pwmusic@gmail.com Posted May 27, 2010

Hi all

I'm a relative newbie to PHP but have been programming for 15+ years. I have created a PHP page for users to register their details which works fine when a user enters their details correctly but if they enter an email address that is already in use and then correct it, none of the form fields are passed through to the form submission page. (I have included the relevant value="'<?php $_POST['forename']?>" where necessary and these values are displayed when the form redisplays.)

Apologies if this is a very basic question but I've been stuck on this for a number of days now and although I can't really afford any more time trying to resolve this I know I have to get it right.

Thanks in advance.

My code is as follows:

    <?php
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Fri, 31 Dec 1999 00:00:00 GMT");
    include('/inc/db.php');

    $email_msg = '';

    if (!empty($_POST)) {
        $email = mysql_real_escape_string($_POST['email']);
        $query = mysql_query("SELECT * FROM table WHERE email = '$email'");
        $check = mysql_num_rows($query);
        if ($check > 0) {
            $email_msg = "<label for='email' class='error'>This email address is already in use</label>";
            $forename = mysql_real_escape_string($_POST['forename']);
            $surname = mysql_real_escape_string($_POST['surname']);
            $username = mysql_real_escape_string($_POST['username']);
            $password = mysql_real_escape_string($_POST['password']);
            $password2 = mysql_real_escape_string($_POST['password2']);
            $email = mysql_real_escape_string($_POST['email']);
            $dob = mysql_real_escape_string($_POST['dob']);
        } else {
            // register_db.php doesn't receive a value for $_POST['forename'] or any of the other fields
            header('location: /inc/register_db.php');
            exit;
        }
    }

    echo "
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
    <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
    <head>
    <script type='text/javascript' src='/js/jquery-1.3.2.min.js'></script>
    <script type='text/javascript' src='/js/jquery.validate.pack.js'></script>
    <link rel='stylesheet' type='text/css' media='projection, screen' href='/css/ui-lightness/jquery-ui-1.7.2.custom.css' />
    </head>
    <body id='register-body'>
    <div id='page-header'>
      <div id='logo'>
        <h1><a accesskey='1' href='index.php'>HOMEPAGE</a></h1>
      </div>
    </div>
    <div id='register-page'>
      <form id='register-details' method='post' action='/inc/register_db.php'>
        <div id='column1'>
          <h3><label for='forename'>FORENAME</label></h3>
          <input type='text' id='forename' name='forename' class='required' tabindex='1000' value='$forename' />
          <br /> <br />
          <h3><label for='surname'>SURNAME</label></h3>
          <input type='text' id='surname' name='surname' class='required' tabindex='1010' value='$surname' />
          <br /> <br />
          <h3><label for='username'>USERNAME</label></h3>
          <input type='text' id='username' name='username' class='required' tabindex='1020' value='$username' />
          <br /> <br />
          <h3><label for='password'>PASSWORD</label></h3>
          <input type='password' id='password' name='password' class='required' tabindex='1030' value='$password' />
          <br /> <br />
          <h3><label for='password2'>RETYPE PASSWORD</label></h3>
          <input type='password' id='password2' name='password2' class='required' tabindex='1040' value='$password2' />
          <br />
        </div>
        <div id='column2'>
          <h3><label for='email'>EMAIL ADDRESS</label></h3>
          <input type='text' id='email' name='email' class='required email' tabindex='1050' value='$email' />
          $email_msg
          <br />
        </div>
        <div id='column3'>
          <h3><label for='country'>LOCATION</label></h3>
          <select id='country' name='country' class='required' tabindex='1060'>
            <option value=''>Please select</option>
            <option value='1'>United Kingdom</option>
            <option value='2'>United States</option>
            <option value='3'>Canada</option>
          </select><br />
        </div>
        <div id='column4'>
          <h3><label for='dob'>DATE OF BIRTH</label></h3>
          <input type='text' id='dob' name='dob' class='required date' tabindex='1070' value='$dob' />
          <br />
          <input type='submit' id='register-button' name='register-button' value='register!' />
        </div>
      </form>
    </div>
    </body>
    </html>";
    ?>

-Karl- Posted May 27, 2010

    <?php
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Fri, 31 Dec 1999 00:00:00 GMT");
    include('/inc/db.php');

    $email_msg = '';

    if (!empty($_POST)) {
        $email = mysql_real_escape_string($_POST['email']);
        $query = mysql_query("SELECT * FROM table WHERE email = '$email'");
        $check = mysql_num_rows($query);
        if ($check > 0) {
            $email_msg = "<label for='email' class='error'>This email address is already in use</label>";
            $forename = mysql_real_escape_string($_POST['forename']);
            $surname = mysql_real_escape_string($_POST['surname']);
            $username = mysql_real_escape_string($_POST['username']);
            $password = mysql_real_escape_string($_POST['password']);
            $password2 = mysql_real_escape_string($_POST['password2']);
            $email = mysql_real_escape_string($_POST['email']);
            $dob = mysql_real_escape_string($_POST['dob']);
        } else {
            // register_db.php doesn't receive a value for $_POST['forename'] or any of the other fields
            header('location: /inc/register_db.php');
            exit;
        }
    }

    echo "
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
    <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
    <head>
    <script type='text/javascript' src='/js/jquery-1.3.2.min.js'></script>
    <script type='text/javascript' src='/js/jquery.validate.pack.js'></script>
    <link rel='stylesheet' type='text/css' media='projection, screen' href='/css/ui-lightness/jquery-ui-1.7.2.custom.css' />
    </head>
    <body id='register-body'>
    <div id='page-header'>
      <div id='logo'>
        <h1><a accesskey='1' href='index.php'>HOMEPAGE</a></h1>
      </div>
    </div>
    <div id='register-page'>
      <form id='register-details' method='post' action='/inc/register_db.php'>
        <div id='column1'>
          <h3><label for='forename'>FORENAME</label></h3>
          <input type='text' id='forename' name='forename' class='required' tabindex='1000' value='".$forename."' />
          <br /> <br />
          <h3><label for='surname'>SURNAME</label></h3>
          <input type='text' id='surname' name='surname' class='required' tabindex='1010' value='".$surname."' />
          <br /> <br />
          <h3><label for='username'>USERNAME</label></h3>
          <input type='text' id='username' name='username' class='required' tabindex='1020' value='".$username."' />
          <br /> <br />
          <h3><label for='password'>PASSWORD</label></h3>
          <input type='password' id='password' name='password' class='required' tabindex='1030' value='".$password."' />
          <br /> <br />
          <h3><label for='password2'>RETYPE PASSWORD</label></h3>
          <input type='password' id='password2' name='password2' class='required' tabindex='1040' value='".$password2."' />
          <br />
        </div>
        <div id='column2'>
          <h3><label for='email'>EMAIL ADDRESS</label></h3>
          <input type='text' id='email' name='email' class='required email' tabindex='1050' value='".$email."' />
          $email_msg
          <br />
        </div>
        <div id='column3'>
          <h3><label for='country'>LOCATION</label></h3>
          <select id='country' name='country' class='required' tabindex='1060'>
            <option value=''>Please select</option>
            <option value='1'>United Kingdom</option>
            <option value='2'>United States</option>
            <option value='3'>Canada</option>
          </select><br />
        </div>
        <div id='column4'>
          <h3><label for='dob'>DATE OF BIRTH</label></h3>
          <input type='text' id='dob' name='dob' class='required date' tabindex='1070' value='".$dob."' />
          <br />
          <input type='submit' id='register-button' name='register-button' value='register!' />
        </div>
      </form>
    </div>
    </body>
    </html>";
    ?>

Try that.

Andy-H Posted May 27, 2010

Why are you posting the form to /inc/register_db.php and performing a header redirect to that page when the form data is correct? The postdata will not be passed to the page in a header redirect. And in the case that the form is filled out incorrectly, the page will still be directed to /inc/register_db.php because of the form action.

Also, you don't need to mysql_real_escape_string the data if you aren't using it for a query, to protect it from javascript injection use htmlentities.

Psycho Posted May 27, 2010

When you do a header() to redirect to another page it is considered a new request from the server - POST values are not sent. Instead, you should simply do an include. Here is the page with that correction and a little more rewrite as well.

    <?php
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Fri, 31 Dec 1999 00:00:00 GMT");
    include('/inc/db.php');

    $email_msg = '';

    if (!empty($_POST)) {
        $email = trim($_POST['email']);
        $sql_email = mysql_real_escape_string($email);
        $query = "SELECT email FROM table WHERE email = '{$sql_email}'";
        $result = mysql_query($query);
        $check = mysql_num_rows($result);
        if ($check > 0) {
            $email_msg = "<label for='email' class='error'>This email address is already in use</label>";
            //The following lines should NOT use mysql_real_escape_string() as they
            //will change the values if any characters are escaped. Instead, you
            //should use trim
            $forename = trim($_POST['forename']);
            $surname = trim($_POST['surname']);
            $username = trim($_POST['username']);
            $password = trim($_POST['password']);
            $password2 = trim($_POST['password2']);
            $email = trim($_POST['email']);
            $dob = trim($_POST['dob']);
        } else {
            // register_db.php doesn't receive a value for $_POST['forename'] or any of the other fields
            include('/inc/register_db.php');
            exit();
        }
    }
    ?>
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <script type="text/javascript" src="/js/jquery-1.3.2.min.js"></script>
    <script type="text/javascript" src="/js/jquery.validate.pack.js"></script>
    <link rel="stylesheet" type="text/css" media="projection, screen" href="/css/ui-lightness/jquery-ui-1.7.2.custom.css" />
    </head>
    <body id="register-body">
    <div id="page-header">
      <div id="logo">
        <h1><a accesskey="1" href="index.php">HOMEPAGE</a></h1>
      </div>
    </div>
    <div id="register-page">
      <form id="register-details" method="post" action="/inc/register_db.php">
        <div id="column1">
          <h3><label for="forename">FORENAME</label></h3>
          <input type="text" id="forename" name="forename" class="required" tabindex="1000" value="<?php echo $forename; ?>" />
          <br /><br />
          <h3><label for="surname">SURNAME</label></h3>
          <input type="text" id="surname" name="surname" class="required" tabindex="1010" value="<?php echo $surname; ?>" />
          <br /><br />
          <h3><label for="username">USERNAME</label></h3>
          <input type="text" id="username" name="username" class="required" tabindex="1020" value="<?php echo $username; ?>" />
          <br /><br />
          <h3><label for="password">PASSWORD</label></h3>
          <input type="password" id="password" name="password" class="required" tabindex="1030" value="<?php echo $password; ?>" />
          <br /><br />
          <h3><label for="password2">RETYPE PASSWORD</label></h3>
          <input type="password" id="password2" name="password2" class="required" tabindex="1040" value="<?php echo $password2; ?>" />
          <br />
        </div>
        <div id="column2">
          <h3><label for="email">EMAIL ADDRESS</label></h3>
          <input type="text" id="email" name="email" class="required email" tabindex="1050" value="<?php echo $email; ?>" />
          <?php echo $email_msg; ?>
          <br />
        </div>
        <div id="column3">
          <h3><label for="country">LOCATION</label></h3>
          <select id="country" name="country" class="required" tabindex="1060">
            <option value="">Please select</option>
            <option value="1">United Kingdom</option>
            <option value="2">United States</option>
            <option value="3">Canada</option>
          </select><br />
        </div>
        <div id="column4">
          <h3><label for="dob">DATE OF BIRTH</label></h3>
          <input type="text" id="dob" name="dob" class="required date" tabindex="1070" value="<?php echo $dob; ?>" />
          <br />
          <input type="submit" id="register-button" name="register-button" value="register!" />
        </div>
      </form>
    </div>
    </body>
    </html>

Andy-H Posted May 27, 2010

@mjdamato You also need to change the form action to $_SERVER['PHP_SELF'];

Alex Posted May 27, 2010

> @mjdamato You also need to change the form action to $_SERVER['PHP_SELF'];

You should never use $_SERVER['PHP_SELF'] as your form action, it leaves you vulnerable to XSS attacks. It's a better idea to just type the name of the file.

Andy-H Posted May 27, 2010

Then use htmlentities($_SERVER['PHP_SELF']) ?

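
Added example (not part of the thread): the forms posted here put the action in a single-quoted attribute, and htmlentities() only escapes single quotes when ENT_QUOTES is in effect, which became its default in PHP 8.1. The script below renders a constructed PHP_SELF value four ways and reports whether the attribute stays intact; the sample value and the helper names render_form_tag() and attribute_is_intact() are hypothetical.

```php
<?php
// Added example, not code from the thread.
// Constructed value: PHP_SELF echoes back any extra path text that follows
// the script name in the requested URL.
$phpSelf = "/reg.php/'><b>injected</b>";

// Render the form tag the way the thread's pages do (single-quoted attributes).
function render_form_tag($action)
{
    return "<form method='post' action='" . $action . "'>";
}

// True when the tag still consists of exactly the two expected attributes,
// i.e. nothing inside the action value closed the quote early.
function attribute_is_intact($html)
{
    return preg_match("/^<form method='post' action='[^'<>]*'>$/", $html) === 1;
}

$variants = array(
    'raw PHP_SELF'             => $phpSelf,
    'htmlentities, ENT_COMPAT' => htmlentities($phpSelf, ENT_COMPAT, 'UTF-8'),
    'htmlentities, ENT_QUOTES' => htmlentities($phpSelf, ENT_QUOTES, 'UTF-8'),
    'fixed file name'          => 'reg.php',
);

foreach ($variants as $label => $action) {
    $html = render_form_tag($action);
    printf("%-26s %-8s %s\n", $label, attribute_is_intact($html) ? 'intact' : 'BROKEN', $html);
}
```

With ENT_COMPAT the angle brackets are escaped but the single quote is not, so the action value still ends early; ENT_QUOTES or a fixed file name keeps it intact.
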
pwmusic@gmail.com Posted May 29, 2010 Author

Hey guys

Many thanks for your suggestions. I've changed the form to attempt to incorporate them but have had no success at all so tonight I created a minimal version so that I can post it here. Hopefully someone will be able to see whatever stupid mistake I've made...

The version of reg.php as it currently exists doesn't seem to hit any of the php code that performs validation. If I change it to post to itself (form action='reg.php') nothing ever gets submitted and the php validation code never seems to be run either.

If anyone could help I'd be extremely grateful.

Many thanks

    <?php
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Fri, 31 Dec 1999 00:00:00 GMT");
    include('/inc/db.php');

    $email_msg = '';
    $forename = '';
    $surname = '';
    $email = '';

    if (!empty($_POST)) {
        $email = mysql_real_escape_string($_POST['email']);
        $query = mysql_query("SELECT mem_email FROM member WHERE mem_email = '$email'");
        $check = mysql_num_rows($query);
        if ($check > 0) {
            $email_msg = "<label for='email' class='error'>This email address is already in use</label>";
            $forename = $_POST['forename'];
            $surname = $_POST['surname'];
            $email = $_POST['email'];
        } else {
            // register_db.php doesn't receive a value for $_POST['forename'] or any of the other fields
            $email_msg = "It's all ok!";
            include('/inc/register_db.php');
            exit();
        }
    }
    ?>
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
    <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
    <head>
    </head>
    <body id='register-body'>
    <div id='register-page'>
      <form id='register-details' method='post' action='/inc/register_db.php'>
        <div id='column1'>
          <h3><label for='forename'>FORENAME</label></h3>
          <input type='text' id='forename' name='forename' class='required' tabindex='1000' value='<?php $forename;?>' />
          <h3><label for='surname'>SURNAME</label></h3>
          <input type='text' id='surname' name='surname' class='required' tabindex='1010' value='<?php $surname;?>' />
          <h3><label for='email'>EMAIL ADDRESS</label></h3>
          <input type='text' id='email' name='email' class='required email' tabindex='1050' value='<?php $email;?>' />
          <?php $email_msg;?>
          <br />
          <input type='submit' id='register-button' name='register-button' value='register!' />
        </div>
      </form>
    </div>
    </body>
    </html>

Andy-H Posted May 29, 2010

    <?php
    header("Cache-Control: no-cache, must-revalidate");
    header("Expires: Fri, 31 Dec 1999 00:00:00 GMT");
    include('/inc/db.php');

    $email_msg = '';
    $forename = isset($_POST['forename']) ? $_POST['forename'] : '';
    $surname = isset($_POST['surname']) ? $_POST['surname'] : '';
    $email = isset($_POST['email']) ? $_POST['email'] : '';

    if (!empty($_POST)) {
        if (!filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
            $email_msg = "<label for='email' class='error'>This email address is not a valid email address</label>";
        } else {
            $email = mysql_real_escape_string($email);
            $query = mysql_query("SELECT mem_email FROM member WHERE mem_email = '$email' LIMIT 1");
            $check = mysql_num_rows($query);
            if ($check > 0) {
                $email_msg = "<label for='email' class='error'>This email address is already in use</label>";
            } else {
                // register_db.php doesn't receive a value for $_POST['forename'] or any of the other fields
                $email_msg = "It's all ok!";
                $forename = mysql_real_escape_string($forename);
                $surname = mysql_real_escape_string($surname);
                include('/inc/register_db.php');
                exit();
            }
        }
    }
    ?>
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
    <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
    <head>
    </head>
    <body id='register-body'>
    <div id='register-page'>
      <form id='register-details' method='post' action='<?php echo htmlentities($_SERVER['PHP_SELF']); ?>'>
        <div id='column1'>
          <h3><label for='forename'>FORENAME</label></h3>
          <input type='text' id='forename' name='forename' class='required' tabindex='1000' value='<?php echo $forename;?>' />
          <h3><label for='surname'>SURNAME</label></h3>
          <input type='text' id='surname' name='surname' class='required' tabindex='1010' value='<?php echo $surname;?>' />
          <h3><label for='email'>EMAIL ADDRESS</label></h3>
          <input type='text' id='email' name='email' class='required email' tabindex='1050' value='<?php echo $email;?>' />
          <?php echo $email_msg;?>
          <br />
          <input type='submit' id='register-button' name='register-button' value='register!' />
        </div>
      </form>
    </div>
    </body>
    </html>

The Eagle Posted May 29, 2010

> Also, you don't need to mysql_real_escape_string the data if you aren't using it for a query, to protect it from javascript injection use htmlentities

Andy-H is right. You should stop using these for safety precautions.

pwmusic@gmail.com Posted May 29, 2010 Author

Hi all

Many thanks for your help and suggestions with this problem. I have now got it working!

The changes I made (and I appreciate some of them might not have had any effect on the original problem!) were:

* Removing the calls to mysql_real_escape_string() and replacing them with trim()
* Replacing header("location:/inc/register_db.php") with include("inc/register_db.php")
* Changing form action from /inc/register_db.php to <?php echo htmlentities($_SERVER['PHP_SELF']); ?>
* Changing all html value clauses from value='$forename' to value='<?php echo $forename?>'
* Removing 'echo ' from around all html (only a newbie would have thought they were necessary;-)

Unfortunately I couldn't incorporate filter_input() as I'm running on PHP version 4.

(I think there may be a few more changes that I made but it's late and I've spent a week of late nights trying to fix this so I'm off to bed)

Many many thanks again to all of those who helped and have improved my php coding immensely in just a few short days.

Patrick

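
Added example (not from the thread), putting the posters' points together: the POST data is handled in the request that received it, the raw value reaches SQL through a bound parameter, and HTML escaping happens only at output. It uses PDO with a constructed in-memory SQLite table in place of the mysql_* functions, which were removed in PHP 7.0; the table and column names follow the later posts, and handle_registration() and h() are hypothetical names.

```php
<?php
// Added example, not code from the thread. The SQLite database and its
// rows are constructed so the script runs on its own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE member (mem_email TEXT PRIMARY KEY, forename TEXT, surname TEXT)");
$db->exec("INSERT INTO member VALUES ('taken@example.com', 'Ann', 'Lee')");

// HTML context: escape at output time, single and double quotes included.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Validate and store in the same request that received the POST data.
// Returns array(ok, message, values to redisplay).
function handle_registration(PDO $db, array $post)
{
    $values = array();
    foreach (array('forename', 'surname', 'email') as $field) {
        $values[$field] = isset($post[$field]) ? trim($post[$field]) : '';
    }

    // SQL context: bound parameters, so the raw value is never altered.
    $stmt = $db->prepare('SELECT 1 FROM member WHERE mem_email = ?');
    $stmt->execute(array($values['email']));
    if ($stmt->fetchColumn() !== false) {
        return array(false, 'This email address is already in use', $values);
    }

    $insert = $db->prepare('INSERT INTO member (mem_email, forename, surname) VALUES (?, ?, ?)');
    $insert->execute(array($values['email'], $values['forename'], $values['surname']));
    return array(true, 'Registered', $values);
}

// Constructed submissions: a duplicate email, then the corrected one.
$first  = array('forename' => "Pat'><i>x", 'surname' => "O'Brien", 'email' => 'taken@example.com');
$second = array_merge($first, array('email' => 'new@example.com'));

foreach (array($first, $second) as $post) {
    list($ok, $message, $values) = handle_registration($db, $post);
    echo h($message), "\n";
    if (!$ok) {
        // Redisplay in the same single-quoted attribute style as the thread's form.
        echo "<input type='text' name='forename' value='", h($values['forename']), "' />\n";
        echo "<input type='text' name='surname' value='", h($values['surname']), "' />\n";
    }
}

// The stored surname is the raw value, not a backslash-escaped one.
echo $db->query("SELECT surname FROM member WHERE mem_email = 'new@example.com'")->fetchColumn(), "\n";
```
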