Trying to make a registration page...

I'm having a few problems. Further info inside...


#1 Exire

Posted 27 July 2009 - 04:56 PM

Hi all,

I'm new around here and by the looks of the place this is the place to come with a programming problem so, here I am. I'm having a problem getting a registration page I've coded to work properly. I had it working as I followed a tutorial but I wanted to tweak it a bit and that's where the problem comes in. I believe I've structured my If/Else statement poorly, though I can't see where. PHP isn't giving me any errors, it's just not doing what I'd expect it to do. Here's the code:

<?php
	// Branch 1: runs whenever the form supplies a username field.
	if (isset($_POST['username'])) {
		$username = $_POST['username'];
		// Flag the username if htmlentities() would alter it.
		if ($username != htmlentities($username)) {
			?><center><span style='color:red'>ERROR: Username contains invalid characters.  Please try again.</span></center><?php
		}
	} else {
		// Branch 2: the original registration logic, reached only when
		// $_POST['username'] is not set.
		if ($_POST) {
			$password = $_POST['password'];
			$confirm = $_POST['confirm'];
			if ($password != $confirm) {
				?><center><span style='color:red'>Error: Passwords do not match</span></center><?php
			} else {
				require_once 'db_config.php';
				$conn = mysql_connect($dbhost, $dbuser, $dbpass)
					or die('Error connecting to the database.');
				mysql_select_db($dbname);
				// Case-insensitive lookup for an existing username.
				$query = sprintf("SELECT COUNT(id) FROM users WHERE UPPER (username) = UPPER ('%s')",
					mysql_real_escape_string($_POST['username']));
				$result = mysql_query($query);
				list($count) = mysql_fetch_row($result);
				if ($count >= 1) { ?>
					<center><span style='color:red'>Error: Username already exists.  Please choose another.</span></center>
	<?php		} else {
					// Store the username and the SHA-1 digest of the password.
					$query = sprintf("INSERT INTO users (username, password) VALUES ('%s','%s');",
						mysql_real_escape_string($_POST['username']),
						mysql_real_escape_string(sha1($password)));
					mysql_query($query);
					?>
					<center><span style='color:green'>Congratulations!  You have successfully registered!</span></center>
	<?php
				}
			}
		}
	}
?>


I have a standard HTML form above that in the actual PHP file with fields for Username, Password and a Password Confirmation. I have a test user already registered in the database (from before I started tweaking the code). The original code is after the first "} else {" and, if I comment out everything above it, and the last "}", it works as I expect it to. I can register a new user and if I enter a username that's taken I get an error. I was attempting, with the code I added at the top of it, to strip out all HTML markup characters and so on (to prevent XSS). It works, but the problem is once you enter a "normal" username (i.e., Joe rather than <4298"!je or some other ungodly combination) and a password nothing happens. Hitting enter, clicking the form button, whatever. The page simply refreshes and no user is entered into the database, no errors are given, nothing. Also, if I try to register with the username of my test user, which is already registered in the database as I said, nothing happens there either. It should--and in fact does without my code at the top--give an error saying that the username already exists. With the code I've added nothing happens. Basically, unless you enter a username with HTML markup characters in it the script does nothing but refresh the page.

As I said, I assume I've screwed up the If/Else statement so the part after the "else" isn't firing but I can't for the life of me see where. I assume this is something glaringly obvious but I can't find it. So, any help you guys can give would be appreciated. I assume that the code I've added to the beginning is "correct" since it works and, if you remove it, the rest of the code works also so I don't think there are any major issues with the way it's coded, but if you see any, point them out. I just can't get the two to play nice together...

Anyway, thanks in advance!


Replies To: Trying to make a registration page...

#2 JBrace1990

Posted 27 July 2009 - 05:50 PM

It probably has to do with this:
$query = sprintf("INSERT INTO users (username, password) VALUES ('%s','%s');",


Try changing it to this and let me know if it works:
$query = sprintf("INSERT INTO users (username, password) VALUES ('$username','$password');",


Make sure that you mysql_real_escape_string() everything that interacts with a database. I'm not completely sure what the %s is, or is for... >_>

#3 Exire

Posted 27 July 2009 - 06:22 PM

JBrace1990, on 27 Jul, 2009 - 04:50 PM, said:

It probably has to do with this:

Try changing it to this and let me know if it works:

Make sure that you mysql_real_escape_string() everything that interacts with a database. I'm not completely sure what the %s is, or is for... >_>


Thanks for the reply. I tried it but no dice. Replacing '%s' with either '$username' or '$password' doesn't do anything as that's what '%s' does anyway. Basically '%s' is just shorthand for "insert a string here". In this case the string that's inserted is 'username' or 'password' respectively. There's also a '%d' that can be used for digits, just so you know. :)

Like I said, if I comment out the code at the top of the PHP (everything above and including the first "} else {") it works fine. Users can be added to the database, duplicate usernames give errors to the user telling them it's already taken, etc. I just can't get the two pieces of code to work together.

Again, thanks for the reply. Even though it didn't work I appreciate all the ideas I can get.

#4 no2pencil

Posted 27 July 2009 - 06:52 PM

Having a look at htmlentities, it doesn't look like its output is designed for conditional testing.

I would just as soon assume that they screwed it up & correct it.

<?php
	if ($_POST) {
		// Entity-encoded copy of the username; the queries below still read $_POST['username'].
		$username = htmlentities($_POST['username']);
		$password = $_POST['password'];
		$confirm = $_POST['confirm'];
		if ($password != $confirm) {
			echo "<center><span style='color:red'>Error: Passwords do not match</span></center>";
		} else {
			require_once 'db_config.php';
			$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to the database.');
			mysql_select_db($dbname);
			// Case-insensitive lookup for an existing username.
			$query = sprintf("SELECT COUNT(id) FROM users WHERE UPPER (username) = UPPER ('%s')",
				mysql_real_escape_string($_POST['username']));
			$result = mysql_query($query);
			list($count) = mysql_fetch_row($result);
			if ($count >= 1) {
				echo "<center><span style='color:red'>Error: Username already exists.  Please choose another.</span></center>";
			} else {
				// Store the username and the SHA-1 digest of the password.
				$query = sprintf("INSERT INTO users (username, password) VALUES ('%s','%s');",
					mysql_real_escape_string($_POST['username']),
					mysql_real_escape_string(sha1($password)));
				mysql_query($query);
				echo "<center><span style='color:green'>Congratulations!  You have successfully registered!</span></center>";
			}
		}
	}
?>

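Added example, not part of the thread or of no2pencil's code: the same registration flow with bound parameters, password_hash() and a UNIQUE constraint in place of sprintf() escaping, sha1() and the SELECT COUNT pre-check (which leaves a window between the check and the INSERT). The in-memory SQLite database, the register() function and the sample inputs are assumptions made so the block runs on its own; it needs the pdo_sqlite extension.

```php
<?php
// Added example; register() and the SQLite schema are hypothetical stand-ins
// for the thread's users table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE + COLLATE NOCASE does the job of the UPPER(username) = UPPER(...) lookup.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL COLLATE NOCASE UNIQUE,
    password TEXT NOT NULL)');

function register(PDO $pdo, string $username, string $password, string $confirm): string
{
    if ($password !== $confirm) {
        return 'Error: Passwords do not match';
    }
    // Salted, deliberately slow hash instead of a bare sha1() digest.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        // Bound parameters: the values never become part of the SQL text.
        $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
        $stmt->execute([$username, $hash]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (duplicate username).
        if (($e->errorInfo[0] ?? '') === '23000') {
            return 'Error: Username already exists.  Please choose another.';
        }
        throw $e;
    }
    return 'Congratulations!  You have successfully registered!';
}

// Constructed inputs: a new name, the same name in another case,
// a name containing a quote, and mismatched passwords.
$attempts = [
    ['Joe', 'pw-one', 'pw-one'],
    ['JOE', 'pw-two', 'pw-two'],
    ["O'Brien", 'pw-three', 'pw-three'],
    ['Ann', 'pw-four', 'pw-five'],
];
foreach ($attempts as [$u, $p, $c]) {
    // Escape for HTML at output time, not before storing.
    echo htmlspecialchars($u, ENT_QUOTES, 'UTF-8'), ' => ', register($pdo, $u, $p, $c), "\n";
}
```

At login, a hash stored this way is checked with password_verify() rather than by hashing the input and comparing strings.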

#5 Exire

Posted 27 July 2009 - 07:36 PM

no2pencil, on 27 Jul, 2009 - 05:52 PM, said:

Having a look at htmlentities, it doesn't look like its output is designed for conditional testing.

I would just as soon assume that they screwed it up & correct it.

Beautiful! I made some minor adjustments to it (using strpos()) to actually prevent users from registering with odd characters in their username in the first place, as I'd rather they didn't, but other than that your code was perfect.

Thanks!
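Added example, not from any poster in this thread: the htmlentities() comparison from post #1 next to the kind of up-front rejection post #5 mentions, done here as an allow-list regex rather than strpos(), run over constructed inputs. The function names and the username policy (3-20 ASCII letters, digits, _ . -) are assumptions; the flags are pinned to ENT_COMPAT, the default in 2009 (PHP 8.1 changed the default to ENT_QUOTES).

```php
<?php
// Added example; both function names and the policy are hypothetical.

// The check from post #1: "valid" means htmlentities() leaves the string unchanged.
function entity_check_passes(string $u): bool
{
    return $u === htmlentities($u, ENT_COMPAT, 'UTF-8');
}

// Allow-list: state what a username may contain and reject everything else.
// \A and \z anchor the whole string; a plain $ would accept a trailing newline.
function username_is_valid(string $u): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{3,20}\z/', $u) === 1;
}

// Constructed sample inputs.
$samples = ['Joe', "joe'--", "joe\n", 'a', '<b>joe</b>'];

foreach ($samples as $u) {
    printf(
        "%-16s entity_check=%-5s allow_list=%s\n",
        json_encode($u),
        var_export(entity_check_passes($u), true),
        var_export(username_is_valid($u), true)
    );
}
```

The two checks disagree on every sample that contains no character htmlentities() encodes: the single quote, the trailing newline and the one-character name all pass the entity comparison and fail the allow-list.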
