Jump to content

Server side validation problem

StevenJacobs

By StevenJacobs
in PHP Coding Help

 Share

Recommended Posts

jazzman1 Member

jazzman1

Posted
Posted (edited)

Change:

$check_email = sprintf("SELECT `EMAIL` FROM `subscribers` WHERE `EMAIL` = '%s'", GetSQLValueString($_POST['email'], "text"));

to

$check_email = sprintf("SELECT `EMAIL` FROM `subscribers` WHERE `EMAIL` = %s", GetSQLValueString($_POST['email'], "text"));

and

$insertSQL = sprintf("INSERT INTO subscribers (`EMAIL`) VALUES ('%s')", GetSQLValueString($_POST['email'], "text"))

to

$insertSQL = sprintf("INSERT INTO subscribers (`ID`,`EMAIL`) VALUES (NULL, %s)", GetSQLValueString($_POST['email'], "text"))

 

Make sure that ID is capital letters

Edited by jazzman1
StevenJacobs Newbie

StevenJacobs

Posted
  • Author
Posted (edited)

Still no luck, didnt change anything..

 

just saw your edit a few replys ago. not sure what you mean by what action im getting.

but after i hit submit, its going to a blank page with the following error:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'art.stevenacobs@yahoo.com'')' at line 1

Edited by StevenJacobs
jazzman1 Member

jazzman1

Posted
Posted (edited)

Just comment a Select statement for a minute:

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {

 mysql_select_db($database_subscribers, $subscribers);

 /*
 $check_email = sprintf("SELECT `EMAIL` FROM `subscribers` WHERE `EMAIL` = %s", GetSQLValueString($_POST['email'], "text"));

 $result = mysql_query($check_email, $subscribers) or die(mysql_error());

 if(mysql_num_rows($result) > 0) {

	 echo 'Sorry, but this email has beed already taken';

	 return false;

 }
 */

   $insertSQL = sprintf("INSERT INTO subscribers (`ID`,`EMAIL`) VALUES (NULL, %s)", GetSQLValueString($_POST['email'], "text"));


 $Result1 = mysql_query($insertSQL, $subscribers) or die(mysql_error());
}

Edited by jazzman1
Love2c0de Regular Member

Love2c0de

Posted
Posted

ok well when i comment that section it stops giving any errors.

 

it also enters valid emails into the database now, but back to the problem, it allows same emails to keep being entered.

 

Change your email field in your database to be unique. By doing this, if you someone tries to enter an email address which is already in the table, it will return either -1 or 0 for mysql_num_rows(), in which you know it didnt get inserted so you can show an error saying it's already in use.

 

Regards,

 

L2c.

jazzman1 Member

jazzman1

Posted
Posted

Hm.....it's weird :confused:

 

Could you echo $check_email before to send a string to database?

 

$check_email = sprintf("SELECT `EMAIL` FROM `subscribers` WHERE `EMAIL` = %s", GetSQLValueString($_POST['email'], "text"));

echo $check_email; exit;

etc......

StevenJacobs Newbie

StevenJacobs

Posted
  • Author
Posted (edited)

Change your email field in your database to be unique. By doing this, if you someone tries to enter an email address which is already in the table, it will return either -1 or 0 for mysql_num_rows(), in which you know it didnt get inserted so you can show an error saying it's already in use.

 

Regards,

 

L2c.

 

 

awesome! that worked!.. lol i feel so stupid, that was very simple..

 

one question tho, how do i change the message that comes up?

its saying:

 

Duplicate entry 'art.stevenacobs@yahoo.com' for key 'EMAIL'

 

 

Thank everybody again for all the help, i really appreciate it!

Edited by StevenJacobs
Love2c0de Regular Member

Love2c0de

Posted
Posted (edited)

Can you post your updated code?

 

I remember getting that error but I think it was only when I was printing $stmt which is an array.

 

Rather than doing this:

$Result1 = mysql_query($insertSQL,$subscribers) or die(mysql_error());

 

do this:

$Result1 = mysql_query($insertSQL,$subscribers);

$rows = mysql_num_rows($Result1);

if(!$rows)
{
 echo "Username and/or password already in use.";
}
else
{
echo "You have successfully registered.";
}

 

If it failed, it returns false. If it is then send an error, if its anything else, it inserted ok. Note if it returns the number of rows, for instance 1 or above, the if statement will interpret that as being TRUE. Just like FALSE can be associated with 0 or -1 in some cases, at least in JS.

