Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

So I wrote a very basic PHP registration form linking in with an HTML file; here's the code in PHP:

 <?php
if( $_POST )
{
$con = mysql_connect("localhost","KyleHulse","(my password)", "csdb1082");

if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("csdb1082", $Users);


$insert_query = "insert into feedback(
                user,
                password,
                email
                    ) 
                    values (
            '".$_POST['user']."',
            '".$_POST['password']."',
            '".$_POST['email']."')";

mysql_query($insert_query);

echo "<h2>Thanks for registering.</h2>";

mysql_close($con);
}
?>

And here's the corresponding HTML code:

  <head>
<meta charset="UTF-8">
<title>Registration</title>
</head>
<body>
<form action="register.php" method="post">
    <p>
        <label for="user">Username</label>
        <input type="text" name="user" id="user">
    </p>
    <p>
        <label for="password">Password:</label>
        <input type="text" name="password" id="password">
    </p>
    <p>
        <label for="email">Email:</label>
        <input type="text" name="email" id="email">
    </p>
    <input type="submit" value="Submit">
</form>
</body>

The annoying thing is I had it working earlier; something I changed caused it to break.


1 Answer

Below is the modified code using a prepared statement.

First step is to connect to the database. To do that, we need to define the access details.

// Define Database Credentials
$servername = "localhost"; //Server Name
$username = "KyleHulse"; //Username to the DB
$password = "(my password)"; //Password to the DB
$dbname = "csdb1082"; //Name of the Database

// Create Database Connection
$conn = new mysqli($servername, $username, $password, $dbname);

Now check the connection.

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

After this, you run your query. Please note that since this is your personal project, I am using SHA1 to hash your password. For a bigger project, I recommend researching further how to secure your password.

To run the query, first prepare it. This is how you do it.

$stmt = $conn->prepare("INSERT INTO feedback (user, password, email) VALUES (?, ?, ?)");

Here, you store the statement in the $stmt variable. The query has INSERT INTO followed by the table's name. In your case it is feedback.

After this, you list the table's fields to be saved in the first bracket. In your case it will be (user, password, email) followed by VALUES.

After this you add placeholders for the actual values using (?, ?, ?). Please note that the total count of ? must match the total count of fields in the previous bracket.

Now you have to bind the variables to these ?. This is done with:

$stmt->bind_param("sss", $user, $password, $email);

Please note that "sss" gives the formats of the values passed. Below are the formats.

i - integer
d - double
s - string
b - BLOB

You need to pass 3 values, so you have 3 s, followed by the variables where you will store the values from the HTML form:

$user = $_POST["user"];
$password = sha1($_POST["password"]); //simplest way to use SHA1 hash.
$email = $_POST["email"];

Now you just need to execute the prepared statement.

$stmt->execute();

That's it!

Below is the full code.

// Define Database Credentials
$servername = "localhost"; //Server Name
$username = "KyleHulse"; //Username to the DB
$password = "(my password)"; //Password to the DB
$dbname = "csdb1082"; //Name of the Database

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$stmt = $conn->prepare("INSERT INTO feedback (user, password, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $user, $password, $email);

$user = $_POST["user"];
$password = sha1($_POST["password"]); //simplest way to use SHA1 hash.
$email = $_POST["email"];

$stmt->execute();

Hope this helps.
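The registration flow above as an added, self-contained example (not part of the original question or answer): it uses PDO with an in-memory SQLite database in place of mysqli and MySQL so it runs without a server, and password_hash() in place of sha1(). The register() and login() helpers and the form values are constructed for illustration, and the pdo_sqlite extension is assumed to be enabled.

```php
<?php
declare(strict_types=1);

// Added example: in-memory SQLite (PDO) stands in for the page's MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feedback (user TEXT, password TEXT, email TEXT)');

// Constructed form input; the apostrophe is ordinary data in a real surname.
$post = ['user' => "O'Brien", 'password' => 'correct horse', 'email' => 'ob@example.test'];

// 1) Concatenation, as in the question: the apostrophe ends the SQL string early.
try {
    $db->exec("INSERT INTO feedback (user, password, email) VALUES ('"
        . $post['user'] . "', '" . $post['password'] . "', '" . $post['email'] . "')");
    echo "concatenated: inserted\n";
} catch (PDOException $e) {
    echo "concatenated: rejected by the SQL parser\n";
}

// 2) Placeholders: the values travel separately from the SQL text.
function register(PDO $db, array $post): bool
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || ($post['user'] ?? '') === '' || ($post['password'] ?? '') === '') {
        return false; // reject incomplete or malformed input before touching the DB
    }
    // password_hash() salts and stretches the password; sha1() does neither.
    $hash = password_hash($post['password'], PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO feedback (user, password, email) VALUES (?, ?, ?)');
    return $stmt->execute([$post['user'], $hash, $email]);
}

function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM feedback WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn(); // false when no such user exists
    return is_string($hash) && password_verify($password, $hash);
}

var_dump(register($db, $post));
var_dump(login($db, "O'Brien", 'correct horse'));
var_dump(login($db, "O'Brien", 'wrong password'));
```

The stored value is a salted hash that embeds its own algorithm and cost, so it is checked with password_verify() rather than by re-hashing and comparing strings.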

