Jump to content

Variables losing values if escape_data() applied

Mr_jmm

By Mr_jmm
in PHP Coding Help

 Share

Recommended Posts

Mr_jmm Newbie

Mr_jmm

Posted
Posted

Hi all,

 

Having a problem with a registration form.

I am using the following to check correct input of fields:

<?php
// Check for a first name:
if (eregi("^[[:alpha:].' -]{1,15}$", stripslashes(trim($_POST['first_name'])))) { // IF the entered text is valid...
  $fn = escape_data($_POST['first_name']); // ... create a new variable called '$fn' and give it the value of the entered escaped first_name.
  } else { // ELSE if the first name is too short or contains invalid characters...
    $fn = FALSE; // ... create a new variable called '$fn', set it to FALSE and...
    $fn_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.
?>

 

The other checks are just as above. The problem occurs when I press the submit button, the script goes to the last ELSE statement in the script showing that tha variables $fn, $ln, $u etc. are lost. If I take out the escape_date() function then it all works ok.

$fn = $_POST[first_name];

 

Full script:

<?php
# This script contains the registration form and form checking code.
# As we want all error messages to take up just one line we set the same variable name for all error messages
# and we do not concatenate. If we want all error messages to appear seperately we can concatenate them by
# using "$error_message .= '[error message]'" note the period (.) before the "=" sign.

// - - - - - START SCRIPT - - - - - - - - - ->
if (isset($_POST['register'])) { // Handle the form.

  require_once('../xxxxxxx/mysql_connect.php'); // Connect to database. (For live site this will go within the "if(isset)...".

# The following function is used if the query was run after a user enters information into a form.
# This normally lives in the mysql_connect script but here for error checking.
// Create function for escaping and trimming form data.
function escape_data($data) { // CREATE FUNCTION
  global $dbc; // Connect to the database;
  if (ini_get('magic_quotes_gpc')) { // Check to see if magicquotes are turned on;
    $data = stripslashes($data); // If so then strip the exisitng slashes to prevent over escaping.
    } // End IF statement
  return mysql_real_escape_string($data, $dbc); // Use the mysql function to escape the text entered.
  } // END FUNCTION

$message = NULL; // Create an empty new variable for the confirmation messages.
$error_message = NULL; // Create an empty new variable for the error messages.
$highlight = 'style="border:2px solid #f00;"';

// Check for a first name:
if (eregi("^[[:alpha:].' -]{1,15}$", stripslashes(trim($_POST['first_name'])))) { // IF the entered text is valid...
  $fn = $_POST['first_name']; // ... create a new variable called '$fn' and give it the value of the entered escaped first_name.
  } else { // ELSE if the first name is too short or contains invalid characters...
    $fn = FALSE; // ... create a new variable called '$fn', set it to FALSE and...
    $fn_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

// Check for a last name:
if (eregi("^[[:alpha:].' -]{2,30}$", stripslashes(trim($_POST['last_name'])))) { // IF the entered text is valid...
  $ln = escape_data($_POST['last_name']); // ... create a new variable called '$ln' and give it the value of the (entered) escaped last_name.
  } else { // ELSE if the last name is too short or contains invalid characters...
    $ln = FALSE; // ... create a new variable called '$ln', set it to FALSE and...
    $ln_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

// Check for an email address.
if (eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z.]{2,6}$", stripslashes(trim($_POST['email'])))) { // IF the entered text is valid... [stripslashes(trim())]
  $e = escape_data($_POST['email']); // ... create a new variable called '$e' and give it the value of the entered (escaped) email address.
  } else { // ELSE if the email address is too short or contains invalid characters...
    $e = FALSE; // ... create a new variable called '$e', set it to FALSE and...
    $e_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

// Check for a username:
if (eregi("^[[:alnum:]_-]{4,20}$", stripslashes(trim($_POST['username'])))) { // IF the entered text is valid...
  $u = escape_data($_POST['username']); // ... create a new variable called '$u' and give it the value of the entered (escaped) username.
  } else { // ELSE if the username is too short or contains invalid characters...
    $u = FALSE; // ... create a new variable called '$u', set it to FALSE and...
    $u_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

