qubit Posted July 28, 2013

Here is the .php:

```php
<?php
include 'config.php';

$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$ip = $_SERVER['REMOTE_ADDR'];

$res = mysql_num_rows(mysql_query("SELECT * FROM users WHERE username = '$username'"));

if(strlen($username < 4)) {
    echo "Error 5215: Username contains less than 4 characters. ";
}
if(strlen($password < 4 )) {
    echo "Error 5215-1: Password contains less than 4 characters. ";
}
if(strlen($email < 4)) {
    echo "Error 5215-2: Email contains less than 4 characters. ";
}
if($res == 1) {
    echo "Error 21663: Username already exists in database. ";
} else {
    mysql_query("INSERT INTO users (username, password, email) VALUES ('$username', '$password', '$email')");
    echo "Success! Redirecting....";
    header("refresh:5;url=login.html");
}
?>
```

The problem here is, I registered fine but then it shows all the errors at once and then it adds it anyways. I tried less than 4 and it still added it in the database. I also tried more than 4 and then it showed all the < 4 errors. What do I do?

jazzman1 Posted July 28, 2013

Use exit() or die() after every error. For instance:

```php
// strlen() takes only the variable; the comparison goes outside the call
if(strlen($username) < 4) {
    echo "Error 5215: Username contains less than 4 characters. ";
    exit;
}
```

Psycho Posted July 28, 2013

> Use exit() or die() after every error. For instance:
>
> ```php
> if(strlen($username) < 4) {
>     echo "Error 5215: Username contains less than 4 characters. ";
>     exit;
> }
> ```

I have to disagree with that. That makes it difficult to gracefully handle errors and can result in invalid output. Also, it makes it so execution stops on the first error encountered instead of telling the user all the errors that need to be resolved.

A better approach, IMHO, is to perform all the necessary validations and use a flag or some other process to make a determination as to whether or not to process the results or to show the errors. Also, no need to run the query to check if the username is a duplicate if it doesn't meet the format test.

There are other problems as well. For example, you can't send content to the page and then do a header(). Also, you are not escaping your input for use in queries. And, the password is not being hashed. I didn't fix all the problems below.

```php
<?php
include 'config.php';

//Preprocess input
$username = isset($_POST['username']) ? trim($_POST['username']) : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$email = isset($_POST['email']) ? trim($_POST['email']) : '';
$ip = $_SERVER['REMOTE_ADDR'];

//Create array to hold the errors
$errors = array();

//strlen() takes only the variable; the comparison goes outside the call
if(strlen($username) < 4) {
    $errors[] = "Error 5215: Username contains less than 4 characters.";
} else {
    //Only run the duplicate check when the username passes the format test
    $usernameSqlSafe = mysql_real_escape_string($username);
    $sql = "SELECT username FROM users WHERE username = '$usernameSqlSafe'";
    $res = mysql_query($sql);
    if(mysql_num_rows($res)) {
        $errors[] = "Error 21663: Username already exists in database.";
    }
}

if(strlen($password) < 4) {
    $errors[] = "Error 5215-1: Password contains less than 4 characters.";
}

if(strlen($email) < 4) {
    $errors[] = "Error 5215-2: Email contains less than 4 characters.";
}

if(count($errors)) {
    //Show every validation error and skip the insert
    echo "The following error(s) occurred:<br><ul>\n";
    foreach($errors as $err) {
        echo "<li>{$err}</li>\n";
    }
    echo "</ul>\n";
} else {
    //Escape each value for use in the query (the password is still stored unhashed)
    $passwordSqlSafe = mysql_real_escape_string($password);
    $emailSqlSafe = mysql_real_escape_string($email);
    $sql = "INSERT INTO users (username, password, email)
            VALUES ('$usernameSqlSafe', '$passwordSqlSafe', '$emailSqlSafe')";
    mysql_query($sql);
    //Send the header before any output
    header("refresh:5;url=login.html");
    echo "Success! Redirecting....";
}
?>
```

jazzman1 Posted July 28, 2013

@psycho, I have to disagree with my reply too, but that was the first working thing that jumped to the top of my head reading that post - easy and fast. Sorry if I disappoint you.

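Psycho's post names two problems its code leaves open: input handling in the queries and the unhashed password. The following is an added example, not code from any post in this thread, that keeps the same validation rules but uses PDO prepared statements and password_hash(). The in-memory SQLite connection (standing in for config.php), the register_user() name and the sample inputs are assumptions made here so that it runs on its own.

```php
<?php
// Added example, not from the thread. Assumptions: an in-memory SQLite PDO
// connection replaces the MySQL connection from config.php, and
// register_user() is a hypothetical helper name.

function register_user(PDO $db, array $post): array
{
    $username = isset($post['username']) ? trim($post['username']) : '';
    $password = isset($post['password']) ? $post['password'] : '';
    $email    = isset($post['email']) ? trim($post['email']) : '';

    $errors = array();
    if (strlen($username) < 4) {
        $errors[] = "Error 5215: Username contains less than 4 characters.";
    } else {
        // Bound parameter: the value never becomes part of the SQL text
        $stmt = $db->prepare("SELECT 1 FROM users WHERE username = ?");
        $stmt->execute(array($username));
        if ($stmt->fetchColumn() !== false) {
            $errors[] = "Error 21663: Username already exists in database.";
        }
    }
    if (strlen($password) < 4) {
        $errors[] = "Error 5215-1: Password contains less than 4 characters.";
    }
    if (strlen($email) < 4) {
        $errors[] = "Error 5215-2: Email contains less than 4 characters.";
    }

    if (!$errors) {
        // Store a salted hash instead of the password itself
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $db->prepare("INSERT INTO users (username, password, email) VALUES (?, ?, ?)");
        $stmt->execute(array($username, $hash, $email));
    }
    return $errors;
}

// Constructed demo data: a username containing a quote, then a repeat of it
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT UNIQUE, password TEXT, email TEXT)");

var_dump(register_user($db, array('username' => "o'brien", 'password' => 'hunter22', 'email' => 'ob@example.test')));
var_dump(register_user($db, array('username' => "o'brien", 'password' => 'abc', 'email' => 'x')));
$row = $db->query("SELECT password FROM users")->fetch(PDO::FETCH_ASSOC);
var_dump(password_verify('hunter22', $row['password'])); // login-side check against the stored hash
```

On the login side, password_verify() replaces any direct string comparison against the stored column.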