Mr_jmm Posted January 18, 2008

Hi all,

Having a problem with a registration form. I am using the following to check correct input of fields:

<?php
// Check for a first name:
if (eregi("^[[:alpha:].' -]{1,15}$", stripslashes(trim($_POST['first_name'])))) { // IF the entered text is valid...
    $fn = escape_data($_POST['first_name']); // ... create a new variable called '$fn' and give it the value of the entered escaped first_name.
} else { // ELSE if the first name is too short or contains invalid characters...
    $fn = FALSE; // ... create a new variable called '$fn', set it to FALSE and...
    $fn_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
} // END ELSE.
?>

The other checks are just as above. The problem occurs when I press the submit button: the script goes to the last ELSE statement in the script, showing that the variables $fn, $ln, $u etc. are lost. If I take out the escape_data() function then it all works OK.

$fn = $_POST['first_name'];

Full script:

<?php
# This script contains the registration form and form checking code.
# As we want all error messages to take up just one line we set the same variable name for all error messages
# and we do not concatenate. If we want all error messages to appear separately we can concatenate them by
# using "$error_message .= '[error message]'" note the period (.) before the "=" sign.

// - - - - - START SCRIPT - - - - - - - - - ->
if (isset($_POST['register'])) { // Handle the form.

    require_once('../xxxxxxx/mysql_connect.php'); // Connect to database. (For live site this will go within the "if(isset)...".

    # The following function is used if the query was run after a user enters information into a form.
    # This normally lives in the mysql_connect script but here for error checking.
    // Create function for escaping and trimming form data.
    function escape_data($data) { // CREATE FUNCTION
        global $dbc; // Connect to the database;
        if (ini_get('magic_quotes_gpc')) { // Check to see if magic quotes are turned on;
            $data = stripslashes($data); // If so then strip the existing slashes to prevent over escaping.
        } // End IF statement
        return mysql_real_escape_string($data, $dbc); // Use the mysql function to escape the text entered.
    } // END FUNCTION

    $message = NULL; // Create an empty new variable for the confirmation messages.
    $error_message = NULL; // Create an empty new variable for the error messages.
    $highlight = 'style="border:2px solid #f00;"';

    // Check for a first name:
    if (eregi("^[[:alpha:].' -]{1,15}$", stripslashes(trim($_POST['first_name'])))) { // IF the entered text is valid...
        $fn = $_POST['first_name']; // ... create a new variable called '$fn' and give it the value of the entered escaped first_name.
    } else { // ELSE if the first name is too short or contains invalid characters...
        $fn = FALSE; // ... create a new variable called '$fn', set it to FALSE and...
        $fn_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

    // Check for a last name:
    if (eregi("^[[:alpha:].' -]{2,30}$", stripslashes(trim($_POST['last_name'])))) { // IF the entered text is valid...
        $ln = escape_data($_POST['last_name']); // ... create a new variable called '$ln' and give it the value of the (entered) escaped last_name.
    } else { // ELSE if the last name is too short or contains invalid characters...
        $ln = FALSE; // ... create a new variable called '$ln', set it to FALSE and...
        $ln_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

    // Check for an email address.
    if (eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z.]{2,6}$", stripslashes(trim($_POST['email'])))) { // IF the entered text is valid... [stripslashes(trim())]
        $e = escape_data($_POST['email']); // ... create a new variable called '$e' and give it the value of the entered (escaped) email address.
    } else { // ELSE if the email address is too short or contains invalid characters...
        $e = FALSE; // ... create a new variable called '$e', set it to FALSE and...
        $e_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

    // Check for a username:
    if (eregi("^[[:alnum:]_-]{4,20}$", stripslashes(trim($_POST['username'])))) { // IF the entered text is valid...
        $u = escape_data($_POST['username']); // ... create a new variable called '$u' and give it the value of the entered (escaped) username.
    } else { // ELSE if the username is too short or contains invalid characters...
        $u = FALSE; // ... create a new variable called '$u', set it to FALSE and...
        $u_error_message = 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

    // Check for a password:
    if (eregi("^[[:alnum:]]{6,20}$", stripslashes(trim($_POST['password1'])))) { // IF the entered password (password1) is valid...
        // Check that the password matches the confirm password:
        if ($_POST['password1'] == $_POST['password2']) { // IF the two passwords match...
            $p = escape_data($_POST['password1']); // ...create a new variable '$p' and give it the value of the entered (escaped) password.
        } else { // ELSE if the passwords do not match...
            $p = FALSE; // ... create a new variable called '$p', set it to FALSE and...
            $p2_error_message .= 'Your passwords did not match.'; // ... set the error message.
        } // END ELSE.
    } else { // ELSE if the password is too short or contains invalid characters...
        $p = FALSE; // ... create a new variable called '$p', set it to FALSE and...
        $p1_error_message .= 'Invalid characters used or required field is empty.'; // ... set the error message.
    } // END ELSE.

    if ($fn && $ln && $e && $u && $p) { // If everything's OK...
        // Check to see if the username is available:
        $query = "SELECT user_id FROM xxxxxx WHERE username='$u'"; // Select the user from the database...
        $result = @mysql_query ($query); // ...and run the query.
        if (mysql_num_rows($result) == 0) { // Then, if the query doesn't return a result (the username doesn't already exist)...
            // Continue to register the new user:
            $query = "INSERT xxxxxx (username, first_name, last_name, email, password, registration_date) VALUES ('$u', '$fn', '$ln', '$e', '" .md5($p). "', NOW() )"; // Make the query.
            $result = @mysql_query ($query); // Run the query.
            if ($result) { // IF the query ran ok...
                include ('registered.inc.php'); // Confirmation screen.
                exit(); // Quit the script.
            } else { // ELSE if the query did not run ok...
                $message = 'You could not be registered due to a system error. We apologise for any inconvenience.<p>MySQL ERROR: ' . mysql_error() . '</p>';
            } // END ELSE.
        } else { // ELSE if the query shows a result (the username already exists)...
            $message = 'That username is already taken. Please choose a different one.';
            // mysql_close(); // Close the connection to the database.
        } // END
        mysql_close(); // Close the database connection.
    } else { // ELSE if there was a problem with the form...
        $message = 'Please try again.'; // ... add this additional message.
        mysql_close(); // Close the database connection.
    } // END ELSE.
} // End of the main Submit conditional.

// Handle any messages ($message):
if (isset($message)) { // If there is an error message (if $message has a value)...
    echo '<font color="red">' .$message .'</font>'; // ... print it in red.
}
?>

<!-- START FORM WRAPPER (this ensures form is correctly placed) -->
<div style="float:left;">
<!-- START REGISTER USER FORM -->
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post">
<fieldset><legend> Enter user info: </legend>
<br />
<p><b>First Name:</b> <input type="text" name="first_name" size="15" maxlength="15" <?php if ($fn_error_message) echo $highlight; ?> value="<?php if (isset($_POST['first_name'])) echo stripslashes($_POST['first_name']); ?>" /> <?php if ($fn_error_message) echo '<span class="errors">' .$fn_error_message .'</span>'; ?></p>
<br />
<p><b>Last Name:</b> <input type="text" name="last_name" size="30" maxlength="30" <?php if ($ln_error_message) echo $highlight; ?> value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /> <?php if ($ln_error_message) echo '<span class="errors">' .$ln_error_message .'</span>'; ?></p>
<br />
<p><b>Email address:</b> <input type="text" name="email" size="30" maxlength="40" <?php if ($e_error_message) echo $highlight; ?> value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /> <?php if ($e_error_message) echo '<span class="errors">' .$e_error_message .'</span>'; ?></p>
<br />
<p><b>User Name:</b> <input type="text" name="username" size="20" maxlength="20" <?php if ($u_error_message) echo $highlight; ?> value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <?php if ($u_error_message) echo '<span class="errors">' .$u_error_message .'</span>'; ?></p>
<p class="style3">4 - 20 characters and must only contain letters, numbers, underscore (_) and dash (-).</p>
<br />
<p><b>Password:</b> <input type="password" name="password1" size="20" maxlength="20" <?php if (($p1_error_message) || ($p2_error_message)) echo $highlight; ?> /> <?php if ($p1_error_message) echo '<span class="errors">' .$p1_error_message .'</span>'; ?></p>
<p class="style3">6 - 20 characters and must only contain letters and numbers. We don't recommend using real words.</p>
<br />
<p><b>Confirm Password:</b> <input type="password" name="password2" size="20" maxlength="20" <?php if (($p1_error_message) || ($p2_error_message)) echo $highlight; ?> /> <?php if (($p1_error_message) || ($p2_error_message)) echo '<span class="errors">' .$p2_error_message .'</span>'; ?></p>
<p class="style3">The password confirmation is an added safety measure. Passwords must match.</p>
<br>
<div align="center"><input type="submit" name="register" value="Register" /></div>
</fieldset>
</form>
<!-- END FORM -->
<?php echo $p; ?>
</div>
<!-- END FORM WRAPPER -->

I know the password should be salted etc. but I try to start simple then build on scripts.

All advice greatly appreciated.

Many thanks.
James.

papaface Posted January 18, 2008

Where is your escape_data function?

Edit: Ignore me, I didn't see it in your code.

PFMaBiSmAd Posted January 18, 2008

If your database connection fails, the mysql_real_escape_string() function will fail and return a FALSE value. Posting mysql_connect.php without your connection details would help.

Check your web server log for errors and/or turn on full php error reporting to get php to help you find out what might be happening in your code.

Mr_jmm (Author) Posted January 18, 2008

Database connection is fine. Like I did point out, if I remove the escape_data() function then it all works. As you asked though:

<?php
# ################################################################################################# #
# This file contains the database access info.
# This file also establishes a connection to MySQL and selects the database.
# This file contains important information such as passwords and usernames and MUST be kept secure.
# It is recommended to have this file placed above the root.
# If it is not possible to place above root, place file in a .htaccess / .htpasswd protected folder.
# Additionally, the folder should be made invisible to robots and access denied rules created.
# ################################################################################################# #

/* - - - - - - - - - - START - - - - - - - - - - */

// Set the database access information as constants.
define ('DB_USER', 'xxxxxx'); // Define the username required to access the database
define ('DB_PASSWORD', 'xxxxxx'); // Define the password required to access the database
define ('DB_HOST', 'xxxxxx'); // Define the database host name
define ('DB_NAME', 'xxxxxx'); // Define the name of the database.

// Make the connection and then select the database.
if ($dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD)) {
    if (!mysql_select_db (DB_NAME)) {
        my_error_handler(mysql_errno(), 'Could not select the database: ' .mysql_error());
        echo '<p style="color:#f00;">The site is currently experiencing technical difficulties. We apologise for any inconvenience.</p>';
        exit();
    }
} else {
    my_error_handler(mysql_errno(), 'Could not connect to the database: ' .mysql_error());
    echo '<p style="color:#f00;">The site is currently experiencing technical difficulties. We apologise for any inconvenience.</p>';
    exit();
}

/* TEMPORARILY COMMENTED OUT
# The following function is used if the query was run after a user enters information into a form.
// Create function for escaping and trimming form data.
function escape_data($data) { // CREATE FUNCTION
    global $dbc; // Connect to the database;
    if (ini_get('magic_quotes_gpc')) { // Check to see if magic quotes are turned on;
        $data = stripslashes($data); // If so then strip the existing slashes to prevent over-run.
    } // End IF statement
    return mysql_real_escape_string($data, $dbc); // Use the mysql function to escape the text entered.
} // END FUNCTION
*/

/* - - - - - - - - - - FINISH - - - - - - - - - - */
?>
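
Added example, not part of the thread or the poster's code: PFMaBiSmAd notes above that mysql_real_escape_string() returns FALSE when it has no usable connection, and in the posted script FALSE is also the "field invalid" flag, so the two failures cannot be told apart. The sketch below records validation errors in their own array and binds values through PDO prepared statements, so there is no escaping call that can fail silently. It assumes PHP 7.1+ with pdo_sqlite; the `users` table, its columns, the function names and the sample input are hypothetical.

```php
<?php // Added example, not the poster's code. The `users` table and its columns are hypothetical.

// Returns [clean values, errors]; an invalid field goes into $errors, never a FALSE value.
function validate_registration(array $post): array {
    $rules = [ // same character classes and lengths as the posted eregi() checks
        'first_name' => "/^[[:alpha:].' -]{1,15}\\z/",
        'last_name'  => "/^[[:alpha:].' -]{2,30}\\z/",
        'username'   => '/^[[:alnum:]_-]{4,20}\z/',
        'password1'  => '/^[[:alnum:]]{6,20}\z/',
    ];
    $clean = $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = trim((string) ($post[$field] ?? ''));
        if (preg_match($pattern, $value) === 1) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'Invalid characters used or required field is empty.';
        }
    }
    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid characters used or required field is empty.';
    } else {
        $clean['email'] = $email;
    }
    if (($post['password1'] ?? '') !== ($post['password2'] ?? '')) {
        $errors['password2'] = 'Your passwords did not match.';
    }
    return [$clean, $errors];
}

// Values are bound, never spliced into the SQL text, so no escaping call is needed.
function register_user(PDO $db, array $c): bool {
    $taken = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $taken->execute([$c['username']]);
    if ($taken->fetchColumn() !== false) {
        return false; // username already exists
    }
    $hash = password_hash($c['password1'], PASSWORD_DEFAULT); // salted hash instead of md5()
    $sql = 'INSERT INTO users (username, first_name, last_name, email, password) VALUES (?, ?, ?, ?, ?)';
    return $db->prepare($sql)->execute([$c['username'], $c['first_name'], $c['last_name'], $c['email'], $hash]);
}

// Constructed sample input; an in-memory SQLite database stands in for MySQL.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT UNIQUE, first_name TEXT, last_name TEXT, email TEXT, password TEXT)');
$post = ['first_name' => "O'Neil", 'last_name' => 'Smith', 'email' => 'james@example.com',
         'username' => 'james_01', 'password1' => 'abc12345', 'password2' => 'abc12345'];
[$clean, $errors] = validate_registration($post);
var_dump($errors, $errors === [] && register_user($db, $clean), register_user($db, $clean));
```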
This topic is now archived and is closed to further replies.