// Check for a password:
if (eregi("^[[:alnum:]]{6,20}$", stripslashes(trim($_POST['password1'])))) { // IF the entered password (password1) is valid...
  // Check that the password matches the confirm password:
  if ($_POST['password1'] == $_POST['password2']) { // IF the two passwords match...
    $p = escape_data($_POST['password1']); // ...create a new variable '$p' and give it the value of the entered (escaped) password.
    } else { // ELSE if the passwords do not match...
      $p = FALSE; // ... create a new variable called '$p', set it to FALSE and...
      $p2_error_message .= 'Your passwords did not match.'; // ... set the error message.
      } // END ELSE.
  } else { // ELSE if the password is too short or contains invalid characters...
    $p = FALSE; // ... create a new variable called '$p', set it to FALSE and...
    $p1_error_message .= 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

if ($fn && $ln && $e && $u && $p) { // If everythings OK...
  // Check to see if the username is available:
  $query = "SELECT user_id FROM xxxxxx WHERE username='$u'"; // Select the user from the database...
  $result = @mysql_query ($query); // ...and run the query.
  if (mysql_num_rows($result) == 0) { // Then, if the query doesn't return a result (the username doesn't already exist)...
    // Continue to register the new user:
    $query = "INSERT xxxxxx (username, first_name, last_name, email, password, registration_date) VALUES ('$u', '$fn', '$ln', '$e', '" .md5($p). "', NOW() )"; // Make the query.
    $result = @mysql_query ($query); // Run the query.
    if ($result) { // IF the query ran ok...
      include ('registered.inc.php'); // Confirmation screen.
      exit(); // Quit the script.
  } else { // ELSE if the query did not run ok...
  $message = 'You could not be registered due to a system error. We apologise for any inconvenience.<p>MySQL ERROR: ' . mysql_error() . '</p>';
  } // END ELSE.
} else { // ELSE if the query shows a result (the username already exists)...
  $message = 'That username is already taken. Please choose a different one.'; // 
  mysql_close(); // Close the connection to the database.
  } // END
  mysql_close(); // Close the database connection.
} else { // ELSE if there was a problem with the form...
  $message = 'Please try again.'; // ... add this additional message.
  mysql_close(); // Close the database connection.
  } // END ELSE.

} // End of the main Submit conditional.

// Handle any messages ($message):
if (isset($message)) {// If there is an error message (if $message has a value)...
echo '<font color="red">' .$message .'</font>'; // ... print it in red.
}
?>
<!-- START FORM WRAPPER (this ensures form is correctly placed) -->
<div style="float:left;">
<!-- START REGISTER USER FORM -->
<form action="<?php echo $_SERVER[REQUEST_URI]; ?>" method="post">
<fieldset><legend> Enter user info: </legend>
<br />
<p><b>First Name:</b> <input type="text" name="first_name" size="15" maxlength="15" <?php if ($fn_error_message) echo $highlight; ?> value="<?php if (isset($_POST['first_name'])) echo stripslashes($_POST['first_name']); ?>" /> <?php if ($fn_error_message) echo '<span class="errors">' .$fn_error_message .'</span>'; ?></p>
<br />
<p><b>Last Name:</b> <input type="text" name="last_name" size="30" maxlength="30" <?php if ($ln_error_message) echo $highlight; ?> value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /> <?php if ($ln_error_message) echo '<span class="errors">' .$ln_error_message .'</span>'; ?></p>
<br />
<p><b>Email address:</b> <input type="text" name="email" size="30" maxlength="40" <?php if ($e_error_message) echo $highlight; ?> value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /> <?php if ($e_error_message) echo '<span class="errors">' .$e_error_message .'</span>'; ?></p>
<br />
<p><b>User Name:</b> <input type="text" name="username" size="20" maxlength="20" <?php if ($u_error_message) echo $highlight; ?> value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <?php if ($u_error_message) echo '<span class="errors">' .$u_error_message .'</span>'; ?></p>
<p class="style3">4 - 20 characters and must only contain letters, numbers, underscore (_) and dash (-).</p>
<br />
<p><b>Password:</b> <input type="password" name="password1" size="20" maxlength="20" <?php if (($p1_error_message) || ($p2_error_message)) echo $highlight; ?> /> <?php if ($p1_error_message) echo '<span class="errors">' .$p1_error_message .'</span>'; ?></p>
<p class="style3">6 - 20 characters and must only contain letters and numbers. We don't recommend using real words.</p>
<br />
<p><b>Confirm Password:</b> <input type="password" name="password2" size="20" maxlength="20" <?php if (($p1_error_message) || ($p2_error_message)) echo $highlight; ?> /> <?php if (($p1_error_messsage) || ($p2_error_message)) echo '<span class="errors">' .$p2_error_message .'</span>'; ?></p>
<p class="style3">The password confirmation is an added safety measure. Passwords must match.</p>
<br>
<div align="center"><input type="submit" name="register" value="Register" /></div>
</fieldset>
</form>
<!-- END FORM -->
<?php echo $p; ?>
</div>
<!-- END FORM WRAPPER -->