 

Edit: try putting just the $Result1 in the if statement as well and coment out the num_rows and see what you get.

 

Regards,

 

l2c

Edited by Love2c0de
StevenJacobs Newbie

StevenJacobs

Posted
  • Author
Posted (edited)

yeah no problem.. i used one of the first codes that jazzman gave me. and its working like a charm now.

 

<?php
include ('Connections/subscribers.php');
date_default_timezone_set('America/Chicago');



if (isset($_POST['Submit'])) {


if ($_POST['email'] != "") {
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$errors = "$email is <strong>NOT</strong> a valid email address.<br/><br/>";
}
} else {
$errors .= 'Please enter your email address.<br/>';
}

if (isset($errors)) {
echo '<div style="color: red">' . $errors . '<br/></div>';
return false;
}



if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") {
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}


$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);


switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
if (isset($_SERVER['QUERY_STRING'])) {
$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
$insertSQL = sprintf("INSERT INTO subscribers (EMAIL) VALUES (%s)", GetSQLValueString($_POST['email'], "text"));


mysql_select_db($database_subscribers, $subscribers);
$Result1 = mysql_query($insertSQL, $subscribers) or die(mysql_error());
}
} else { ?>




<form action="<?php echo $_SERVER['PHP_SELF']; ?>" name="form1" method="POST">
Email Address: <br/>
<input type="text" name="email" value="<?php echo $_POST['email']; ?>" size="50"/> <br/><br/>
<input type="submit" name="Submit" />
<input type="hidden" name="MM_insert" value="form1" />
</form>
<?php } ?>

Edited by StevenJacobs
Love2c0de Regular Member

Love2c0de

Posted
Posted (edited)

See my post above, I think it should get rid of your error message when the email is invalid.

 

Edit: sorry you should be using mysql_affected_rows() with an INSERT query.

 

Regards,

 

L2c

Edited by Love2c0de
StevenJacobs Newbie

StevenJacobs

Posted
  • Author
Posted (edited)

See my post above, I think it should get rid of your error message when the email is invalid.

 

Regards,

 

L2c

 

 

yea i just tried it, unless if im doing something wrong it is not working.

 

Its now giving this error if i type in a new email or a email already in the database.

 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/steven/public_html/testing.php on line 63

Username and/or password already in use.

 

Line 63 would be this part of the code you gave me:

 

$rows = mysql_num_rows($Result1);

Edited by StevenJacobs
StevenJacobs Newbie

StevenJacobs

Posted
  • Author
Posted (edited)

See my post above, I think it should get rid of your error message when the email is invalid.

 

Edit: sorry you should be using mysql_affected_rows() with an INSERT query.

 

Regards,

 

L2c

 

 

Nevermind! i solved it buy doing what you said in your edit, heres what worked:

 

 

$Result1 = mysql_query($insertSQL,$subscribers);


$insert = mysql_affected_rows();


if(!$Result1)
{
echo "Username and/or password already in use.";
}
else
{
echo "You have successfully registered.";
}

 

Its working perfectly now!

Again thank you everybody! i cant thank you enough for all the help!

Edited by StevenJacobs
StevenJacobs Newbie

StevenJacobs

Posted
  • Author
Posted (edited)

@StevenJacobs, you're going to other direction!

 

Could you give me a result back of my reply #35?

 

sure.

 

well i used ur original code matched with love2code and its working nice.

if i add the section you gave me with the echo it doesnt work, but this is what it gives me:

 

SELECT `EMAIL` FROM `subscribers` WHERE `EMAIL` = ''art.stevenjacobs@yahoo.com''

Edited by StevenJacobs
jazzman1 Member

jazzman1

Posted
Posted (edited)

No, rid single quotes off '%s'.

 

Try that one and give me a result back:

 

$check_email = sprintf("SELECT `EMAIL` FROM `subscribers` WHERE `EMAIL` = %s", GetSQLValueString($_POST['email'], "text"));

echo $check_email; exit;

 

EDIT: That one has a correct sql syntax - SELECT `EMAIL` FROM `subscribers` WHERE `EMAIL` = ''art.stevenjacobs@yahoo.com''

 

Why do you get a Sql Syntax Error Message?

Edited by jazzman1
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.