xkrazykidx

Everything posted by xkrazykidx

  1. Thanks for the help, after looking at your edits I noticed what I was missing. I added a lot more validation since writing this post, but I edited the way I was checking for the key and added $msg at the very top.

     Top:

     ```php
     if (isset($_POST['submit'])) {
         $msg = ""; //Initialize errors

         //Check For Invalid Keys
         $sql="SELECT invite_codes FROM %table% WHERE invite_codes='".$invite_code."' AND used='0'";
         //$code = mysql_query("SELECT invite_codes FROM %table% WHERE invite_codes='".$invite_code."' AND used='0'") or die(mysql_error());
         $result=mysql_query($sql);
         $row=mysql_fetch_array($result);
         if(mysql_num_rows($result)==0) {
             $msg = '<div class="statusmsg">The invitation code is invalid.</div>';
             //die;
         }
     ```

     Then from what I noticed in your edit, instead of

     ```php
     else {
         // Return Success - Valid Email
         $msg = 'Your account has been made, <br /> please verify it by clicking the activation link that has been sent to your email.';
         $hash = md5( rand(0,1000) ); // Generate random 32 character hash and assign it to a local variable.
         if(empty($msg)
     ```

     I removed the first else as it would return the message saying your account is valid even if it did fail. I replaced it with your suggestion `elseif(empty($msg)) {` and now the page is running successfully, checking the database for the codes as well as updating the used column. Thank you so much! I wish you could understand how happy I am now. This was bugging me for the past 3 days.
  2. Even if I change it to this

     ```php
     $code = mysql_query("SELECT invite_codes FROM %table% WHERE invite_codes='".$invite_code."' AND used='0'") or die(mysql_error());
     if(mysql_num_rows($code) > 0) {
         mysql_query("UPDATE %table% SET used='1' WHERE invite_codes='".$invite_code."'") or die(mysql_error());
     }
     else {$msg = '<div class="statusmsg">The invitation code is invalid.</div>';}
     ```

     The code is still bypassed and the user is registered. All other validation works.
  3. I tried having all my code after the form but all that happens is the page refreshes. Also the code actually worked properly before I added

     ```php
     $code = mysql_query("SELECT invite_codes FROM %table% WHERE invite_codes='".$invite_code."' AND used='0'") or die(mysql_error());
     elseif(mysql_num_rows($code) < 0) {$msg = '<div class="statusmsg">The invitation code is invalid.</div>';}
     ```

     those lines. So I doubt it's the actual order that's messing the process up. The querying would stop if the user failed any other validation. But when I tried to add the invite code section, it just ignores that one.
  4. I actually am, I am just not showing all the code as it works, the only issue I am having is that the validation for invite code is failing.

     Full code below:

     ```php
     <?php get_header(); ?>
     <div id="wrapper">
     <?php
     // If the form is submitted //
     if (isset($_POST['submit'])) {

         //First Name Validation
         $first_name_d = $_POST['first_name'];
         if(empty($first_name_d)) {$msg = 'We\'re sorry but the First Name is missing';}

         //Last Name Validation
         $last_name_d = $_POST['last_name'];
         if(empty($last_name_d)) {$msg = 'We\'re sorry but the Last Name is missing';}

         //Email Validation
         $email_d = $_POST['email'];
         if(empty($email_d)) {$msg = 'We\'re sorry but the Email field is missing';}

         //Sex Validation
         $sex_d = $_POST['sex'];
         if(empty($sex_d)) {$msg = 'We\'re sorry but the Sex field is missing';}

         //Password Validation
         $password_d = $_POST['password'];
         if(empty($password_d)) {$msg = 'Please insert a password';}

         //Password Check Validation
         $confirm_password_d = $_POST['password_check'];
         if(empty($confirm_password_d)) {$msg = 'Please confirm your password';}

         //Password Check Validation
         $invite_code_d = $_POST['invite_code'];
         if(empty($invite_code_d)) {$msg = 'Please insert Invite Code';}

         //All Empty Validation
         if(empty($first_name_d) AND empty($last_name_d) AND empty($email_d) AND empty($sex_d)
            AND empty($password_d) AND empty($confirm_password_d) AND empty($invite_code_d))
         {$msg = 'It seems like all the fields are empty';}

         //Check if mandatory fields are set
         if(isset($first_name_d) && !empty($first_name_d)
            AND isset($last_name_d) && !empty($last_name_d)
            AND isset($email_d) && !empty($email_d)
            AND isset($password_d) && !empty($password_d)
            AND isset($confirm_password_d) && !empty($confirm_password_d)
            AND isset($invite_code_d) && !empty($invite_code_d)) {

             //BIRTHDATE not required
             if(empty($_POST['birth_month'])) {$birth_month = '';} else {$birth_month = mysql_escape_string($_POST['birth_month']);}
             if(empty($_POST['birth_day'])) {$birth_day = '';} else {$birth_day = mysql_escape_string($_POST['birth_day']);}
             if(empty($_POST['birth_year'])) {$birth_year = '';} else {$birth_year = mysql_escape_string($_POST['birth_year']);}

             //ZIP not required
             if(empty($_POST['zip'])) {$zip = '';} else {$zip = mysql_escape_string($_POST['zip']);}

             //Clean Mandatory Fields
             $firstname = mysql_escape_string($first_name_d);
             $lastname = mysql_escape_string($last_name_d);
             $email = mysql_escape_string($email_d);
             $password = mysql_escape_string($password_d);
             $password_check = mysql_escape_string($confirm_password_d);
             $invite_code = mysql_escape_string($invite_code_d);
             $join_date = date("F j, Y");

             //Check For Duplicates
             $code = mysql_query("SELECT invite_codes FROM %table% WHERE invite_codes='".$invite_code."' AND used='0'") or die(mysql_error());
             $dup = mysql_query("SELECT email FROM %table% WHERE email='".$email."'") or die(mysql_error());
             if(mysql_num_rows($dup) >0) {$msg = 'You already have an account! Try logging in.';}
             elseif($password != $password_check) {$msg = 'Passwords do not match!';}
             elseif(mysql_num_rows($code) < 0) {$msg = '<div class="statusmsg">The invitation code is invalid.</div>';}
             else {
                 if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)){
                     // Return Error - Invalid Email
                     $msg = 'The email you have entered is invalid, please try again.';}
                 else {
                     // Return Success - Valid Email
                     $msg = 'Your account has been made, <br /> please verify it by clicking the activation link that has been send to your email.';
                     $hash = md5( rand(0,1000) ); // Generate random 32 character hash and assign it to a local variable.
                     mysql_query("INSERT INTO %table% (first_name, last_name, password, email, zip, sex, birth_month, birth_day, birth_year, join_date, hash) VALUES(
                     '". mysql_escape_string($firstname) ."',
                     '". mysql_escape_string($lastname) ."',
                     '". mysql_escape_string(md5($password)) ."',
                     '". mysql_escape_string($email) ."',
                     '". mysql_escape_string($zip) ."',
                     '". mysql_escape_string($sex) ."',
                     '". mysql_escape_string($birth_month) ."',
                     '". mysql_escape_string($birth_day) ."',
                     '". mysql_escape_string($birth_year) ."',
                     '". mysql_escape_string($join_date) ."',
                     '". mysql_escape_string($hash) ."') ") or die(mysql_error());
                     mysql_query("UPDATE %table% SET used='1' WHERE invite_codes='".$invite_code."'") or die(mysql_error());

                     $to = $email; //Send email to our user
                     $subject = 'Signup | Verification'; //// Give the email a subject
                     $message = '
     Thanks for signing up!
     Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.
     ------------------------
     Name: '.$firstname.'
     Password: '.$password.'
     ------------------------
     Please click this link to activate your account:
     %website%/verify.php?email='.$email.'&hash='.$hash.'
     '; // Our message above including the link
                     //$headers = 'From:%email%' . "\r\n". // Set from headers
                     //'errors-to: webmaster@example.com' . "\r\n" .
                     //'X-Mailer: PHP/' . phpversion();
                     mail($to, $subject, $message, $headers, '-f %email%'); // Send the email
                 }
             }
         }
     }
     ?>
     <?php
     if(isset($msg)){ // Check if $msg is not empty
         echo '<div class="statusmsg">'.$msg.'</div>'; // Display our message and add a div around it with the class statusmsg
     }
     ?>
     <form action="" method="post">
     <label for="first_name"><em>*</em>First Name:</label>
     <input type="text" name="first_name" value="" />
     <br>
     <label for="last_name"><em>*</em>Last Name:</label>
     <input type="text" name="last_name" value="" />
     <br>
     <label for="email"><em>*</em>Email:</label>
     <input type="text" name="email" value="" />
     <br>
     <label for="signup-birthdate">Birthdate</label>
     <select name="birth_month">
     <option value="">---</option>
     <option value="1">January</option>
     <option value="2">February</option>
     <option value="3">March</option>
     <option value="4">April</option>
     <option value="5">May</option>
     <option value="6">June</option>
     <option value="7">July</option>
     <option value="8">August</option>
     <option value="9">September</option>
     <option value="10">October</option>
     <option value="11">November</option>
     <option value="12">December</option>
     </select>
     <select name="birth_day">
     <?php
     {echo "<option value=''>---</option>";}
     for ($i=1; $i<=31; $i++)
     {echo "<option value='$i'>$i</option>";}
     ?>
     </select>
     <select name="birth_year">
     <?php
     {echo "<option value=''>---</option>";}
     for ($i=2006; $i>=1900; $i=$i-1)
     {echo "<option value='$i'>$i</option>";}
     ?>
     </select>
     <br>
     <label for="zip">Zip:</label>
     <input type="text" name="zip" value="" />
     <br>
     <label for="sex">Sex:</label>
     <select name="sex">
     <option value="male">Male</option>
     <option value="female">Female</option>
     </select>
     <br>
     <label for="password"><em>*</em>Password:</label>
     <input type="password" name="password" value="" />
     <br>
     <label for="password_check"><em>*</em>Password:</label>
     <input type="password" name="password_check" value="" />
     <br>
     <br>
     <label for="invite_code"><em>*</em>Invitation Code:</label>
     <input type="text" name="invite_code" value="" />
     <input type="submit" name="submit" class="submit_button" value="Sign up" />
     </form>
     </div> <!--/wrapper -->
     </div> <!-- /PAGE -->
     ```
  5. The invitation code part seems to get bypassed. If I fill out the form correctly with any invitation code it will still sign up the user. As in the code I want $msg to echo out 'The Invitation code is invalid' when the user inserts in a code that's not in my database. Later down the code if the user does end up inserting in a correct code I have the database update the table used from 0 to 1 to know that that current code has been used. Not sure if my if statement is wrong or something else is goofing up.

     ```php
     //Clean Mandatory Fields
     $firstname = mysql_escape_string($first_name_d);
     $lastname = mysql_escape_string($last_name_d);
     $email = mysql_escape_string($email_d);
     $password = mysql_escape_string($password_d);
     $password_check = mysql_escape_string($confirm_password_d);
     $invite_code = mysql_escape_string($invite_code_d);
     $join_date = date("F j, Y");

     //Check For Duplicates
     $code = mysql_query("SELECT invite_codes FROM %table% WHERE invite_codes='".$invite_code."' AND used='0'") or die(mysql_error());
     $dup = mysql_query("SELECT email FROM %table% WHERE email='".$email."'");
     if(mysql_num_rows($dup) >0) {$msg = 'You already have an account! Try logging in.';}
     elseif($password != $password_check) {$msg = 'Passwords do not match!';}
     elseif(mysql_num_rows($code) < 0) {$msg = '<div class="statusmsg">The invitation code is invalid.</div>';}
     else {
         if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)){
             // Return Error - Invalid Email
             $msg = 'The email you have entered is invalid, please try again.';}
         else {
             // Return Success - Valid Email
             $msg = 'Your account has been made, <br /> please verify it by clicking the activation link that has been send to your email.';
             $hash = md5( rand(0,1000) ); // Generate random 32 character hash and assign it to a local variable.
             mysql_query("INSERT INTO %table% (first_name, last_name, password, email, zip, sex, birth_month, birth_day, birth_year, join_date, hash) VALUES(
             '". mysql_escape_string($firstname) ."',
             '". mysql_escape_string($lastname) ."',
             '". mysql_escape_string(md5($password)) ."',
             '". mysql_escape_string($email) ."',
             '". mysql_escape_string($zip) ."',
             '". mysql_escape_string($sex) ."',
             '". mysql_escape_string($birth_month) ."',
             '". mysql_escape_string($birth_day) ."',
             '". mysql_escape_string($birth_year) ."',
             '". mysql_escape_string($join_date) ."',
             '". mysql_escape_string($hash) ."') ") or die(mysql_error());
             mysql_query("UPDATE %table% SET used='1' WHERE invite_codes='".$invite_code."'") or die(mysql_error());

             $to = $email; //Send email to our user
             $subject = 'Signup | Verification'; //// Give the email a subject
             $message = '
     Thanks for signing up!
     Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.
     ------------------------
     Name: '.$firstname.'
     Password: '.$password.'
     ------------------------
     Please click this link to activate your account:
     http://%site%/verify.php?email='.$email.'&hash='.$hash.'
     '; // Our message above including the link
             //$headers = 'From:%email%' . "\r\n". // Set from headers
             //'errors-to: webmaster@example.com' . "\r\n" .
             //'X-Mailer: PHP/' . phpversion();
             mail($to, $subject, $message, $headers, '-f %email%'); // Send the email
         }
     }
     }
     }
     ```
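Added example, not part of the posts above and not the poster's code: one way to make the invite-code check and the "mark as used" step a single atomic operation with PDO prepared statements, so a code that is unknown or already used can never fall through to registration. The function name `register_with_invite`, the `invites` and `users` tables, and the in-memory SQLite rows are assumptions constructed for this sketch.

```php
<?php
// Added example. Table, column and function names are assumptions, and the
// in-memory SQLite rows are constructed sample data so this runs offline.
declare(strict_types=1);

function register_with_invite(PDO $db, string $email, string $password, string $code): string
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return 'The email you have entered is invalid, please try again.';
    }
    $db->beginTransaction();
    try {
        // Claim the code and mark it used in ONE statement. rowCount() is 0
        // when the code is unknown or already used; a row count is never
        // negative, so a "< 0" comparison can never reject anything.
        $claim = $db->prepare('UPDATE invites SET used = 1 WHERE invite_code = ? AND used = 0');
        $claim->execute([$code]);
        if ($claim->rowCount() !== 1) {
            $db->rollBack();
            return 'The invitation code is invalid.';
        }
        // Activation token from a CSPRNG; md5(rand(0,1000)) has only 1001 possible values.
        $token = bin2hex(random_bytes(16));
        $insert = $db->prepare('INSERT INTO users (email, password_hash, activation_token) VALUES (?, ?, ?)');
        $insert->execute([$email, password_hash($password, PASSWORD_DEFAULT), $token]);
        $db->commit();
        return 'Your account has been made.';
    } catch (PDOException $e) {
        // Simplification: the only expected failure here is a duplicate email.
        $db->rollBack(); // the invite code goes back to unused
        return 'You already have an account! Try logging in.';
    }
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invites (invite_code TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT, activation_token TEXT)');
$db->exec("INSERT INTO invites (invite_code) VALUES ('ABC123')");

echo register_with_invite($db, 'a@example.com', 'pw-one', 'NOPE'), "\n";   // unknown code
echo register_with_invite($db, 'a@example.com', 'pw-one', 'ABC123'), "\n"; // unused code
echo register_with_invite($db, 'b@example.com', 'pw-two', 'ABC123'), "\n"; // same code again
```

Because the claim and the insert share one transaction, a failed insert releases the code, and two simultaneous requests with the same code cannot both succeed.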