Modernvox Posted January 27, 2010

This was a straight forward as possible tutorial, so why won't it work? No matter what I do guys the form echoes "congrats you have successfully registered"??? Even if I enter no values in the form? What the hell, man?

My form

```html
<form name="register" action="reg_success.php" method="POST">
<table>
  <tr>
    <td><font face="tahoma" size="2">Name</font></td>
    <td><input type="text" name="regname" size="35" /></td>
    <td><br><br></td>
  </tr>
  <tr>
    <td><font face="tahoma" size="2">State</font></td>
    <td><input type="text" name="regstate" size="35" /></td>
    <td><br><br></td>
  </tr>
  <tr>
    <td><font face="tahoma" size="2">City</font></td>
    <td><input type="text" name="regcity" size="35" /></td>
    <td><br><br></td>
  </tr>
  <tr>
    <td><font face="tahoma" size="2">Email</font></td>
    <td><input type="text" name="regemail" size="35" /></td>
  </tr>
  <tr><td><br></td></tr>
  <tr><td><br></td></tr>
  <tr><td><br></td></tr>
  <tr><td><br></td></tr>
  <tr>
    <td><font face="tahoma" size="2">Choose a username</font></td>
    <td><input type="text" name="username" size="35" /></td>
  </tr>
  <tr><td><br></td></tr>
  <tr>
    <td><font face="tahoma" size="2">Choose a password</font></td>
    <td><input type="password" name="password" size="35" /></td>
  </tr>
  <tr>
    <td><font face="tahoma" size="2">Confirm password</font></td>
    <td><input type="password" name="confirmpass" size="35" /></td>
  </tr>
  <tr><td><br></td></tr>
  <tr><td><br></td></tr>
</table>
<center><input type="submit" name="submit" value="submit" /></center>
</form>
```

Processing:

```php
<?php
$reg_name= $_POST['regname'];
$reg_state= $_POST['regstate'];
$reg_city= $_POST['regcity'];
$reg_email= $_POST['regemail'];
$reg_username= $_POST['username'];
$reg_password= $_POST['password'];
$reg_confirmpass= $_POST['confirmpass'];

if($password != $confirmpass) {
    echo "passwords don't match";
    exit();
    if (strlen($username) > 30) {
        echo "username is too long";
        echo "error";
        exit();
    }
}
$hash = sha1($password);

//creates a 3 character sequence
function createSalt() {
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}

include("DB_cred.inc");
$conn = mysql_connect($dbhost, $dbuser);
mysql_select_db($dbname, $conn);

//sanitize username
$username = mysql_real_escape_string($username);
$query = "INSERT INTO users ( regname, regstate, regcity, regemail, username, password, salt )
          VALUES ( $reg_name', '$reg_state', '$reg_city', '$reg_email', '$reg_username', '$hash' , '$salt' );";
mysql_query($query);
mysql_close();
echo "Congrats you have succesfully registered!";
$salt = createSalt();
$hash = sha1($salt . $hash);
?>
```

gwolgamott Posted January 27, 2010

At a quick glance... I'd say your echo is in an area that is going to execute no matter what, meaning you are not breaking when you want to first off. Make sure you have brackets and whatnot. Second if it is not getting access, logging in and whatever and still displaying instead of the echo just sitting there use something like this:

```php
if (($password == $confirmpass) && (strlen($username) < 30)) {
    echo "Congrats! You've successfully registered!";
}
```

Better yet put all the code you want to execute on success inside that if statement is what I'd do anyways just to be safe.

Omirion Posted January 27, 2010

I'm a newbie as well but

```php
$reg_password= $_POST['password'];
$reg_confirmpass= $_POST['confirmpass'];
if($password != $confirmpass)
```

Seems to me you are checking the vars $password and $confirmpass. And the vars you put the POST values in are $reg_password and $reg_confirmpass.

```php
if (strlen($username) > 30) {
    echo "username is too long";
    echo "error";
    exit();
}
```

Same thing, $reg_username is the var you are looking for. Also you might want to add a check if the username and/or pass field is empty. Hope this helps to some extent.

Modernvox Posted January 27, 2010

Thanks guyz, I will check this now, also though one more question is this..... I'm using a wysiwyg editor/site builder and it has all this stuff in it i.e. login, registration and even file uploads, but I have been reluctant to use it in fear I will never learn how to create these things raw. Am I correct in this projection?? Thanks again, guyz:-)

gwolgamott Posted January 27, 2010

> Seems to me you are checking the vars $password and $confirmpass And the vars you put the POST values in are $reg_password and $reg_confirmpass

Overlooked that too, Omirion is right. That's why I'd structure my code as I mentioned above going something like this that way you know if your checks are even working. My bad for just glancing at that. Hope we helped you.

```
if(check for success here){
    yay it works do something now
}
if(check for failure here){
    if it didn't work it should go here... tell me what went wrong..(ie bad password)
}
else{
    General fail code goes here saying it somehow didn't go to either of my checks that it should go to! FATAL ERROR!
}
```

gwolgamott Posted January 27, 2010

> Thanks guyz, I will check this now, also though one more question is this..... I'm using a wysiwyg editor/site builder and it has all this stuff in it i.e. login, registration and even file uploads, but I have been reluctant to use it in fear I will never learn how to create these things raw. Am I correct in this projection?? Thanks again, guyz:-)

I still code using nothing but straight-up notepad style editors. Or sometimes an editor that highlights the language I'm using. Like the code when using this page. But start playing around with code created by that program to see what it does. Sometimes a WYSIWYG will teach you bad habits, and still it's hard to learn I find with something as complex as PHP and I started out being trained with C++ and PERL and still tripped up with PHP at times.

PFMaBiSmAd Posted January 27, 2010

> This was a straight forward as possible

It is a little too minimal.

You should also be learning php, developing php code, and debugging php code on a system with error_reporting set to E_ALL and display_errors set to ON in your master php.ini so that php would help you by displaying all the errors it detects (for example there is no code setting the variables you are using in the body of your script, you are however setting variables starting with $reg_xxxxxx.)

The form processing code (in a real application) would check a bunch of things that the code you posted is not doing -

1) That the form has been submitted before doing anything (is the submit button $_POST variable set?)

2) That $password and $confirmpass actually have something in them before testing if they are not equal (an empty string is equal to an empty string and will pass the current test.)

3) Check if the username is empty.

4) Have error checking logic on all the mysql_ function calls (check if they worked or failed, output a meaningful user error message when they fail and log and/or display system information so that you can find and fix the problem that is causing them to fail, and take appropriate action upon an error so that you don't produce other errors or insert non-existent data...)

5) Escape all the string data being put into a query. Only one variable is being escaped now.

6) After testing if the mysql_query() executed without error (see my item #4 above), use mysql_affected_rows() to determine if the INSERT query actually inserted the row before echoing a message that the registration was successful.

7) You would also want to check (or enforce using unique indexes in the table) if some of the values are unique, such as the username and email address.

Modernvox Posted January 27, 2010

Very well said....Thanks a bunch. I will now go edit my php.ini file and read, write, debug and repeat these steps until I am confident in my coding.

I have been learning this php stuff for about 4 months now, I feel I am learning at a very poor pace? Thanks guyz

Omirion Posted January 27, 2010

> Am I correct in this projection??

I have never used site builders so I can't tell you if it's sufficient. But you are 100% right. My advice is if you HAVE to use them do it. But start building your own piece by piece. Because in terms of security I think that personally coded logins and whatnot are better. When/if you start building your own go heavy on the security factor, ask for good books on the subject. Sorry I can't give you a link to some but I haven't really gotten to that point myself yet.

Some ideas on your code.

1: 30 chars is a lot. Go 10-12 max (username).

2: Separate form details from DB update (error handling). If form is a go echo Form is correct. If everything is OK "success".

2A: Check if fields are empty (if (empty($var))).

2Aa: An idea for an easy way. Insert all vars into an array and do a foreach loop.

2B: Check if database connection is established. Error handle it like say: echo Database connection error; exit();
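
Added example (not part of any post in this thread): a registration handler that applies PFMaBiSmAd's checklist and Omirion's loop over the fields to catch empty values. It swaps the thread's mysql_* calls and salted sha1 for PDO prepared statements and password_hash(); the register_user() name, the in-memory SQLite table and the sample values are assumptions made for the demonstration.

```php
<?php
// Added example; register_user(), the table layout and the sample data are assumptions.
function register_user(PDO $db, array $post): array
{
    if (!isset($post['submit'])) {              // 1) was the form submitted at all?
        return ['form not submitted'];
    }
    $fields = ['regname', 'regstate', 'regcity', 'regemail',
               'username', 'password', 'confirmpass'];
    $in = $errors = [];
    foreach ($fields as $f) {                   // 2) + 3) reject missing or empty fields
        $in[$f] = is_string($post[$f] ?? null) ? $post[$f] : '';
        if ($in[$f] === '') {
            $errors[] = "$f is required";
        }
    }
    if ($in['password'] !== $in['confirmpass']) {
        $errors[] = "passwords don't match";
    }
    if (strlen($in['username']) > 30) {
        $errors[] = 'username is too long';
    }
    if ($errors) {
        return $errors;                         // never reach the INSERT with bad input
    }
    try {
        $stmt = $db->prepare(                   // 5) all values bound, none concatenated
            'INSERT INTO users (regname, regstate, regcity, regemail, username, password)
             VALUES (?, ?, ?, ?, ?, ?)');
        $stmt->execute([$in['regname'], $in['regstate'], $in['regcity'], $in['regemail'],
            $in['username'], password_hash($in['password'], PASSWORD_DEFAULT)]);
        // 6) report success only if exactly one row was written
        return $stmt->rowCount() === 1 ? [] : ['registration failed'];
    } catch (PDOException $e) {                 // 4) + 7) DB errors, incl. UNIQUE violations
        error_log($e->getMessage());
        return ['could not register: username or email taken, or database error'];
    }
}
// Constructed demo: in-memory SQLite, unique indexes on username and email.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (regname TEXT, regstate TEXT, regcity TEXT,
           regemail TEXT UNIQUE, username TEXT UNIQUE, password TEXT)');
$ok = ['submit' => 'submit', 'regname' => 'Ann', 'regstate' => 'MA', 'regcity' => 'Boston',
       'regemail' => 'ann@example.test', 'username' => 'ann',
       'password' => 'correct horse', 'confirmpass' => 'correct horse'];
print_r(register_user($db, ['submit' => 'submit']));  // blank form, as in the question
print_r(register_user($db, $ok));                     // valid registration
print_r(register_user($db, $ok));                     // same username and email again
```

An empty array means the row was written; anything else is the list of reasons to show the user, so the success message can only be printed when registration really happened.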