php registration form complication [closed]

I created a registration system for my website but it is not working . When i click sign up it takes me to the process page and gives me the else statement but the information goes into the database but gives me the else statements. Also, when the information goes int the database more than one user goes in.

signup.php :

<html>
 <head>
<link rel="stylesheet" type="text/css" href="css.css">
 <title>Sign Up</title>
 </head>
   <body bgcolor="#E6E6FA">

  <h2 style="text-align: right"><b style="font-size: 25px">Sign Up Below</b></h2>
 <form name="registration" method="post" action="process2.php">
 <p align="right"><input type="text" name="username" size="35" id="Username" placeholder="User Name" /></p> 
 <br></br>
 <p align="right"><input type="password" name="password" size="35"  id="Password" placeholder="Password" /></p>
<br></br>
<p align="right"><input type="password" name="password2" size="35"  id="Password2" placeholder="Confirm Password" /></p>
<br></br>
<p align="right"><input type="text" name="email" size="35"  id="Email" placeholder="E-mail" /></p>
<p align="right"><input type="submit" name="submit" value="submit"></p>
 </form>

 <h3 style="font-size: 20px"><a href="register.php">Go Back To Home Screen</a></h3>  
</body>
</html>

process2.php:

  <?php
  include("db.php");

  if (isset($_POST['submit'])) {
    if ($_POST['password'] == $_POST['password2']) {
    $username = $_POST['username'];
    $pw = $_POST['password'];
    $pw2 = $_POST['password2'];
    $email = $_POST['email'];

    $pw = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 10));
    $pw2 = password_hash($pw2, PASSWORD_BCRYPT, array('cost' => 8));

    $sql = "INSERT into users VALUES(null, '$username', '$pw', '$pw2', '$email')";
    mysqli_query($conn, $sql);
  }

 if($username > 0){
   echo"This username is in use";
  } else {

 }
 }
 ?>

This is a suggestion and I am sure the eagle eyed Fred-ii- will spot the errors in it, but I believe this to handle the ifs and elses fully

       <?php
       include("db.php");

       if (isset($_POST['submit'])) {
                if ($_POST['password'] == $_POST['password2']) {
                     $username = $_POST['username'];
                     $pw = $_POST['password'];
                     $pw2 = $_POST['password2'];
                     $email = $_POST['email'];

           // validate and sanitize all of these inputs
           // and see that they are not blank at the same time

           // Do your MySql here to find the $username and 
           // bring out result of find in $username_result

                        if($username_result > 0){
                        $return_message = "This username is in use";
                        include("register.php");
                        exit;                           // exit; // or send them back to registration page
                        } else {
                        // it is not in use so put it in
                        $pw = password_hash($pw, PASSWORD_BCRYPT, array('cost' => 10));
                        $pw2 = password_hash($pw2, PASSWORD_BCRYPT, array('cost' => 8));

                        $sql = "INSERT into users VALUES(null, '$username', '$pw', '$pw2', '$email')";

                           if(mysqli_query($conn, $sql)){                                  
                           // if insert checked as successful echo username and password saved successfully
                           $return_message = "New user name and password created successfully.";        echo $return_message;   // stays on the same page
                           }else{
                           $return_message = "Sorry there has been an error, please try again.";   // and send them back to registration page 
                           include("register.php");
                           exit;
                           }   
                        }
                }else{
                $return_message = "The passwords do not match. Please re-enter them.";  // and send them back to registration page
                include("register.php");
                exit;
                }    
      }
      ?>

Remember to close connection and sanitize anything submitted from your form before it goes anywhere near your database.

It might be better to evaluate non-matching passwords on the registration page itself with JavaScript rather than submitting the page to validate.

When registration page is included you could put the error on that and keep the values in the textfields if you wanted to - so they could edit what they put in. Fixing a length might give hackers less leeway to submit nasties. So, instead of echoing the message you could make it $return_message = and have an echo on the registration page for messages. echo $return_message; as the value is still available to the page without it having to be re-posted until it gets corrected and re-submitted by the user.

         <p align="right"><input type="text" name="username" size="35" id="Username" placeholder="User Name" value="<?php echo $username;?>" maxlength="30" /></p>

来源：https://stackoverflow.com/questions/33838137/php-registration-form-complication

标签

php

mysqli

wamp