I have a form to signup with the code below:
<form method="post">
Username<input type="text" size="12" maxlength="16" name="username"><br />
Password<input type="password" size="12" maxlength="32" name="password"><br />
<input type="submit" name="submit" value="Sign Up!" />
</form>
And then I have it too check if the username contains any special characters and if it doesn’t it runs this code:
define("DB_SERVER", "localhost");
define("DB_USER", "will");
define("DB_PASS", "blahblah");
define("DB_NAME", "blahblah");
define("TBL_USERS", "users");
$connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS) or die(mysql_error());
mysql_select_db(DB_NAME, $connection) or die(mysql_error());
function addNewUser($username, $password){
global $connection;
$username =$POST['username'];
$password =$_POST['password'];
$password1 = md5($password);
$q = "INSERT INTO ".TBL_USERS." VALUES ('$username', '$password1')";
return mysql_query($q, $connection);
}
This should add the username and password to my table with the password as an md5 hash but it doesn’t, could someone please help me.
Thanks!
First of all:
Don’t use concatenated strings to insert values to the database. This is a major security hole, it can be exploited using a technique called SQL-Injection. You can prevent this by using so called Prepared Statements.
And this should solve your problem:
You probably don’t really call the addNewUser function. You just connect ot the database.
Try this: