ou8jonesy Posted June 5, 2014 Share Posted June 5, 2014 I have this working code except I can't redirect to a thank you page when a new user registers. When they login it works without issue. I just don't know where or what to put for the registration part. Here is my Code. Any help would be much appreciated. <?php include_once('config.php'); // Reset errors and success messages $errors = array(); $success = array(); // Login attempt if(isset($_POST['loginSubmit']) && $_POST['loginSubmit'] == 'true'){ $loginEmail = trim($_POST['email']); $loginPassword = trim($_POST['password']); if (!eregi("^[^@]{1,64}@[^@]{1,255}$", $loginEmail)) $errors['loginEmail'] = 'Your email address is invalid.'; if(strlen($loginPassword) < 6 || strlen($loginPassword) > 12) $errors['loginPassword'] = 'Your password must be between 6-12 characters.'; if(!$errors){ $query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($loginEmail) . '" AND password = MD5("' . $loginPassword . '") LIMIT 1'; $result = mysql_query($query); if(mysql_num_rows($result) == 1){ $user = mysql_fetch_assoc($result); $query = 'UPDATE users SET session_id = "' . session_id() . '" WHERE id = ' . $user['id'] . ' LIMIT 1'; mysql_query($query); header('Location: index.php'); exit; }else{ $errors['login'] = 'No user was found with the details provided.'; } } } // Register attempt if(isset($_POST['registerSubmit']) && $_POST['registerSubmit'] == 'true'){ $registerEmail = trim($_POST['email']); $registerPassword = trim($_POST['password']); $registerConfirmPassword = trim($_POST['confirmPassword']); if (!eregi("^[^@]{1,64}@[^@]{1,255}$", $registerEmail)) $errors['registerEmail'] = 'Your email address is invalid.'; if(strlen($registerPassword) < 6 || strlen($registerPassword) > 12) $errors['registerPassword'] = 'Your password must be between 6-12 characters.'; if($registerPassword != $registerConfirmPassword) $errors['registerConfirmPassword'] = 'Your passwords did not match.'; // Check to see if we have a user registered with this email address already $query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($registerEmail) . '" LIMIT 1'; $result = mysql_query($query); if(mysql_num_rows($result) == 1) $errors['registerEmail'] = 'This email address already exists.'; if(!$errors){ $query = 'INSERT INTO users SET email = "' . mysql_real_escape_string($registerEmail) . '", password = MD5("' . mysql_real_escape_string($registerPassword) . '"), date_registered = "' . date('Y-m-d H:i:s') . '"'; if(mysql_query($query)){ $success[header('Location: index.php')]; }else{ $errors['register'] = 'There was a problem registering you. Please check your details and try again.'; } } } ?> //login code <form class="box400" name="loginForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <h2>Login</h2> <?php if($errors['login']) print '<div class="invalid">' . $errors['login'] . '</div>'; ?> <label for="email">Email Address</label> <input type="text" name="email" value="<?php echo htmlspecialchars($loginEmail); ?>" /> <?php if($errors['loginEmail']) print '<div class="invalid">' . $errors['loginEmail'] . '</div>'; ?> <label for="password">Password <span class="info">6-12 chars</span></label> <input type="password" name="password" value="" /> <?php if($errors['loginPassword']) print '<div class="invalid">' . $errors['loginPassword'] . '</div>'; ?> <label for="loginSubmit"> </label> <input type="hidden" name="loginSubmit" id="loginSubmit" value="true" /> <input type="submit" value="Login" /> </form> //registration code <form class="box400" name="registerForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <h2>Register</h2> <?php if($success['register']) print '<div class="valid">' . $success['register'] . '</div>'; ?> <?php if($errors['register']) print '<div class="invalid">' . $errors['register'] . '</div>'; ?> <label for="email">Email Address</label> <input type="text" name="email" value="<?php echo htmlspecialchars($registerEmail); ?>" /> <?php if($errors['registerEmail']) print '<div class="invalid">' . $errors['registerEmail'] . '</div>'; ?> <label for="password">Password</label> <input type="password" name="password" value="" /> <?php if($errors['registerPassword']) print '<div class="invalid">' . $errors['registerPassword'] . '</div>'; ?> <label for="confirmPassword">Confirm Password</label> <input type="password" name="confirmPassword" value="" /> <?php if($errors['registerConfirmPassword']) print '<div class="invalid">' . $errors['registerConfirmPassword'] . '</div>'; ?> <label for="registerSubmit"> </label> <input type="hidden" name="registerSubmit" id="registerSubmit" value="true" /> <input type="submit" value="Register" /> </form> Quote Link to comment Share on other sites More sharing options...
