Help with PHP registration script

[chunkymonkey11]

Hey Guys!

 

I have ran into a problem that is above my level of PHP knowledge.

 

I have been working on a registration script. My database is XAMPP and my table name is member. The fields inside member are as follow: id, businessname, username, password, sign_up_date, email, taxnumber, account_permissions, email_activation

 

(I am working on helping my Uncle create a website for his consulting company, and he said he needs these fields)

 

Anyways, I went on to create this php file (code below) called register.php it has html in it and I saved the file in htdocs.

 

When I saved it, I went on to test it, and for some strange reason when I put nothing in the fields is should say: All fields are required, but for some strange reason when I click Create Account nothing happens. Just seems like it takes a second to refresh and that's it. It does not even tell me: All fields are required. Any help would be appreciated, and I'm a newbie so an explanation would also be great.

 

<?php

error_reporting(0);

if($_POST['submit'])

{

$businessname= $_POST['businessname'];

$username = $_POST['username'];

$password = $_POST['password'];

$password1 = $_POST['password1'];

$email = $_POST['email'];

$taxnumber = $_POST['taxnumber'];

 

$enc_password = md5($password);

 

if($businessname && $username && $password && $password1 && $email && $taxnumber)

{

if(strlen($businessname)>40)

{

echo "Your Business Name is too long";

}

 

if(strlen($username)>15)

{

echo "Your username is too long";

}

else

{

if(strlen($password)>15 || strlen($password)<6)

{

echo "Your password must be between 6 and 15 characters";

}

if($password == $password1)

{

$connect = mysql_connect("127.0.0.1","root","") or die ("Couldnt connect to database");

mysql_select_db("test_database") or die ("Couldnt find database");

$query = mysql_query ("INSERT INTO member VALUES ('','$businessname','$usersname','$enc_password','$email','taxnumber')");

die("Registration Complete! <a href='index.html'>Click here to login</a>");

}

else

{

echo "Passwords must match";

}

}

}

else echo "All fields are required";

}

 

?>

 

<style type="text/css">

#apDiv1 {

position:absolute;

left:739px;

top:79px;

width:313px;

height:325px;

z-index:1;

}

</style>

<div id="apDiv1">

  <form action="register.php" method="POST">

    Business Name:

    <input type="text" name="businessname" value="">

    <p> Username:

      <input type="text" name="username" value"">

    <p> Password:

      <input type="password" name="password">

    <p> Re-Enter Password:

      <input type="password1" name="password1">

    <p> Email:

      <input type"text" name="email">

    <p> Federal Tax ID:

      <input type="text" name="taxnumber" value="">

    <p>

      <input type="submit" value="Create Account">

    <p> 

  </form>

</div>

 

 

[krash11554]

The last } needs to be above the else

 echo 'All fields are required'

.

[chunkymonkey11]

Hey krash11554, thanks for replying.

 

When I put the } above else

 

  }

    }

    else echo "All fields are required";

 

 

and reload the page; the page says All fields are required when I have not clicked Create Account (I want that message to appear if somebody has not filled out the required fields and clicked Create Account), also for some reason when I put two passwords that are not the same it should say: Passwords must match

 

Also I have been looking at some PHP books and there seems to be PHP tags in the html like:

 

  <form action="register.php" method="POST">

    Business Name:

    <input type="text" name="businessname" value="<?php echo "$businessname"; ?>">

    <p> Username:

      <input type="text" name="username" value"<?php echo "$username"; ?>">

 

Any help on identifying the issues on this script would be appreciated

 

[MMDE]

Please use the code tags when you post code.

Thank you!

[krash11554]

Srry about the wrong answer.

and its saying the two passwords match bc the value dosent have an = sign.

<input type="text" name="username" value""> 

[krash11554]

Ah ha! the reason its not working is because you didnt name the submit button.

[Jessica]

Ah ha! the reason its not working is because you didnt name the submit button.

That is one of the problems with the script, the biggest one.

 

OP: Enable error reporting. And use code tags here.

[chunkymonkey11]

I am sorry guys, but I am honestly confused about what's wrong (newbie at it's finest). I put the = by the value, but I lost you guys at naming the submit button. How would you do that?

 

Also thanks again for responding and helping me, the other forums I went to only gave me one answer: "give up".

[Jessica]

See how all of your other form elements have a name="name goes here"? You need one on submit. Preferably it should be submit since that's what you're testing for.

if($_POST['submit'])

[chunkymonkey11]

jesirose & krash11554 you guys ROCK!! I spent soo much time trying to fix this issue that I thought of just giving up!!! Thanks for the help! This case is solved 

[Christian F.]

