mercredi 5 février 2020

Sign up user with PHP and PDO [duplicate]

I am trying to save a user into my MySQL database using PDO. I am trying to do it with prepared statements in order to be save of injections. If the user has typed in everything correctly, the page should stay on the sign up page and display the message 'success' in the header (which it does).

But if I am checking in the database the new data is not saved in there.

PHP Code that I am using:


// Server and db login
$servername = "myServer";
$dbUsername = "myUserServername";
$dbPassword = "myServerPw";
$dbName = "myDbName";

try {
    $pdoCon = new PDO("mysql:host=".$servername.";dbname=".$dbName.";", $dbUsername, $dbPassword);
} catch (Exception $e){
    error_log($e->getMessage());
    exit('Connection failed, please try again.');
}


// All data user sent to file
$username = $_POST['Signup_Input_UserName'];
$email = $_POST['Signup_Input_UserEmail'];
$password = $_POST['Signup_Input_UserPassword'];
$password_repeat = $_POST['Signup_Input_UserPassword_Repeat'];
$checkSubscribe = $_POST['Signup_Input_UserCheckSubscribe'];
$isAdmin = 0;
$isBanned = 0;

$hasSubscribedChecked = 0;
if (empty($_POST['Signup_Input_UserCheckSubscribe'])) {
  $hasSubscribedChecked = 0;
} else {
  $hasSubscribedChecked = 1;
}

// Insert user into db -> sign user up
$sql = "INSERT INTO TUsers (UserName, UserPassword, UserEmail, UserIsPostAdmin, UserHasSubscribed,UserIsBanned) VALUES (:UserName, :UserPassword, :UserEmail, :UserIsPostAdmin, :UserHasSubscribed, :UserIsBanned)";

$stmtUser = $pdoCon->prepare($sql);
if (!$stmtUser) {
  // If stmtUser was incorrerct -> exit
  header("Location: ../signup.php?error=sqlerror");
  exit();
} else {
  // Password hashing using bcrypt
  $hashed_pwd = password_hash($password, PASSWORD_DEFAULT);
  $new_User = array(
      ':UserName' => $username,
      ':UserPassword' => $hashed_pwd,
      ':UserEmail' => $email,
      ':UserIsPostAdmin' => $isAdmin,
      ':UserHasSubscribed' => $hasSubscribedChecked,
      ':UserIsBanned' => $isBanned
  );

  // Here I have also tried to use $stmtUser->bindValue($new_User), but that did not seem to have any effect
  $stmtUser->bindParam($new_User);
  $stmtUser->execute();

  header("Location: ../signup.php?signup=success");
  exit();

I assume the problem is the way how I handle sql injections.




Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)