How to stop people using symbols in username field

[farkewie]

Hey i have a small site where my friends login and can register. it all works fine has been for ages but i have just had a few people make usernames using the "&" symbol, for somereason i cant actvate the account delete it or anything i have to go in to php myadmin and change there username to something without the "&" in it.


so i have 2 questions..

1) why does it become "locked" when "&" is in it?

2) what do i need to add to the code below to check for it before it makes it past the registration proccess?


here is the code which handles the registration form.

[code]<?
?>
<? require_once ("signupconfig.php"); ?>
<HTML>
<HEAD>
<TITLE>vSignup 2.5</TITLE>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</HEAD>

<BODY bgcolor="#FFFFFF" text="#000000">
<?
include ("auth.php");
$connection = mysql_connect($dbhost, $dbusername, $dbpassword);
$db = mysql_select_db($dbname);

    // EDIT THIS IF YOU MODIFIED THE SIGNUP PAGE OR
    // IF YOU ARE USING YOUR OWN SIGNUP FORM
    // We  use the addslashes() function on some variables to prevent SQL Injection
    $username = addslashes($_POST['username']);
    $password = $_POST['password'];
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $email = addslashes($_POST['email']);
    $country = $_POST['country'];
    $zipcode = $_POST['zipcode'];

// SIGNUP SETTINGS
$qSetup = mysql_query("SELECT * FROM signupsetup");
$SetupRow = mysql_fetch_array($qSetup);
$ValidEmailDomains = $SetupRow['validemail'];
$profile = $SetupRow['profile'];
$defaultgroup = $SetupRow['defaultgroup'];
$defaultlevel = $SetupRow['defaultlevel'];
$AutoApprove = $SetupRow['autoapprove'];
$AutoSend = $SetupRow['autosend'];
$AutoSendAdmin = $SetupRow['autosendadmin'];

// EMAILER SETTINGS
$qEmailer = mysql_query("SELECT * FROM emailer WHERE profile='$profile'");
$EmailerRow = mysql_fetch_array($qEmailer);
$EmailerName = $EmailerRow["name"];
$EmailerFrom = $EmailerRow["email"];
$EmailerSubject = $EmailerRow["subject"];
$EmailerMessage = $EmailerRow["emailmessage"];

// SIGNUP FORM PROCESSING
$EmailQuery = mysql_query("SELECT * FROM signup WHERE email='$email'");
$email = strtolower($email);
$EmailExist = mysql_num_rows($EmailQuery); // Returns 0 if not yet existing
$username = strtolower($username);
$UsernameQuery = mysql_query ("SELECT * FROM signup WHERE uname='$username'");
$UsernameExist = mysql_num_rows($UsernameQuery);

if (trim($ValidEmailDomains)=="")
{
$EmailArray = "";
}
else
{
$EmailArray = split (" ", $ValidEmailDomains);
}

// Generate confirmation key for settings which require one
$confirmkey =  md5(uniqid(rand()));

// CHECK FOR RESERVED USERNAMES
if (trim($username)=='sa' || trim($username)=='admin' || trim($username)=='test')
{
$UsernameExist = 1;
}

// CHECK FOR REQUIRED FIELDS
if (empty($username))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Username field cannot be left blank!</b></font></p>";
exit;
}
if (empty($password))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Password field cannot be left blank!</b></font></p>";
exit;
}
if (empty($fname))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>First Name field cannot be left blank!</b></font></p>";
exit;
}
if (empty($lname))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Last Name field cannot be left blank!</b></font></p>";
exit;
}
if (empty($email))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Email field cannot be left blank!</b></font></p>";
exit;
}
if (empty($country))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Tell me where i know you from!!</b></font></p>";
exit;
}
// Validate Email Address String
  $good = ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.
              '@'.
              '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
              '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$',
              $email);
if (!$good)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Email field has invalid characters!</b></font></p>";
exit;
}



// Validate Email Address String - FOR VALID EMAIL DOMAINS
$found=false;
if ($EmailArray!="")
{
for ($ct=0;$ct<=sizeof($EmailArray)-1;$ct++)
{
if (eregi($EmailArray[$ct], $email))
{
$ct=sizeof($EmailArray);
$found=true;
}
else
{
$found=false;
}
}
}
else
{
$found = true;
}
if (!$found)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Email address does not belong to the list of allowable email domains!</b></font></p>";
exit;
}

// Make sure username does not yet exist in the db
if ($UsernameExist>0)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Username already exists in the database!</b></font></p>";
exit;
}

// Make sure email address does not yet exist in the db
if ($EmailExist>0)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Email address already exists in the database!</b></font></p>";
exit;
}

// *********************************************************
// CHANGE THIS IF YOU WANT TO ADD FIELDS TO YOUR SIGNUP FORM
// *********************************************************
// Add new member to table signup
$addmember = mysql_query("INSERT INTO signup VALUES ('','$username','$fname','$lname','$email','$country','$zipcode',NOW(),'$confirmkey')");

