PHP Registration Script Not Working

Question

I've written a PHP registration/login system that works fine. However, I tried to add some server side error checking to prevent a user from signing up without entering a password, to check that the password fields match, etc. Here is my code:

<?php

session_start();

// retrieve data via POST

$username = $_POST['username'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
$userLoc = $_POST['userLoc']; // user location is a field on the submitted form

include("config.php");

$username = mysqli_real_escape_string($conn, $username); // clean username input

// ensure that the two password fields match
if ($pass1 != $pass2) {
    header('Location: ../');
    die();
}

// ensure that the user didn't bypass  maxlength for username
if(strlen($username) > 30) {
    header('Location: ../');
    die();
}

// ensure that the user actually entered a password
if( strlen($pass1<3) || strlen($pass2<3) ) {
    header('Location: ../');
    die();
}

// check if username already taken
// I'm using a session variable that causes a div to be displayed on index.php to indicate username taken
// (I also have AJAX username check already implemented)

$query = "SELECT 1 FROM users WHERE username='$username'";
$result = mysqli_query($conn,$query);
if ( $result && mysqli_num_rows($result) > 0 ) {
    $_SESSION['usernameTaken'] = 1;
    header('Location: ../');
}

// create hash for password
$hash = hash('sha256', $pass1);

// create salt for password
function createSalt()
{
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}

$salt = createSalt();
$hash = hash('sha256', $salt . $hash);

$userLoc = mysqli_real_escape_string($conn, $userLoc);
$query = "INSERT INTO users ( username, password, salt, userLoc ) VALUES ( '$username' , '$hash' , '$salt' , '$userLoc' );";
mysqli_query($conn,$query);
mysqli_close();

header('Location: ../');

?>

Here's the problem that I can't figure out: with the die(); statements in there, the script will in fact terminate itself if any of the conditions are met (passwords don't match, username already exists, etc.), it is properly redirected to index.php (../), and the username is not added to the database. However, even if none of the error checking logic is triggered (in other words, the username is available, the passwords do match, etc.), the username will not be added to the database. The only way that I'm able to get anything to add to the database is by getting rid of every die() statement, but this makes it so none of the error checking works (for example, I can enter mismatched passwords, and the username will still be added to the database, along with the hashed pass1).

I think this is happening because the die() statements are being triggered even if a given if statement does not evaluate to true. Any suggestions?

Answer 1

To see if you are experiencing a MySQL error, put this code after your INSERT query.

printf("Errormessage: %s\n", $mysqli->error);

If that doesn't work, I would highly recommend putting messages inside your die() lines, because then you know exactly where the errors are coming up. Do it like this:

die('This error happened!');

If you have unique messages at each die(), you can tell what part of the code is causing it to stop - if any.

FInally, put something like echo "FINISHED!"; at the bottom of your script, so you can see if the script even gets executed all the way through.

The combination of the above error-finding methods should point you in the right direction for figuring out what the problem is.

Good luck!