Hey, I just started scripting in PHP, and I ran into a few problems.

<?php
include('config.php');
if (isset($_POST['set'])){
$user=mysql_real_escape_string($_POST['user']);
$pass=mysql_real_escape_string(md5($_POST['pass']));
if ($user="" or $pass=""){
echo 'Invalid Username/Password';
}
else{
mysql_select_db("db_mycountdown",$db_connect);
$sql=mysql_query("SELECT * FROM users WHERE username='$user'",$db_connect);
$fetch = mysql_num_rows($sql);
if ($fetch>0){
unset($user);
echo 'Error: This user already exists!<br>';
}
else{
mysql_select_db("db_mycountdown",$db_connect);
  $sql = mysql_query("INSERT INTO users (username, password) 
  VALUES ('$user','$pass')",$db_connect);
  echo 'Account Successfully Created!';
  }
}
}

echo '<a href="Index.php">Already have an account? Log in!</a>
<form action="" method="post">
Username:<br/>
<input type="text" name="user"/><br />
Password:<br/>
<input type="password" name="pass"/><br />
Confirm Password:<br/>
<input type="password" name="passconfirm"/><br /><br />

<input type="submit" name="set" value="Register" /> <br />
</form>';
?>

 

My PHP code here seems really buggy. Can anyone point out any errors? Thanks.

 


Change:

 

$pass=mysql_real_escape_string(md5($_POST['pass']));

 

to:

 

$pass=md5($_POST['pass']);

 

And, I'm not following the question. Do you want people to fix a mistake? If so, what's the problem? Or do you just want some advice on a better way of forming things?

First, indent your code; it makes it much easier to see what is happening.

<?php
include('config.php');
if (isset($_POST['set'])){
  $user=mysql_real_escape_string($_POST['user']);
  $pass=mysql_real_escape_string(md5($_POST['pass']));
  if ($user="" or $pass=""){
    echo 'Invalid Username/Password';
  }
  else{
    mysql_select_db("db_mycountdown",$db_connect);
    $sql=mysql_query("SELECT * FROM users WHERE username='$user'",$db_connect);
    $fetch = mysql_num_rows($sql);
    if ($fetch>0){
      unset($user);
      echo 'Error: This user already exists!<br>';
    }
    else{
      mysql_select_db("db_mycountdown",$db_connect);
      $sql = mysql_query("INSERT INTO users (username, password) 
      VALUES ('$user','$pass')",$db_connect);
      echo 'Account Successfully Created!';
    }
  }
}

echo '<a href="Index.php">Already have an account? Log in!</a>
<form action="" method="post">
Username:<br/>
<input type="text" name="user"/><br />
Password:<br/>
<input type="password" name="pass"/><br />
Confirm Password:<br/>
<input type="password" name="passconfirm"/><br /><br />

<input type="submit" name="set" value="Register" /> <br />
</form>';
?>

 

2) $pass is never going to be empty.  You ran MD5 on a possibly empty string, and it will produce results (maybe).  I would test for empty($_POST['user']) or empty($_POST['pass']) before processing them.

 

3) There is no database connection, unless you do that in config.php.

4) You do not need to select the database before every query (I do it immediately after connecting and it stays that way unless I select a different one).

5) You should check that pass and passconfirm have the same value before you insert into the database. That's the whole reason for having two password fields.

 

6) (Actually, this should always be first!) Turn on error reporting to see if any errors are being thrown and ignored:  Add error_reporting(E_ALL); at the beginning of your scripts.  Also, add  ini_set('display_errors', 1); if it is not set in the ini file.

 

7) After $sql = mysql_query(...), try adding this line:

$sql = mysql_query(...);
if ($sql === false) {
  echo mysql_error();
}

to see if the query is failing.

 

 

Let us know how things go and post any error messages you get so we can help further.

I actually added the password=passwordconfirm statement, but it kept on saying that my "passwords were different", so I just got rid of that for now.

 

I also previously had problems with parse errors in my else statements and queries.

 

Anyways, it still says that the user still exists, and the query doesn't seem to be failing.

Try echoing $fetch before the if statement and see if its value is what you expect it to be. It seems OK to me, but without more information, I can't really say. You are sure you are trying to register with a username that doesn't exist on the database already, right?

Try this:

 

<?php
include('config.php');
$report = "Fill out the fields below";

if(isset($_POST['set'])){
  $user = $_POST['user'];
  $pass = md5($_POST['pass']);
  $passconfirm = md5($_POST['passconfirm']);
  
    mysql_select_db("db_mycountdown",$db_connect);
    $sql = mysql_query("SELECT * FROM users WHERE username='$user'",$db_connect);
    $result = mysql_num_rows($sql);

	if($result['username'] == $user) {
      $report = 'Error: This user already exists!<br>';
  }
  
	if($user="" or $pass=""){
    $report = 'Invalid Username/Password';

  }
	if($pass == $passconfirm) {
      mysql_select_db("db_mycountdown",$db_connect);
      $sql = mysql_query("INSERT INTO users (username, password) 
      VALUES ('$user','$pass')",$db_connect);
      $report = 'Account Successfully Created!';
  
    }


  }
?>

<?php echo "$report <br>"; ?>

<a href="Index.php">Already have an account? Log in!</a>
<form action="" method="post">
Username:<br/>
<input type="text" name="user"/><br />
Password:<br/>
<input type="password" name="pass"/><br />
Confirm Password:<br/>
<input type="password" name="passconfirm"/><br /><br />
<input type="submit" name="set" value="Register" /> <br />
</form>

This doesn't make sense:

$result = mysql_num_rows($sql);

	if($result['username'] == $user) {
      $report = 'Error: This user already exists!<br>';
  }

$result is an integer, not a result set.

 

But you probably meant

$result = mysql_fetch_array($sql);

	if($result['username'] == $user) {
      $report = 'Error: This user already exists!<br>';
  }

 

That might help, but it's essentially the same thing as what OP had because of the WHERE clause, and the fact that the query will only return rows with the username equal to the $user variable.

 

Also, if that does prove false, you will get an undefined index notice. This isn't bad but if you have error reporting turned on (as was suggested earlier) you will see the error whenever the form was submitted successfully.

Man you really had me going!  Sometimes I hate PHP and equality tests.  You are missing two characters

 

//This code actually CHANGES these two variables to empty strings
if ($user="" or $pass=""){

// it should be this (two equal-signs to test for equality)
if ($user=="" or $pass==""){
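
The checks raised across this thread (validate the raw input before hashing, compare with `==`/`===` rather than `=`, confirm the two password fields match, test for an existing user), collected in one handler as an added example that is not any poster's code. It swaps in PDO prepared statements for the `mysql_*` calls and `password_hash()` for `md5()`; the `register()` helper, the in-memory SQLite table and the sample submissions are assumptions made for the demo (PHP 7.1+ with pdo_sqlite).

```php
<?php
// Added example, not code from the thread. register() and the SQLite
// table are constructed for illustration.

function register(PDO $db, string $user, string $pass, string $confirm): string
{
    // Validate the raw input first: md5('') is still a 32-char string,
    // and '===' compares where a single '=' would assign.
    if (trim($user) === '' || $pass === '') {
        return 'Invalid Username/Password';
    }
    // Compare the two raw password fields before touching the database.
    if ($pass !== $confirm) {
        return 'Passwords do not match';
    }
    // Placeholders keep $user out of the SQL text, so no escaping is needed.
    $check = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $check->execute([$user]);
    if ((int) $check->fetchColumn() > 0) {
        return 'Error: This user already exists!';
    }
    // password_hash() produces a salted, slow hash in place of unsalted md5().
    $insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    try {
        $insert->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        // The PRIMARY KEY also rejects a duplicate that slipped in between
        // the SELECT and the INSERT; anything else is a real failure.
        if ((string) $e->getCode() !== '23000') {
            throw $e;
        }
        return 'Error: This user already exists!';
    }
    return 'Account Successfully Created!';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample submissions: [user, pass, passconfirm]
$samples = [
    ['', 'secret', 'secret'],
    ['alice', 'secret', 'secrte'],
    ['alice', 'secret', 'secret'],
    ['alice', 'other', 'other'],
    ["o'brien", 'pw', 'pw'],
];
foreach ($samples as [$u, $p, $c]) {
    printf("[%s] => %s\n", $u, register($db, $u, $p, $c));
}
```

At login, a hash stored this way is checked with `password_verify()` rather than by re-hashing and comparing strings.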

 