trq Posted June 5, 2014 Share Posted June 5, 2014 Replace: $success[header('Location: index.php')]; with: header('Location: thankyou.php'); Then create the thankyou.php page. Quote Link to comment Share on other sites More sharing options...
ou8jonesy Posted June 5, 2014 Author Share Posted June 5, 2014 Thanks trq for the quick reply. My question on top of that then is the ('Location: index.php') is where my users are pointed after they login. If I replace it then when logging in they would be pointed to the wrong page - correct? Quote Link to comment Share on other sites More sharing options...
ou8jonesy Posted June 5, 2014 Author Share Posted June 5, 2014 Replace: $success[header('Location: index.php')]; with: header('Location: thankyou.php'); Then create the thankyou.php page. Thanks trq for the quick reply. My question on top of that then is the ('Location: index.php') is where my users are pointed after they login. If I replace it then when logging in they would be pointed to the wrong page - correct? Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted June 5, 2014 Share Posted June 5, 2014 I wouldn't waste my time trying to debug this. The code is at least 10 years behind and full of much worse issues. You're riding a dead horse. I don't even know where to start: The mysql_* functions are obsolete since more than a decade and will be removed in one of the next PHP versions. The ereg* functions are even older. They were replaced with the preg_* functions somewhere around the year 2000, I think. That's a damn long time. MD5? I guess it was acceptable back in the 90s, but current hardware can break this is a matter of minutes. You have SQL injection vulnerabilities via the password parameter. You have cross-site scripting vulnerabilities via $_SERVER['PHP_SELF'] The e-mail check is ... weird. Should “0@0” really be accepted? The check if the e-mail address is already registered doesn't work for simultaneous requests. I understand that this might be legacy code. Or maybe you've just used some really, really bad tutorials or books. So I'm not blaming you. But this definitely needs an update. PHP today is very different from the PHP of the 90s. Quote Link to comment Share on other sites More sharing options...
ou8jonesy Posted June 5, 2014 Author Share Posted June 5, 2014 I wouldn't waste my time trying to debug this. The code is at least 10 years behind and full of much worse issues. You're riding a dead horse. I don't even know where to start: The mysql_* functions are obsolete since more than a decade and will be removed in one of the next PHP versions. The ereg* functions are even older. They were replaced with the preg_* functions somewhere around the year 2000, I think. That's a damn long time. MD5? I guess it was acceptable back in the 90s, but current hardware can break this is a matter of minutes. You have SQL injection vulnerabilities via the password parameter. You have cross-site scripting vulnerabilities via $_SERVER['PHP_SELF'] The e-mail check is ... weird. Should “0@0” really be accepted? The check if the e-mail address is already registered doesn't work for simultaneous requests. I understand that this might be legacy code. Or maybe you've just used some really, really bad tutorials or books. So I'm not blaming you. But this definitely needs an update. PHP today is very different from the PHP of the 90s. Damn that sucks. Yes it was a Tutorial. Plus it's live and working. How do I start fresh without messing up my sql database? Or better yet where do I start? Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted June 5, 2014 Share Posted June 5, 2014 You should take the form offline. It took me 2 minutes to find your website, and you've just invited all script kiddies to give it a try. Start by learning to use the PDO interface. This is the “new” database interface for PHP. It also supports parameterized queries as a solution to the dreaded SQL injection problem. It's also crucial that you understand the basics of web security, in particular how to prevent cross-site scripting and how to store passwords. Escape everything, including variables like $_SERVER['PHP_SELF']. This will already be a huge step forward. Quote Link to comment Share on other sites More sharing options...
Solution ou8jonesy Posted June 5, 2014 Author Solution Share Posted June 5, 2014 You should take the form offline. It took me 2 minutes to find your website, and you've just invited all script kiddies to give it a try. Start by learning to use the PDO interface. This is the “new” database interface for PHP. It also supports parameterized queries as a solution to the dreaded SQL injection problem. It's also crucial that you understand the basics of web security, in particular how to prevent cross-site scripting and how to store passwords. Escape everything, including variables like $_SERVER['PHP_SELF']. This will already be a huge step forward. Thanks Jacques1 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.