 

I know the password should be salted etc. but I try to startsimple then build on scripts.

 

All advice greatly appreciated.

 

Many thanks.

 

James.

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

If your database connection fails, the mysql_real_escape_string() function will fail and return a FALSE value. Posting mysql_connect.php without your connection details would help.

 

Check your web server log for errors and/or turn on full php error reporting to get php to help you find out what might be happening in your code.

Mr_jmm Newbie

Mr_jmm

Posted
  • Author
Posted

Database connection is fine. Like I did point out, if I remove the escape_data() function then it all works.

 

As you asked though:

<?php
# ################################################################################################# #
# This file contains the database access info.											
# This file also establishes a connection to MySQL and selects the database.						
# This file contains important information such as passwords and usernames and MUST be kept secure.	
# It is recommended to have this file placed above the root.									
# If it is not possble to place above root, place file in a .htaccess / .htpasswd protected folder.
# Additionally, the folder should be made invisable to robots and access denied rules created.
# ################################################################################################# #

/* - - - - - - - - - - START - - - - - - - - - - */

// Set the database access information as constants.
define ('DB_USER', 'xxxxxx'); // Define the username required to access the database
define ('DB_PASSWORD', 'xxxxxx'); // Define the password to required access the database
define ('DB_HOST', 'xxxxxx'); // Define the database host name
define ('DB_NAME', 'xxxxxx'); // Define the name of the database.


// Make the connection and then select the database.
if ($dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD)) {
if (!mysql_select_db (DB_NAME)) {
	my_error_handler(mysql_errno(), 'Could not select the database: ' .mysql_error());
	echo '<p style="color:#f00;">The site is currently experiencing technical difficulties. We apologise for any inconvenience.</p>';
	exit();
	}
} else {
	my_error_handler(mysql_errno(), 'Could not connect to the database: ' .mysql_error());
	echo '<p style="color:#f00;">The site is currently experiencing technical difficulties. We apologise for any inconvenience.</p>';
	exit();
	}
/* TEMPORARILY COMMENTED OUT
# The following function is used if the query was run after a user enters information into a form.
// Create function for escaping and trimming form data.
function escape_data($data) { // CREATE FUNCTION
global $dbc; // Connect to the database;
if (ini_get('magic_quotes_gpc')) { // Check to see if magicquotes are turned on;
	$data = stripslashes($data); // If so then strip the exisitng slashes to prevent over-run.
	} // End IF statement
return mysql_real_escape_string($data, $dbc); // Use the mysql function to escape the text entered.
} // END FUNCTION
*/
/* - - - - - - - - - - FINISH - - - - - - - - - - */
?>

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.