Dark57 Posted April 13, 2010

Ok so for some reason my code is allowing duplicate entries to be submitted and even blank entries. I'm not sure why, it's like it's skipping the entire checking process and going straight to entering it into the database. I've been fiddling with it for a day or two, trying different things and this is what I have right now, this set of code comes after it checks to see if the input fields are empty. Can anyone see anything wrong with this?

```php
//If not empty, compare emails to database
$sql = "SELECT COUNT(*) FROM mytable WHERE email = '$email'";
$result = mysql_query($sql);
if($result) {
    if(mysql_num_rows($result) == 1) {
        $count = (int)mysql_result($result, 0, 0);
        if($count > 0) {
            $_SESSION['emailfail']=1;
            header("location:register_fail.php");
        }
    }
}
$sql = "SELECT COUNT(*) FROM mytable WHERE username = '$username'";
$result = mysql_query($sql);
if($result) {
    if(mysql_num_rows($result) == 1) {
        $count = (int)mysql_result($result, 0, 0);
        if($count > 0) {
            $_SESSION['usernamefail']=1;
            header("location:register_fail.php");
        }
    }
}
else {
    //If emails aren't duplicates, write to file.
    // To protect MySQL injection
    $username = stripslashes($username);
    $password = stripslashes($password);
    $email = stripslashes($email);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    $password = mysql_real_escape_string($email);
    $password = md5($password);
    $register="INSERT INTO $tbl_name (username, password, email) VALUES ('$username','$password','$email')";
    if (!mysql_query($register,$con)) {
        die('Error: ' . mysql_error());
    }
    header("location:register_success.php");
}
```
trq Posted April 13, 2010

You need to call exit after any calls to header to prevent the script from continuing to execute.

[Off-topic] This piece of logic might also want looking at.

```php
$password = mysql_real_escape_string($password);
$password = mysql_real_escape_string($email);
$password = md5($password);
```
Dark57 Posted April 13, 2010

So after each header() I should put exit();? That won't affect the rest of the script from running, correct?
ddubs Posted April 14, 2010

Having the statements in if()'s is fine, have you tried echoing out the data you are "if'ing" to see what's actually in it? Have you tested your queries to verify they return the proper results you are expecting?
PFMaBiSmAd Posted April 14, 2010

Also, your else{} clause that contains the INSERT query will be executed when the query that is testing the username fails due to an error in the query (i.e. $result is false), so I would guess that there is some problem with your database server or the query has a problem with the table or column name.

Both of the if($result) tests should have an else{} clause that handles your error reporting for when the queries fail. For debugging purposes, you could echo mysql_error() in the else{} code to determine why the query is failing.
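
The two points made above (stop after every redirect, and never let a failed query fall through to the INSERT) in one place, as an added example that is not code from this thread. It swaps in PDO prepared statements and password_hash() for the thread's mysql_* calls and md5(); the `users` table, its UNIQUE columns, the function names and the sample values are assumptions.

```php
<?php
// Added example: table layout, names and sample values are assumptions.
function register_user(PDO $db, string $username, string $password, string $email): string
{
    // Reject blank fields before touching the database.
    if (trim($username) === '' || $password === '' || trim($email) === '') {
        return 'blank';
    }
    try {
        // Bound parameters: no value is ever pasted into the SQL string.
        $check = $db->prepare('SELECT email FROM users WHERE username = ? OR email = ?');
        $check->execute([$username, $email]);
        foreach ($check as $row) {
            return strcasecmp($row['email'], $email) === 0 ? 'emailfail' : 'usernamefail';
        }
        $insert = $db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
        $insert->execute([$username, password_hash($password, PASSWORD_DEFAULT), $email]);
        return 'ok';
    } catch (PDOException $e) {
        // A failed query, or a UNIQUE violation from a concurrent signup,
        // ends here and never falls through to the INSERT or the success page.
        error_log($e->getMessage());
        return 'error';
    }
}

function redirect(string $page): void
{
    header("Location: $page");
    exit; // without this the rest of the script keeps running
}

// Constructed demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT UNIQUE, password TEXT, email TEXT UNIQUE)');

$attempts = [
    ['alice', 'pw-one',   'alice@example.test'],
    ['alice', 'pw-two',   'other@example.test'],  // duplicate username
    ['bob',   'pw-three', 'alice@example.test'],  // duplicate email
    ['',      'pw-four',  'carol@example.test'],  // blank username
];
foreach ($attempts as [$u, $p, $e]) {
    echo str_pad($u, 6), register_user($db, $u, $p, $e), "\n";
}
// In the registration page itself:
// redirect($status === 'ok' ? 'register_success.php' : 'register_fail.php');
```
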
Dark57 Posted April 14, 2010

Hrm, well I changed something and now I can't get a successful login. Now it always fails, I will have to play with it some more tomorrow.
trq Posted April 14, 2010

> Hrm, well I changed something and now I can't get a successful login. Now it always fails, I will have to play with it some more tomorrow.

Likely because of the password logic I pointed out originally.
Dark57 Posted April 14, 2010

No I mean registration success. I changed the

```php
$password = mysql_real_escape_string($email);
```

to

```php
$email = mysql_real_escape_string($email);
```

Now every time I try to register any name it says I can't complete it for every reason I told it to detect.
litebearer Posted April 14, 2010

Pseudo code...

```
$t_user = sanitized user name from form
$t_email = sanitized email from form
query = select * from table where username = '$t_user' OR email = '$t_email'
$num_records = count of query results
if $num_records > 0
    send back to form page
else
    enter data in table and move to login success page
```

```php
<?PHP
session_start();
/*
check to see if form submitted
check to see if form data is present
get and sanitize the form data
connect to database
*/
// Reset both failure flags for this attempt
$_SESSION['emailfail'] = 0;
$_SESSION['usernamefail'] = 0;

// Flag an email that is already registered
$sql = "SELECT * FROM mytable WHERE email = '$email'";
$result = mysql_query($sql);
$number = mysql_num_rows($result);
if ($number > 0) {
    $_SESSION['emailfail'] = 1;
}

// Flag a username that is already registered
$sql = "SELECT * FROM mytable WHERE username = '$username'";
$result = mysql_query($sql);
$number = mysql_num_rows($result);
if ($number > 0) {
    $_SESSION['usernamefail'] = 1;
}

// Either flag set: send the visitor to the failure page and stop
if ($_SESSION['emailfail'] > 0 OR $_SESSION['usernamefail'] > 0) {
?>
<meta http-equiv="Refresh" content="0;url=register_fail.php">
<?PHP
    exit();
}
/*
process and insert data into data base here
then...
*/
?>
<meta http-equiv="Refresh" content="0;url=register_success.php">
<?PHP
exit();
?>
```
Dark57 Posted April 14, 2010

litebearer, in your code I don't see where it's comparing the strings entered into the form and the entries in the database. I don't see what your code is accomplishing without this.
litebearer Posted April 14, 2010

Dark... this portion

```php
/*
check to see if form submitted
check to see if form data is present
get and sanitize the form data
connect to database
*/
```

was meant for him to actually do. He was to replace that comment with the actual code for doing so. When that is accomplished, then $email and $username will contain the values from his form page. Therefore the queries WILL check to see if either the username and/or the email are already in the database (make sense or am I missing something)
Dark57 Posted April 14, 2010

Oh I didn't get that part from your comment.