Form validation with JQuery and PHP not working

Question

I am validating my form using jquery and after the form is left with no errors, I want to insert the data into the database but for some reasons, it is not working properly. Can you help me find out my mistake. Thanks,

The JQuery is

$.post('register_user.php',
                    {
                    'name' : name,
                    'email' : email,
                    'password': password
                    }, 
                    function(data) {
                            if(data == "success"){
                                alert("success");
                            } else if(data == "fail"){
                                alert("fail");
                            }
                    });

THE PHP

            $name = $_POST['name']; //else assign it a variabl
         $email = $_POST['email'];
        $password = $_POST['password'];

    $sql = "SELECT email FROM users WHERE LOWER(email) = '" . $email . "'";
    $result = mysql_query($sql) or die("Could not get email: " . mysql_error());

    if(mysql_num_rows($result) > 0) {
        //email is already taken
    }
    else {
        $query = mysql_query("INSERT INTO `users` ( `name`, `email`, `password`) VALUES ( '$name', '$email', '$password')") or die(mysql_error());
        $result2 = mysql_result($query);
        if((mysql_affected_rows($result2) ==1){
            echo 'success';
        } else {
            echo 'fail';
            }
    }

Answer 1

I dont have enough rep yet to comment, so I'll have to put this as an answer.

Step 1: Echo (or print) out what you can. Add echo inside your logic, like where you have: //email is already taken Also echo out the POST variables.

If they all look OK, you should try to echo out your queries. Eg. copy your query line that is like:

$query = mysql_query("INSERT INTO `users` ( `name`, `email`, `password`) VALUES ( '$name', '$email', '$password')")

Then paste it and change it to:

echo "INSERT INTO `users` ( `name`, `email`, `password`) VALUES ( '$name', '$email', '$password')";

Then if this looks bad, it's your query.. You can of course test the output in mysql directly via phpmyadmin or ssh to your server and run the commands through the console (if they give you shell access)

If you manage to get this to work, as some others commented: mysqli or pdo should be your next steps. You also need to do some basic stuff, even though that will take care of mysql injection.

You are still vunerable to XSS and also simply things like whitespace at the end of the email (users often get this, when they copy stuff and insert it into forms).

You can solve some of it by some helper functions you make in PHP, like:

function cleanData($data) {
    return strip_tags(trim($data));
}

That was a very simple sample by me, you can also add other parameters to the function, like casing. Then you can switch the casing and do strtolower, strtoupper, ucwords(strtolower(, etc. And you can then simply wrap your variables inside the function :-)

Btw. E-Mail I would check with regular expressions. Also dont let JS / client side code do the input validation, as it's very easy to manipulate the DOM, or even post from an alternative source. You have to think of this data as "dirty", as it's easy to tamper with.