
Variables losing values if escape_data() applied


Mr_jmm


Hi all,

 

Having a problem with a registration form.

I am using the following to check correct input of fields:

<?php
// Check for a first name:
if (eregi("^[[:alpha:].' -]{1,15}$", stripslashes(trim($_POST['first_name'])))) { // IF the entered text is valid...
  $fn = escape_data($_POST['first_name']); // ... create a new variable called '$fn' and give it the value of the entered escaped first_name.
  } else { // ELSE if the first name is too short or contains invalid characters...
    $fn = FALSE; // ... create a new variable called '$fn', set it to FALSE and...
    $fn_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.
?>

 

The other checks are just as above. The problem occurs when I press the submit button, the script goes to the last ELSE statement in the script showing that the variables $fn, $ln, $u etc. are lost. If I take out the escape_data() function then it all works ok.

$fn = $_POST['first_name'];

 

Full script:

<?php
# This script contains the registration form and form checking code.
# As we want all error messages to take up just one line we set the same variable name for all error messages
# and we do not concatenate. If we want all error messages to appear separately we can concatenate them by
# using "$error_message .= '[error message]'" note the period (.) before the "=" sign.

// - - - - - START SCRIPT - - - - - - - - - ->
if (isset($_POST['register'])) { // Handle the form.

  require_once('../xxxxxxx/mysql_connect.php'); // Connect to database. (For live site this will go within the "if(isset)...".

# The following function is used if the query was run after a user enters information into a form.
# This normally lives in the mysql_connect script but here for error checking.
// Create function for escaping and trimming form data.
function escape_data($data) { // CREATE FUNCTION
  global $dbc; // Connect to the database;
  if (ini_get('magic_quotes_gpc')) { // Check to see if magicquotes are turned on;
    $data = stripslashes($data); // If so then strip the existing slashes to prevent over escaping.
    } // End IF statement
  return mysql_real_escape_string($data, $dbc); // Use the mysql function to escape the text entered.
  } // END FUNCTION

$message = NULL; // Create an empty new variable for the confirmation messages.
$error_message = NULL; // Create an empty new variable for the error messages.
$highlight = 'style="border:2px solid #f00;"';

// Check for a first name:
if (eregi("^[[:alpha:].' -]{1,15}$", stripslashes(trim($_POST['first_name'])))) { // IF the entered text is valid...
  $fn = $_POST['first_name']; // ... create a new variable called '$fn' and give it the value of the entered escaped first_name.
  } else { // ELSE if the first name is too short or contains invalid characters...
    $fn = FALSE; // ... create a new variable called '$fn', set it to FALSE and...
    $fn_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

// Check for a last name:
if (eregi("^[[:alpha:].' -]{2,30}$", stripslashes(trim($_POST['last_name'])))) { // IF the entered text is valid...
  $ln = escape_data($_POST['last_name']); // ... create a new variable called '$ln' and give it the value of the (entered) escaped last_name.
  } else { // ELSE if the last name is too short or contains invalid characters...
    $ln = FALSE; // ... create a new variable called '$ln', set it to FALSE and...
    $ln_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

// Check for an email address.
if (eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z.]{2,6}$", stripslashes(trim($_POST['email'])))) { // IF the entered text is valid... [stripslashes(trim())]
  $e = escape_data($_POST['email']); // ... create a new variable called '$e' and give it the value of the entered (escaped) email address.
  } else { // ELSE if the email address is too short or contains invalid characters...
    $e = FALSE; // ... create a new variable called '$e', set it to FALSE and...
    $e_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

// Check for a username:
if (eregi("^[[:alnum:]_-]{4,20}$", stripslashes(trim($_POST['username'])))) { // IF the entered text is valid...
  $u = escape_data($_POST['username']); // ... create a new variable called '$u' and give it the value of the entered (escaped) username.
  } else { // ELSE if the username is too short or contains invalid characters...
    $u = FALSE; // ... create a new variable called '$u', set it to FALSE and...
    $u_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

// Check for a password:
if (eregi("^[[:alnum:]]{6,20}$", stripslashes(trim($_POST['password1'])))) { // IF the entered password (password1) is valid...
  // Check that the password matches the confirm password:
  if ($_POST['password1'] == $_POST['password2']) { // IF the two passwords match...
    $p = escape_data($_POST['password1']); // ...create a new variable '$p' and give it the value of the entered (escaped) password.
    } else { // ELSE if the passwords do not match...
      $p = FALSE; // ... create a new variable called '$p', set it to FALSE and...
      $p2_error_message .= 'Your passwords did not match.'; // ... set the error message.
      } // END ELSE.
  } else { // ELSE if the password is too short or contains invalid characters...
    $p = FALSE; // ... create a new variable called '$p', set it to FALSE and...
    $p1_error_message .= 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

if ($fn && $ln && $e && $u && $p) { // If everything's OK...
  // Check to see if the username is available:
  $query = "SELECT user_id FROM xxxxxx WHERE username='$u'"; // Select the user from the database...
  $result = @mysql_query ($query); // ...and run the query.
  if (mysql_num_rows($result) == 0) { // Then, if the query doesn't return a result (the username doesn't already exist)...
    // Continue to register the new user:
    $query = "INSERT xxxxxx (username, first_name, last_name, email, password, registration_date) VALUES ('$u', '$fn', '$ln', '$e', '" .md5($p). "', NOW() )"; // Make the query.
    $result = @mysql_query ($query); // Run the query.
    if ($result) { // IF the query ran ok...
      include ('registered.inc.php'); // Confirmation screen.
      exit(); // Quit the script.
  } else { // ELSE if the query did not run ok...
  $message = 'You could not be registered due to a system error. We apologise for any inconvenience.<p>MySQL ERROR: ' . mysql_error() . '</p>';
  } // END ELSE.
} else { // ELSE if the query shows a result (the username already exists)...
  $message = 'That username is already taken. Please choose a different one.'; // 
  mysql_close(); // Close the connection to the database.
  } // END
  mysql_close(); // Close the database connection.
} else { // ELSE if there was a problem with the form...
  $message = 'Please try again.'; // ... add this additional message.
  mysql_close(); // Close the database connection.
  } // END ELSE.

} // End of the main Submit conditional.

// Handle any messages ($message):
if (isset($message)) {// If there is an error message (if $message has a value)...
echo '<font color="red">' .$message .'</font>'; // ... print it in red.
}
?>
<!-- START FORM WRAPPER (this ensures form is correctly placed) -->
<div style="float:left;">
<!-- START REGISTER USER FORM -->
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post">
<fieldset><legend> Enter user info: </legend>
<br />
<p><b>First Name:</b> <input type="text" name="first_name" size="15" maxlength="15" <?php if ($fn_error_message) echo $highlight; ?> value="<?php if (isset($_POST['first_name'])) echo stripslashes($_POST['first_name']); ?>" /> <?php if ($fn_error_message) echo '<span class="errors">' .$fn_error_message .'</span>'; ?></p>
<br />
<p><b>Last Name:</b> <input type="text" name="last_name" size="30" maxlength="30" <?php if ($ln_error_message) echo $highlight; ?> value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /> <?php if ($ln_error_message) echo '<span class="errors">' .$ln_error_message .'</span>'; ?></p>
<br />
<p><b>Email address:</b> <input type="text" name="email" size="30" maxlength="40" <?php if ($e_error_message) echo $highlight; ?> value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /> <?php if ($e_error_message) echo '<span class="errors">' .$e_error_message .'</span>'; ?></p>
<br />
<p><b>User Name:</b> <input type="text" name="username" size="20" maxlength="20" <?php if ($u_error_message) echo $highlight; ?> value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <?php if ($u_error_message) echo '<span class="errors">' .$u_error_message .'</span>'; ?></p>
<p class="style3">4 - 20 characters and must only contain letters, numbers, underscore (_) and dash (-).</p>
<br />
<p><b>Password:</b> <input type="password" name="password1" size="20" maxlength="20" <?php if (($p1_error_message) || ($p2_error_message)) echo $highlight; ?> /> <?php if ($p1_error_message) echo '<span class="errors">' .$p1_error_message .'</span>'; ?></p>
<p class="style3">6 - 20 characters and must only contain letters and numbers. We don't recommend using real words.</p>
<br />
<p><b>Confirm Password:</b> <input type="password" name="password2" size="20" maxlength="20" <?php if (($p1_error_message) || ($p2_error_message)) echo $highlight; ?> /> <?php if (($p1_error_message) || ($p2_error_message)) echo '<span class="errors">' .$p2_error_message .'</span>'; ?></p>
<p class="style3">The password confirmation is an added safety measure. Passwords must match.</p>
<br>
<div align="center"><input type="submit" name="register" value="Register" /></div>
</fieldset>
</form>
<!-- END FORM -->
<?php echo $p; ?>
</div>
<!-- END FORM WRAPPER -->

 

I know the password should be salted etc. but I try to start simple then build on scripts.

 

All advice greatly appreciated.

 

Many thanks.

 

James.


If your database connection fails, the mysql_real_escape_string() function will fail and return a FALSE value. Posting mysql_connect.php without your connection details would help.

 

Check your web server log for errors and/or turn on full php error reporting to get php to help you find out what might be happening in your code.
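
The reply above notes that mysql_real_escape_string() returns FALSE when it has no usable connection, which the script's `if ($fn && $ln && ...)` test cannot tell apart from a failed validation. As an added example (not code from this thread), the sketch below keeps validation and database access separate by using preg_match() and PDO prepared statements with exceptions enabled; the in-memory SQLite database, the `users` table and the helper names are assumptions for illustration.

```php
<?php
// Added example, not the thread's code. Table, columns and helper names are hypothetical;
// an in-memory SQLite database stands in for the MySQL server so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // database faults throw, never return FALSE
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            first_name TEXT, last_name TEXT, email TEXT, password TEXT)');

// Validation only: returns the trimmed value, or null when the pattern does not match.
function valid_field(array $in, string $key, string $pattern): ?string {
    $v = trim((string)($in[$key] ?? ''));
    return preg_match($pattern, $v) === 1 ? $v : null;
}

// Returns an array of error messages keyed by field; an empty array means the user was stored.
function register(PDO $pdo, array $in): array {
    $rules = [ // same character rules as the thread's eregi() checks, as case-insensitive PCRE
        'first_name' => "/^[[:alpha:].' -]{1,15}$/i",
        'last_name'  => "/^[[:alpha:].' -]{2,30}$/i",
        'email'      => '/^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z.]{2,6}$/i',
        'username'   => '/^[[:alnum:]_-]{4,20}$/i',
        'password1'  => '/^[[:alnum:]]{6,20}$/i',
    ];
    $errors = [];
    $clean = [];
    foreach ($rules as $key => $pattern) {
        $clean[$key] = valid_field($in, $key, $pattern);
        if ($clean[$key] === null) $errors[$key] = 'Invalid characters used or required field is empty.';
    }
    if (($in['password1'] ?? '') !== ($in['password2'] ?? '')) $errors['password2'] = 'Your passwords did not match.';
    if ($errors) return $errors; // a validation failure is reported as such, before any database call

    $check = $pdo->prepare('SELECT user_id FROM users WHERE username = ?');
    $check->execute([$clean['username']]); // value is bound, so no escaping step can go wrong
    if ($check->fetch()) return ['username' => 'That username is already taken.'];

    $ins = $pdo->prepare('INSERT INTO users (username, first_name, last_name, email, password)
                          VALUES (?, ?, ?, ?, ?)');
    $ins->execute([$clean['username'], $clean['first_name'], $clean['last_name'], $clean['email'],
                   password_hash($clean['password1'], PASSWORD_DEFAULT)]); // salted hash instead of md5()
    return [];
}

// Constructed sample input standing in for $_POST.
$post = ['first_name' => "O'Neil", 'last_name' => 'Smith', 'email' => 'j.smith@example.com',
         'username' => 'jsmith', 'password1' => 'abc12345', 'password2' => 'abc12345'];
var_dump(register($pdo, $post)); // first submission
var_dump(register($pdo, $post)); // same username submitted again
```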


Database connection is fine. Like I did point out, if I remove the escape_data() function then it all works.

 

As you asked though:

<?php
# ################################################################################################# #
# This file contains the database access info.											
# This file also establishes a connection to MySQL and selects the database.						
# This file contains important information such as passwords and usernames and MUST be kept secure.	
# It is recommended to have this file placed above the root.									
# If it is not possible to place above root, place file in a .htaccess / .htpasswd protected folder.
# Additionally, the folder should be made invisible to robots and access denied rules created.
# ################################################################################################# #

/* - - - - - - - - - - START - - - - - - - - - - */

// Set the database access information as constants.
define ('DB_USER', 'xxxxxx'); // Define the username required to access the database
define ('DB_PASSWORD', 'xxxxxx'); // Define the password required to access the database
define ('DB_HOST', 'xxxxxx'); // Define the database host name
define ('DB_NAME', 'xxxxxx'); // Define the name of the database.


// Make the connection and then select the database.
if ($dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD)) {
if (!mysql_select_db (DB_NAME)) {
	my_error_handler(mysql_errno(), 'Could not select the database: ' .mysql_error());
	echo '<p style="color:#f00;">The site is currently experiencing technical difficulties. We apologise for any inconvenience.</p>';
	exit();
	}
} else {
	my_error_handler(mysql_errno(), 'Could not connect to the database: ' .mysql_error());
	echo '<p style="color:#f00;">The site is currently experiencing technical difficulties. We apologise for any inconvenience.</p>';
	exit();
	}
/* TEMPORARILY COMMENTED OUT
# The following function is used if the query was run after a user enters information into a form.
// Create function for escaping and trimming form data.
function escape_data($data) { // CREATE FUNCTION
global $dbc; // Connect to the database;
if (ini_get('magic_quotes_gpc')) { // Check to see if magicquotes are turned on;
	$data = stripslashes($data); // If so then strip the existing slashes to prevent over-run.
	} // End IF statement
return mysql_real_escape_string($data, $dbc); // Use the mysql function to escape the text entered.
} // END FUNCTION
*/
/* - - - - - - - - - - FINISH - - - - - - - - - - */
?>