I've rewritten the code a bit for you, to showcase what I think you should have done. Note how I'm using functions to cut up the code, so that I have a lot more control over what gets executed and what gets output to the browser (and when).

There are also a few extra security measures in place here, which you will need before pushing the script to production. I've escaped all of the output for you, but I've left the input validation part up to you. Not to mention that you'll need to write the salt generation function as well, which I think will be a nice exercise for you.

<?php

function show_form ($business = '', $username = '', $email = '', $taxID = '') {
// Escape output to prevent HTML injection attacks.
$business = htmlspecialchars ($business);
$username = htmlspecialchars ($username);
$email = htmlspecialchars ($email);
$taxID = htmlspecialchars ($taxID);

// Build and return the completed form.
return <<<FormData
<form id="apDiv1" action="register.php" method="post">
<fieldset>
	<label for="bname">Business Name:</label>
	<input id="bname" type="text" name="businessname" value="$business">

	<label for="uname">Username:</label>
	<input id="uname" type="text" name="username" value="$username">

	<label for="passwd">Password:</label>
	<input id="passwd" type="password" name="password">

	<label for="passrp">Re-Enter Password:</label>
	<input id="passrp" type="password" name="password1">

	<label for="email">Email:</label>
	<input id="email" type="text" name="email" value="$email">

	<label for="ftid">Federal Tax ID:</label>
	<input id="ftid" type="text" name="taxnumber" value="$taxID">
</fieldset>
<fieldset class="buttons">
	<input type="submit" value="Create Account">
</fieldset>
</form>

FormData;
}

function parse_form () {
// TODO: Validate input.
$businessname = $_POST['businessname'];
$username = $_POST['username'];
$password = $_POST['password'];
$password1 = $_POST['password1'];
$email = $_POST['email'];
$taxnumber = $_POST['taxnumber'];

// Define an array to hold any potential error messages.
$error = array ();

if (!$businessname || !$username || !$password || !$password1 || !$email || !$taxnumber) {
	$error[] = "All fields are required";
}

if (strlen ($businessname) > 40) {
	$error[] = "Your Business Name is too long.";
}

if (strlen ($username) > 15) {
	$error[] = "Your username is too long.";
}

// NEVER set a maximum length on passwords! Especially not when you hash it.
if (strlen ($password) < 6) {
	$error[] = "Your password must be minimum 6 characters long.";
}

if ($password != $password1) {
	$error[] = "Passwords must match.";
}

// Has there been any errors inthe validation?
if (!empty ($error)) {
	// Generate list of faults, and show the form again.
	$output = '<p>'.implode ("<br>\n", $error)."</p>\n";
	return $output.show_form ($business, $username, $email, $taxnumber);
}

// Generate a new 16-char long salt for the user, to use when hashing the password.
// TODO: Add gen_salt () yourself.
$salt = '$5$'.gen_salt ();

// Hash the password, '$5$' at the start of the salt signals that it should be hashed with SHA256.
$pwHash = crypt ($password, $salt);

// Connect to the database, using MySQLi.
$db = new mysqli ("127.0.0.1", "root", "", "test_database") or die ("Couldnt connect to database");

// Build the query. Using sprintf () and real_escape_string () to prevent SQL injections.
$query = "INSERT INTO member VALUES ('','%s','%s','%s','%s','%s', %s)";
$query = sprintf ($query, $db->real_escape_string ($businessname), $db->real_escape_string ($username),
				$db->real_escape_string ($pwHash), $db->real_escape_string ($salt),
				$db->real_escape_string ($email), $db->real_escape_string ($taxnumber));

// Execute the query, and check for errors.
if (!$db->query ($query)) {
	die ('Failed to save data');
}

// Send user to confirmation page.
header ("Location: ?reg=ok");
die ();
}

/**
* This code below is executed upon page load, and determines what
* the user has done prior to opening this page.
*/
$regForm = '';

// Determine what actions to take.
if ($_POST['submit']) {
// User has submitted data, check it and capture any returning output in case of errors.
$regForm .= parse_form ();
} elseif (isset ($_GET['reg']) && $_GET['reg'] == 'ok') {
// Form was submitted sucessfully.
$regForm .= "<p>Registration Complete! <a href='index.html'>Click here to login</a></p>";
} else {
// No content submitted, show the form without any content.
$regForm .= show_form ();
}

 

Now all you need to do, is to echo $regForm where you want the form, and/or the messages related to it.