// If SUCCESSFUL, add to vAuthenticate tables too
if ($addmember)
{
// Is the member auto-approved or not?
if ($AutoApprove==1)
{
$MemberStatus = "active";
}
else
{
$MemberStatus = "inactive";
}

$AddToAuth = new auth();
$add = $AddToAuth->add_user($username,$password,$defaultgroup,$defaultlevel,$MemberStatus,'', 0);
}

// Do we automatically send email notification to member or not?
if ($AutoSend == 1)
{
// if successful in adding to vAuthenticate, send confirmation email
if ($add==1)
{
// Replace all occurrences of the keys
// AVAILABLE KEYS: [[UNAME]], [[LNAME]], [[FNAME]], [[PASSWD]], [[EMAIL]], [[CONFIRM]]
$EmailerMessage = str_replace("[[UNAME]]", $username, $EmailerMessage);
$EmailerMessage = str_replace("[[PASSWD]]", $password, $EmailerMessage);
$EmailerMessage = str_replace("[[FNAME]]", $fname, $EmailerMessage);
$EmailerMessage = str_replace("[[LNAME]]", $lname, $EmailerMessage);
$EmailerMessage = str_replace("[[EMAIL]]", $email, $EmailerMessage);
$EmailerMessage = str_replace("[[CONFIRM]]", $confirm . '?confirmkey=' . $confirmkey, $EmailerMessage);

$sent = @mail($email, $EmailerSubject, $EmailerMessage, "From:$EmailerName<$EmailerFrom>\nReply-to:$EmailerFrom");
// $sent = @mail($email, $EmailerSubject, $EmailerMessage, "From:$EmailerName<$EmailerFrom>\nReply-to:$EmailerFrom\nContent-Type: text/html; charset=iso-8859-15");
}
}
// echo $EmailerMessage; // DEBUGGER

// Do we automatically send notification message to the admin's email address (see signupconfig.php)?
if ($AutoSendAdmin == 1)
{
if ($add==1)
{
$AdminSubject = "New Membership Application!";
$AdminMessage = "This is to inform you that " . $fname . " with the username " . $username . " has applied for membership to our site. ypu  know them from -------------- " .$country. "******************  you can reply to " . $email . " click here to activate " . $$confirm . " "  . $confirmkey . "    [[CONFIRM]]";
$sent = @mail($adminemail, $AdminSubject, $AdminMessage, "From:$EmailerName<$EmailerFrom>\nReply-to:$EmailerFrom");
}
}
?>

<P><FONT size="3" face="Verdana, Arial, Helvetica, sans-serif" color="#FF0000"><B>Thank
  you for signing up!</B></FONT></P>

<P>
  <?
if ($AutoSend == 1)
{
print "<p><font size=\"2\" face=\"Verdana, Arial, Helvetica, sans-serif\">";
print "A confirmation email was sent to the email address you specified. <br>";
print "Please confirm your membership as soon as you receive the email.";
  print "</font></p>";
}
else
{
print "<p><font size=\"2\" face=\"Verdana, Arial, Helvetica, sans-serif\">";
print "Please click <a href=\"$RelLogin\">here</a> to go back to the login area";
  print "</font></p>";
}
?>
</P>
<P>Click <STRONG><A href="login.php">here</A></STRONG> to login </P>
<P>Or you can piss off!!</P>
<FORM method="get" action="http://www.google.com/custom">
  <TABLE bgcolor="#FFFFFF" cellspacing="0" cellpadding="0" border="0">
    <TR>
      <TD><A href="http://www.google.com/custom/"><IMG src="http://www.google.com/logos/Logo_40wht.gif" border="0" alt="Google" align="absmiddle"></A></TD>
      <TD><INPUT type="text" name="q" size="25" maxlength="255" value="">
          <INPUT type="submit" name="btnG" value="Google Search">
          <INPUT type="hidden" name="cof" value="L:/public_html/FLASH/logo.swf;AH:center;GL:2;BGC:#000000;BIMG:www.tyspics.com;T:#FF0000;GALT:#CCFF33;GIMP:#FF00FF;GFNT:#339900;LC:#FF00CC;ALC:#CC6600;VLC:#00FF00;">
      </TD>
    </TR>
  </TABLE>
</FORM>
<P>&nbsp; </P>
</BODY>
</HTML>
[/code]


i tried to add this code but it kept saying i had invalid characters in it no matter what i put in

[code] // Validate username Address String
  $good = ereg('&+/',

               $username);
if (!$good)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Username field has invalid characters!</b></font></p>";
exit;
}[/code]


thanksin advance for any help..


[tt]cheers[/tt]

[HuggieBear]

Try this code:

[code=php:0]if (!preg_match("/[a-z0-9]/i", $username){
  print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Username field has invalid characters!</b></font></p>";
  exit;
}[/code]

This should allow only numbers and letters, if you want a few additional characters, like underscore(_) period(.) or hyphen(-) then this needs to be altered slightly.

Regards
Huggie