Jump to content

Modifying code written by colleague, help!

pcjackson06

By pcjackson06
in PHP Coding Help

 Share

Recommended Posts

pcjackson06 Newbie

pcjackson06

Posted
Posted

Here's the code she wrote:

<?php 	include_once('includes/global.php');

mysql_connect ($dbhost, $dbusername, $dbuserpass);
mysql_select_db($dbname) or die('Cannot select database');

// Modify User
if(isset($_POST['save']))
{
$err = array();
$insertvalue = array();

if ($_POST['user_id'] == "") {
	array_push($err, "Error: Username cannot be blank.");
} else {
	array_push($insertvalue, "user_id='" . $_POST['user_id'] . "'");
}

if ($_POST['newpass1'] != "" && $_POST['newpass2'] != "") {
	if (strcmp($_POST['newpass1'], $_POST['newpass2']) != 0) {
		array_push($err, "Passwords do not match.");
	} else {
		array_push($insertvalue, ", user_password=MD5('" . $_POST['newpass1'] . "')");
	}
} else {
  	array_push($err, "Error: Password cannot be blank.");
}

if (count($err) == 0 && count($insertvalue) > 0) { // make sure no errors were found
	$query = "INSERT tbl_auth_user SET ";
	foreach ($insertvalue as $theValue) { $query .= $theValue; }
	mysql_query($query) or array_push($err, "This username already exists.  If you've forgotten your password, click <a href=\"forgot.php\">here</a>.");
	if (count($err) == 0 ) {
		array_push($err, "Congratulations, you may now <a href=\"login.php\">login</a>.");
	}
}

}

?>
<html>
<head>
<title>User Management Menu</title>
<link rel="stylesheet" href="includes/style.css" type="text/css">
</head>
<body>
<h1>recordsone™</h1>
Soon you will be managing your own medical record!
<form action="register.php" method="post">
<?php if ((isset($err)) && (count($err) > 0)) { ?>
<p><?php foreach ($err as $theError) { ?><li class="error"><?php echo $theError; ?></li><?php }?></p>
<?php } ?>
<p>Preferred Username: <input type="text" id="user_id" name="user_id" /></p>
<p>New Password: <input id="newpass1" name="newpass1" type="password" /></p>
<p>Confirm Password: <input id="newpass2" name="newpass2" type="password" /></p>

<input type="submit" id="save" name="save" value="Register" /> <FORM><INPUT TYPE="BUTTON" VALUE="Go Back" ONCLICK="history.go(-1)"></FORM>
</form>
</fieldset>
</p>
</body>

 

I wanted to add another form field and database item (email) so I updated the mySQL database, and the code now looks like this:

 

<?php 	include_once('includes/global.php');

mysql_connect ($dbhost, $dbusername, $dbuserpass);
mysql_select_db($dbname) or die('Cannot select database');

// Modify User
if(isset($_POST['save']))
{
$err = array();
$insertvalue = array();

if ($_POST['user_id'] == "") {
	array_push($err, "Error: Username cannot be blank.");
} else {
	array_push($insertvalue, "user_id='" . $_POST['user_id'] . "'");
}

if ($_POST['email'] == "") {
	array_push($err, "Error: Email cannot be blank.");
} else {
	array_push($insertvalue, "email='" . $_POST['email'] . "'");
}

if ($_POST['newpass1'] != "" && $_POST['newpass2'] != "") {
	if (strcmp($_POST['newpass1'], $_POST['newpass2']) != 0) {
		array_push($err, "Passwords do not match.");
	} else {
		array_push($insertvalue, ", user_password=MD5('" . $_POST['newpass1'] . "')");
	}
} else {
  	array_push($err, "Error: Password cannot be blank.");
}

if (count($err) == 0 && count($insertvalue) > 0) { // make sure no errors were found
	$query = "INSERT tbl_auth_user SET ";
	foreach ($insertvalue as $theValue) { $query .= $theValue; }
	mysql_query($query) or array_push($err, "This username already exists.  If you've forgotten your password, click <a href=\"forgot.php\">here</a>.");
	if (count($err) == 0 ) {
		array_push($err, "Congratulations, you may now <a href=\"login.php\">login</a>.");
	}
}

