views:

748

answers:

2

I am making an all-in-one registration / login script, which will first display the registration form if $_POST is not set. If it is set, but the required fields are not filled in, it redirects to the page again, resetting $_POST. If all the fields are filled in, then if the name of the submit button $_POST["login"] is set, the form confirms the login and sets a block of text, which is a page redirecting the user to their shopping basket or back to the store. If the submit button $_POST["register"] is set, then the user wants to register and an insert query is built and submitted. If this query returns no affected rows, then the script checks if the user is already registered. If so, it logs them in and shows them the redirect page as per a normal login. Otherwise, if the script returns 1 row affected, then I assume the insert was successful (I have the script break if the queries fail).

Logging in works if you hit login, and if you miss a required field the redirects work, but that's it. I can't see the problem and I get no errors - I just get a blank screen in the event of the other circumstances. It's a big chunk of code, I'm afraid...

    <?php
    if (!$_POST) {
        // hasn't seen the registration form yet: display it
        $display_block = "
        <form method=\"POST\" action=\"".$_SERVER["PHP_SELF"]."\">
        <p>Please fill in the registration field (required fields marked with <span class=\"req\"><</span>)<br />
        First name: <input type=\"text\" name=\"f_name\" size=\"25\" maxlength=\"50\" /><span class=\"req\"><</span><br />
        Last name: <input type=\"text\" name=\"l_name\" size=\"25\" maxlength=\"50\" /><span class=\"req\"><</span><br />
        Address: <input type=\"text\" name=\"address\" size=\"50\" maxlength=\"150\" /><br />
        Town: <input type=\"text\" name=\"town\" size=\"50\" maxlength=\"150\" /><br />
        City: <input type=\"text\" name=\"city\" size=\"50\" maxlength=\"150\" /><br />
        Post Code: <input type=\"text\" name=\"postcode\" size=\"10\" maxlength=\"10\" /><br />
        Username: <input type=\"text\" name=\"username\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
        Confirm username: <input type=\"text\" name=\"usernameConfirm\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
        Password: <input type=\"password\" name=\"password\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
        Confirm password: <input type=\"password\" name=\"passwordConfirm\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
        <br />
        <input type=\"submit\" name=\"register\" value=\"Register\" /><br /><br />
        Already a member? <input type=\"submit\" name=\"login\" value=\"Login\" />
        </p>";

    } else if ((!isset($_POST["username"])) || (!isset($_POST["usernameConfirm"])) || (!isset($_POST["password"])) || (!isset($_POST["passwordConfirm"]))) {
        // hasn't filled out all the fields
        header("Location: ".$_SERVER["PHP_SELF"]."");
        exit;
    } else if ($_POST["login"]) {

        // user is logging in, so connect to server and select database, check they are registered and their details are right
        $mysqli = mysqli_connect(hostname, username, pass, dbname);

        // create and issue the query
        $sql = "SELECT f_name, l_name FROM auth_users WHERE username='".$_POST["username"]."' AND password=PASSWORD('".$_POST["password"]."')";
        $sql_res = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

        // get the number of rows in the result set; should be 1 if a match
        if (mysqli_num_rows($sql_res) == 1) {
            // if authorized, get the values of f_name, l_name
            while ($info = mysqli_fetch_array($sql_res)) {
                $f_name = stripslashes($info["f_name"]);
                $l_name = stripslashes($info["l_name"]);
            }
            // set authorization cookie
            setcookie("auth", "1", 0, "/", "sinaesthesia.co.uk", 0);

            // create display string
            $display_block = "<p>".$f_name." ".$l_name." is authorized.</p>
            <p>You are now logged in.</p>
            <a href=\"basket.php5\">View Basket</a> | <a href=\"home.php5\">Continue Shopping</a>";

        } else if ($_POST["register"]) {

            // connect to db and issue registration query
            $mysqli = mysqli_connect(hostname, username, pass, dbname);

            $register_sql = "INSERT INTO aromaMaster (username, password, date_registered) VALUES ('".$_POST["username"]."',PASSWORD('".$_POST["password"]."'),now())";
            $register_res = mysqli_query($mysqli, $register_sql) or die(mysqli_error($mysqli));

            if (mysqli_num_rows($register_res) != 1) {
                // registration failed - perhaps duplicate account
                $check_sql = "SELECT username, password FROM aromaMaster WHERE username='".$_POST["username"]."' AND password=PASSWORD('".$_POST["password"]."')";
                $check_res = mysqli_query($mysqli, $check_sql) or die(mysqli_error($mysqli));

                if (mysqli_num_rows($check_res) == 1) {
                    // already a member: set authorization cookie
                    setcookie("auth", "1", 0, "/", "sinaesthesia.co.uk", 0);

                    $display_block = "
                    <p>You are already registered.</p>
                    <a href=\"basket.php5\">View Basket</a> | <a href=\"home.php5\">Continue Shopping</a>";
                }
            } else {
                // success
                $display_block = "
                <p>You are registered!</p>
                <a href=\"basket.php5\">View Basket</a> | <a href=\"home.php5\">Continue Shopping</a>";
            }
        }
        mysqli_close($mysqli);
    }
    ?>
    <html>
    <head>
    <title>Login / Register</title>
    </head>
    <body>
    <?php echo "$display_block"; ?>
    </body>
    </html>
A: 

You don't want to put strings from the user directly into your queries: http://php.net/manual/en/security.database.sql-injection.php

Rufinus

Comment: Hai, I know, but this is just in the development stage - I want working mechanics before I consider malicious users.

Comment: "Security, like correctness, is not an add-on feature." -- Andrew Tanenbaum.

Bill Karwin
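In the question's code the `else if($_POST["register"])` is the else-branch of the login query's `mysqli_num_rows` check, so it only runs when a login was submitted and failed; a plain Register submit matches no branch, `$display_block` is never set, and the page is blank. The following is an added example, not the asker's code nor anything posted in this thread, showing the same flow with the two branches as siblings and the first answer's point applied (prepared statements instead of SQL built from `$_POST`), plus a server-side session in place of a client-settable `auth=1` cookie. It assumes a table `auth_users` with a `password_hash` column, a UNIQUE index on `username`, and `DB_*` connection constants.

```php
<?php
// Added example (not the asker's code): login/register as sibling branches,
// prepared statements, password_hash() and a server-side session.
// Table auth_users, column password_hash and the DB_* constants are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // query failures become exceptions

function required_fields_present(array $post): bool {
    // isset() is true for an empty text field; require non-blank values instead
    foreach (['username', 'password'] as $f) {
        if (!isset($post[$f]) || trim($post[$f]) === '') { return false; }
    }
    return true;
}

function login(mysqli $db, string $user, string $pass): ?string {
    // The ? placeholder keeps user input out of the SQL text entirely
    $stmt = $db->prepare('SELECT f_name, l_name, password_hash FROM auth_users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($pass, $row['password_hash'])) { return null; }
    session_regenerate_id(true);              // fresh session id on privilege change
    $_SESSION['user'] = $user;                // the server, not the browser, records who is logged in
    return htmlspecialchars($row['f_name'] . ' ' . $row['l_name'], ENT_QUOTES, 'UTF-8');
}

function register(mysqli $db, string $user, string $pass): bool {
    $hash = password_hash($pass, PASSWORD_DEFAULT);  // salted, slow hash instead of MySQL PASSWORD()
    $stmt = $db->prepare('INSERT INTO auth_users (username, password_hash, date_registered) VALUES (?, ?, NOW())');
    $stmt->bind_param('ss', $user, $hash);
    try {
        $stmt->execute();                     // the UNIQUE index on username rejects duplicates
    } catch (mysqli_sql_exception $e) {
        return false;
    }
    return $db->affected_rows === 1;          // INSERT has no result set: affected_rows, not num_rows
}

session_start();
$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
if (!$_POST) {
    $display_block = '<form method="POST" action="' . htmlspecialchars($_SERVER['PHP_SELF']) . '">...</form>';
} elseif (!required_fields_present($_POST)) {
    header('Location: ' . $_SERVER['PHP_SELF']); exit;
} elseif (isset($_POST['login'])) {          // isset(): a missing key must not end the chain silently
    $name = login($db, $_POST['username'], $_POST['password']);
    $display_block = $name === null ? '<p>Login failed.</p>' : "<p>$name is authorized.</p>";
} elseif (isset($_POST['register'])) {       // a sibling of the login branch, so it is reachable
    $display_block = register($db, $_POST['username'], $_POST['password'])
        ? '<p>You are registered!</p>' : '<p>That username is already taken.</p>';
}
```

Note that `$display_block` is set on every path, so a Register submit can no longer fall through to an empty page.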
A: 

Sorted it now.