Validation not working for register form

Question

When I click the 'Sign Up' button, I want the page to be redirected to the server.php so it can run the validation (which is named reg_user).

But when the button is click, the page just refreshes to the same thing. None of the validation/error messages are shown.

Below is the code for my server.php where I have stated all the validations I want to happen:

<?php
session_start();

// initializing variables
$name = "";
$email = "";
$username = "";
$errors = array(); 

// connect to the database
$db = mysqli_connect('localhost', 'root', 'root', 'register');

// REGISTER USER
if (isset($_POST['reg_user'])) {
  // receive all input values from the form
  $name = mysqli_real_escape_string($db, $_POST['name']); 
  $email = mysqli_real_escape_string($db, $_POST['email']);
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
  $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

  // form validation: ensure that the form is correctly filled ...
  // by adding (array_push()) corresponding error unto $errors array
  if (empty($name)) { array_push($errors, "Full name is required");  
  }
  if (empty($email)) { array_push($errors, "Email is required"); 
  }
  if (empty($username)) { array_push($errors, "Username is required"); }
  if (empty($password_1)) { array_push($errors, "Password is required"); }
  if ($password_1 != $password_2) {
    array_push($errors, "The two passwords do not match");
  }

  // first check the database to make sure 
  // a user does not already exist with the same username and/or email
  $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
  $result = mysqli_query($db, $user_check_query);
  $user = mysqli_fetch_assoc($result);

  if ($user) { // if user exists
    if ($user['username'] === $username) {
      array_push($errors, "Username already exists");
    }

    if ($user['email'] === $email) {
      array_push($errors, "email already exists");
    }
  }

  // Finally, register user if there are no errors in the form
  if (count($errors) == 0) {
    $password = md5($password_1);//encrypt the password before saving in the database

    $query = "INSERT INTO users (name, email, username, password) 
              VALUES('$name', '$email', '$username', '$password')";
    mysqli_query($db, $query);
    $_SESSION['username'] = $username;
    $_SESSION['success'] = "You are now logged in";
    header('location: index.php');
  }
}

// ... 
// ... 

// LOGIN USER
if (isset($_POST['login_user'])) {
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password = mysqli_real_escape_string($db, $_POST['password']);

  if (empty($username)) {
    array_push($errors, "Username is required");
  }
  if (empty($password)) {
    array_push($errors, "Password is required");
  }

  if (count($errors) == 0) {
    $password = md5($password);
    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $results = mysqli_query($db, $query);
    if (mysqli_num_rows($results) == 1) {
      $_SESSION['username'] = $username;
      $_SESSION['success'] = "You are now logged in";
      header('location: index.php');
    }else {
        array_push($errors, "Wrong username/password combination");
    }
  }
}

?>

And below is the html page to register a user:

<?php include('server.php') ?>
<!DOCTYPE html>
<html lang="en">
<head>
    <title>Register</title>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">  
    <link rel="stylesheet" type="text/css" href="css/util.css">
    <link rel="stylesheet" type="text/css" href="css/main.css">
</head>
<body style="background-color: #999999;">

    <div class="header">
    <div class="limiter">
        <div class="container-login100">
            <div class="login100-more" style="background-image: url('images/bg-01.jpg');"></div>

            <div class="wrap-login100 p-l-50 p-r-50 p-t-72 p-b-50">
                <form class="login100-form validate-form">
                    <span class="login100-form-title p-b-59">
                        Sign Up
                    </span>                   
                      <form method="post" action="register.php">
                      <?php include('errors.php'); ?>

                    <div class="wrap-input100 validate-input">
                        <span class="label-input100">Full Name</span>
                        <input class="input100" type="text" name="name" placeholder="Name...">
                        <span class="focus-input100"></span>
                    </div>
                    <!------------------------------------------->

                    <div class="wrap-input100 validate-input">
                        <span class="label-input100">Email</span>
                        <input class="input100" type="text" name="email" placeholder="Email addess...">
                        <span class="focus-input100"></span>
                    </div>
                    <!------------------------------------------->

                    <div class="wrap-input100 validate-input">
                        <span class="label-input100">Username</span>
                        <input class="input100" type="text" name="username" placeholder="Username...">
                        <span class="focus-input100"></span>
                    </div>
                    <!------------------------------------------->

                    <div class="wrap-input100 validate-input">
                        <span class="label-input100">Password</span>
                        <input class="input100" type="password" name="password_1" placeholder="*************">
                        <span class="focus-input100"></span>
                    </div>
                    <!------------------------------------------->

                    <div class="wrap-input100 validate-input">
                        <span class="label-input100">Repeat Password</span>
                        <input class="input100" type="password" name="password_2" placeholder="*************">
                        <span class="focus-input100"></span>
                    </div>
                    <!------------------------------------------->

