

The following is the sign-up form, which isn't executing the query:
[php]<?php
ob_start();
session_start();
if ( isset($_SESSION['user']) != "" ) {
    header("Location: Profile.php");
}
include_once 'Config.php';

$error = false;

if ( isset($_POST['btn-signup']) ) {

    // clean user inputs to prevent sql injections
    $name = trim($_POST['name']);
    $name = strip_tags($name);
    $name = htmlspecialchars($name);

    $email = trim($_POST['email']);
    $email = strip_tags($email);
    $email = htmlspecialchars($email);

    $pass = trim($_POST['pass']);
    $pass = strip_tags($pass);
    $pass = htmlspecialchars($pass);

    // basic name validation
    if (empty($name)) {
        $error = true;
        $nameError = "Please enter your full name.";
    } else if (strlen($name) < 3) {
        $error = true;
        $nameError = "Name must have at least 3 characters.";
    } else if (!preg_match("/^[a-zA-Z ]+$/", $name)) {
        $error = true;
        $nameError = "Name must contain alphabets and space.";
    }

    // email validation
    if ( !filter_var($email, FILTER_VALIDATE_EMAIL) ) {
        $error = true;
        $emailError = "Please enter valid email address.";
    } else {
        // check if email already exists
        $query = "SELECT Email FROM 'Users' WHERE Email='$email'";
        $result = mysqli_query($db, $query);
        $count = mysqli_num_rows($result);
        if ($count != 0) {
            $error = true;
            $emailError = "Provided Email is already in use.";
        }
    }

    // password validation
    if (empty($pass)) {
        $error = true;
        $passError = "Please enter password.";
    } else if (strlen($pass) < 6) {
        $error = true;
        $passError = "Password must have at least 6 characters.";
    }

    // password encrypt using SHA256()
    $password = hash('sha256', $pass);

    // if there's no error, continue to signup
    if ( !$error ) {

        if ($stmt = $db->prepare("INSERT INTO Users (Username, Password, Email) VALUES (? , ?, ?)")) {
            $stmt->bind_param("sss", $username, $password, $email);
            $stmt->execute();
            if ($stmt->execute()) {
                $result = $stmt->get_result();
            }
        }

        if ($result) {
            $errTyp = "success";
            $errMSG = "Successfully registered, you may login now";
            unset($name);
            unset($email);
            unset($pass);
        } else {
            $errTyp = "danger";
            $errMSG = "Something went wrong, try again later...";
        }

    }

}
?>[/php]

This one is the login form, which seems to have the same issue:
[php]<?php

ob_start();
session_start();
include_once 'Config.php';

// it will not let you open login page if session is set
if ( isset($_SESSION['user']) != "" ) {
    header("Location: Profile.php");
    exit;
}

$error = false;

if ( isset($_POST['btn-login']) ) {

    // prevent sql injections / clear user invalid inputs
    $email = trim($_POST['email']);
    $email = strip_tags($email);
    $email = htmlspecialchars($email);

    $pass = trim($_POST['pass']);
    $pass = strip_tags($pass);
    $pass = htmlspecialchars($pass);

    if (empty($email)) {
        $error = true;
        $emailError = "Please enter your email address.";
    } else if ( !filter_var($email, FILTER_VALIDATE_EMAIL) ) {
        $error = true;
        $emailError = "Please enter valid email address.";
    }

    if (empty($pass)) {
        $error = true;
        $passError = "Please enter your password.";
    }

    // if there's no error, continue to login
    if (!$error) {

        $password = hash('sha256', $pass); // password hashing using SHA256

        $stmt = $db->prepare("SELECT * FROM Users WHERE Email = ? && Password = ?");
        $stmt->bind_param("ss", $email, $password);
        $stmt->execute();

        if ($stmt->num_rows == 1) {
            $_SESSION['user'] = $email;
            header("Location: Profile.php");
        } else {
            $errMSG = "Incorrect Credentials, Try again...";
        }

    }

}

?>[/php]


#2

Hi,
How is $db set?

Which query is not executing?

The one where you want to check if the email is already in use?
See what the query looks like before being sent.

The other query (INSERT INTO etc.) seems to be used as the condition of an if statement. I have no idea if it can be used like that, but personally I would do it differently.

Would it not be better:

[php]
if ( !$error )
{
    $stmt = $db->prepare("INSERT INTO Users (Username, Password, Email) VALUES (? , ?, ?)");
    $stmt->bind_param("sss", $username, $password, $email);
    $stmt->execute();
    // ...then whatever...
}
[/php]


#3

Sorry for the commentary, but this code looks like it was pieced together from bad w3schools coding examples. It’s hiding problems (with ob_start()) and it is not doing anything when there is a detectable problem to tell you why it isn’t working. There’s at least one variable naming mistake that either is being hidden by the ob_start() or you don’t have php’s error_reporting set to E_ALL and display_errors set to ON, so that php will help you by reporting and displaying all the errors it detects.

At a minimum, do the following -

  1. Remove the ob_start(); statements.

  2. Ensure that php's error_reporting is set to E_ALL and display_errors is set to ON, preferably in the php.ini on your development system.

  3. Add error handling for all the database statements (connection, queries.) The easiest way of doing this is to use exceptions and let php catch the exception, where it will use its error_reporting, display_errors, and log_errors settings to control what happens with the actual error information. Error_reporting should always be set to E_ALL. Display_errors should be set to ON, when learning, developing, and debugging code/queries. Display_errors should be OFF and log_errors should be ON, when on a live/public server.

To enable exceptions for the mysqli extension, add the following line before where you make the connection and remove any error handling logic there may be in the code now -
[php]mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);[/php]

After doing the above, you should start getting errors that will help you find some of the problems. Also, using $stmt->get_result() with the INSERT query will always fail. It always returns false for an INSERT query, because it is only used with SELECT queries.
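As an added example (not the original poster's code and not from either reply), here is the sign-up path rewritten along the lines of post #3: mysqli exceptions enabled, the duplicate-email check as a prepared statement with store_result() before num_rows, a single execute() on the INSERT verified through affected_rows instead of get_result(), and password_hash() swapped in for the thread's unsalted SHA-256. The connection values and the sample input are assumptions, and the Username column receives $name since the original's $username is never assigned.

```php
<?php
// Added example, not the thread's code. Assumes a Users(Username, Password, Email)
// table as in the question and hypothetical connection values (use your Config.php).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions, not silent false
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');

function registerUser(mysqli $db, string $name, string $email, string $pass): bool
{
    // Same rules as the original; no strip_tags/htmlspecialchars here because bound
    // parameters already stop SQL injection (escape for HTML when you output).
    if (!preg_match('/^[a-zA-Z ]{3,}$/', $name)) {
        throw new InvalidArgumentException('Name must have at least 3 letters/spaces.');
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('Please enter a valid email address.');
    }
    if (strlen($pass) < 6) {
        throw new InvalidArgumentException('Password must have at least 6 characters.');
    }

    // Duplicate-email check as a prepared statement; store_result() must run
    // before num_rows is meaningful on a mysqli_stmt.
    $check = $db->prepare('SELECT 1 FROM Users WHERE Email = ?');
    $check->bind_param('s', $email);
    $check->execute();
    $check->store_result();
    if ($check->num_rows > 0) {
        throw new RuntimeException('Provided email is already in use.');
    }

    // Salted, slow hash swapped in for the thread's bare SHA-256.
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    // execute() exactly once; get_result() only applies to SELECT, so an INSERT
    // is verified through affected_rows instead.
    $stmt = $db->prepare('INSERT INTO Users (Username, Password, Email) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $hash, $email);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

try {
    $ok = registerUser($db, 'Jane Doe', 'jane@example.com', 'secret123'); // constructed input
    echo $ok ? "Successfully registered, you may login now\n" : "Nothing inserted\n";
} catch (mysqli_sql_exception $e) {
    echo 'Database error: ', $e->getMessage(), "\n"; // the real SQL error, no longer hidden
} catch (InvalidArgumentException | RuntimeException $e) {
    echo 'Validation error: ', $e->getMessage(), "\n";
}
```

On the login side the same store_result() call is what makes $stmt->num_rows usable, and password_verify() against the stored hash replaces comparing a SHA-256 value in the WHERE clause.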