}

?>
<html>
<head>
<title>User Management Menu</title>
<link rel="stylesheet" href="includes/style.css" type="text/css">
</head>
<body>
<h1>recordsone™</h1>
Soon you will be managing your own medical record!
<form action="register.php" method="post">
<?php if ((isset($err)) && (count($err) > 0)) { ?>
<p><?php foreach ($err as $theError) { ?><li class="error"><?php echo $theError; ?></li><?php }?></p>
<?php } ?>
<p>Preferred Username: <input type="text" id="user_id" name="user_id" /></p>
<p>E-mail Address: <input type="text" id="email" name="email" /></p>
<p>New Password: <input id="newpass1" name="newpass1" type="password" /></p>
<p>Confirm Password: <input id="newpass2" name="newpass2" type="password" /></p>

<input type="submit" id="save" name="save" value="Register" /> <FORM><INPUT TYPE="BUTTON" VALUE="Go Back" ONCLICK="history.go(-1)"></FORM>
</form>
</fieldset>
</p>
</body>

 

The PHP stopped working and always errors out (This username already exists...)

 

Does anyone know how to help me?

 

Thanks in advance,

Phil

Link to comment
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted

Well you error is on this line, just add a comma as indicated

		array_push($insertvalue, ", email='" . $_POST['email'] . "'");

 

However, there is a LOT more wrong with that code. For example, you are using the POSTed values directly within the SQL statements. That's just an open invitation for SQL injection. Hope you back up that database very frequently.

 

Also, the error you are getting is because the query is failing. Basically the writer of that code "assumed" that the code would only fail if the username was not new since the value is apparently set as unique in the database. That is very poor methodology in my opinion. You should first check if the name is unique to determine if that is a problem. If not, then attempt the insert. If the insert fails then you need to find out why.

Link to comment
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted

I think this will work better. [Not tested so there may be some syntax errors, but the logic should be sound]

 

<?php

include_once('includes/global.php');

// Modify User
if(isset($_POST['save']))
{
    $err = array();
    $userID = trim($_POST['user_id']);
    $email  = trim($_POST['email']);
    $pass1 = trim($_POST['newpass1']);
    $pass2 = trim($_POST['newpass2']);

    //Validate form input
    if ($userID == '') { $err[] = "Error: Username cannot be blank." }
    if ($email == '') { $err[] = "Error: Email cannot be blank."; }
    if ($pass1 == '' && $pass2 == '') { $err[] = "Error: Password cannot be blank."; }
    else if (strcmp($pass1, $pass2) != 0) { $err[] = "Passwords do not match."; }

    //Basic form validatin passed, connect to DB
    mysql_connect ($dbhost, $dbusername, $dbuserpass);
    mysql_select_db($dbname) or die('Cannot select database');

    //Check for duplicate username
    $query = "SELECT FROM tbl_auth_user WHERE user_id = '" . mysql_real_escape_string($userID) . "'";
    $result = mysql_query($query) or die(mysql_error());
    if ((mysql_num_rows($result)==0))
    {
        $err[] = "This username already exists.  If you've forgotten your password, click <a href=\"forgot.php\">here</a>.";
    }

    // make sure no errors were found
    if (count($err) == 0)
    {
        //Insert the new record
        $query = "INSERT tbl_auth_user SET
                    user_id = '" . mysql_real_escape_string($userID) . "',
                    email = '" . mysql_real_escape_string($email) . "',
                    user_password = '" . md5($pass1) . "'";
        $result = mysql_query($query);
        if (!$result)
        {
            //There was a problem running the Insert query
            $message = "Database query failed: <br />\n" . mysql_error();
        }
        else
        {
            //Insert completed successfully
            $message = "Congratulations, you may now <a href=\"login.php\">login</a>.";
        }
    }
    else
    {
        //There were errors
        $message = "<ul><li>" . implode("</li><li>", $err) . "</li></ul>";
    }
}
?>
<html>
<head>
<title>User Management Menu</title>
<link rel="stylesheet" href="includes/style.css" type="text/css">
</head>
<body>
<h1>recordsone™</h1>
Soon you will be managing your own medical record!
<form action="register.php" method="post">
<p><?php echo $message; ?></p>
<p>Preferred Username: <input type="text" id="user_id" name="user_id" /></p>
<p>E-mail Address: <input type="text" id="email" name="email" /></p>
<p>New Password: <input id="newpass1" name="newpass1" type="password" /></p>
<p>Confirm Password: <input id="newpass2" name="newpass2" type="password" /></p>

<input type="submit" id="save" name="save" value="Register" /> <FORM><INPUT TYPE="BUTTON" VALUE="Go Back" ONCLICK="history.go(-1)"></FORM>
</form>
</fieldset>
</p>
</body>

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.