                    <div class="flex-m w-full p-b-33">
                        <div class="contact100-form-checkbox">
                            <input class="input-checkbox100" id="ckb1" type="checkbox" name="remember-me">
                            <label class="label-checkbox100" for="ckb1">
                                <span class="txt1">
                                    I agree to the
                                    <a href="#" class="txt2 hov1">
                                        Terms of User
                                    </a>
                                </span>
                            </label>
                        </div>


                    </div>

                    <div class="container-login100-form-btn">
                        <div class="wrap-login100-form-btn">
                            <div class="login100-form-bgbtn" ></div>
                            <button type = "submit" class="login100-form-btn" name="reg_user">
                                Sign Up
                            </button>
                        </div>

                        <a href="register.php" class="dis-block txt3 hov1 p-r-30 p-t-10 p-b-10 p-l-30">
                            Sign in
                            <i class="fa fa-long-arrow-right m-l-5"></i>
                        </a>
                    </div>
                </form>

                </form>
            </div>

            </div>
        </div>
    </div>
    </body>
</html>
<!-- ===============================================================================================-->
    <!--<script src="vendor/jquery/jquery-3.2.1.min.js"></script>
<!--===============================================================================================-->
    <!--<script src="vendor/animsition/js/animsition.min.js"></script>
<!--===============================================================================================-->
    <!--<script src="vendor/bootstrap/js/popper.js"></script>
    <script src="vendor/bootstrap/js/bootstrap.min.js"></script>
<!--===============================================================================================-->
    <!--<script src="vendor/select2/select2.min.js"></script>-->
<!--===============================================================================================-->
    <!--<script src="vendor/daterangepicker/moment.min.js"></script>
    <script src="vendor/daterangepicker/daterangepicker.js"></script>
<!--===============================================================================================-->
    <!--<script src="vendor/countdowntime/countdowntime.js"></script>
<!--===============================================================================================-->
    <!--<script src="js/main.js"></script>
</body>
</html>

I am using mysql to create a database called 'register' that has a table called 'users' which has a name, username, email and password field.

Thanks in advance!

Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` API's — RiggsFolly, Apr 20 '18 at 21:50

Charis Moutafidis · Accepted Answer · 2018-04-20T22:03:22.317

It is actually a good practice to use Post Requests on form submittion. This is usually a lot safer! Below is the change you need to make to your form tag, in order to make you redirect to server.php and send the data there with a Post request.

Replace:

<form class="login100-form validate-form">

With:

<form action="server.php" method="post" class="login100-form validate-form">

From what I see you are sending name, email, username, password_1, password_2, reg_user as request parameters. It is a good idea to make some validations in your server.php file on the top of it.

<?php
if(!isset($_POST['name']) or !isset($_POST['email']) or !isset($_POST['username']) 
or !isset($_POST['password_1']) or !isset($_POST['password_2']) or
 !isset($_POST['reg_user']) or $_SERVER['REQUEST_METHOD'] !== 'POST'){
    //redirect to an unauthorized page or something eg...
    header("Location: unauthorized.php");
    exit;
}

That way you also allow acces to POST requests only.

$_POST object has all the request data.

$username = $_POST['username'];
$email = $_POST['email'];
//ect...

Regarding the SQL Injection RiggsFolly mentioned, you need to change your code a little bit to look like this:

$stmt = $dbh->prepare("SELECT * FROM users WHERE username=? OR email=? LIMIT 1");
if ($stmt->execute(array($_POST['username'], $_POST['email']))) {
  while ($row = $stmt->fetch()) {
    print_r($row);
  }
}

Please be more specific to where this goes, I new to this :) — , Apr 20 '18 at 21:50
In your html page you need to replace your
like to the one above — Charis Moutafidis, Apr 20 '18 at 21:54
If there is something you did not understand or I was not specific enough, let me know! — Charis Moutafidis, Apr 20 '18 at 21:58
Feel free to give it a +1 or accept the answer if you think it was useful :P — Charis Moutafidis, Apr 20 '18 at 22:07

score 0 · Answer 2 · answered Apr 20 '18 at 21:47

0

You need to add attributes to form tag in order to post

 form action="server.php" method="POST">

answered Apr 20 '18 at 21:47

Aman jaura

201
3
15

So where exactly does this go sorry? Do I replace
with the above?
– Apr 20 '18 at 21:49
yes you should add action and method attributes to your form tag – Aman jaura Apr 20 '18 at 21:50
Just noticed you have multiple form tags. There cant be form inside other form. Either have two different forms or have one. – Aman jaura Apr 20 '18 at 21:54

Validation not working for register form

2 Answers2