...

View Full Version : user registration email + input validation



Armondo
03-21-2007, 01:48 AM
I was messing around with some user registration code and I got it to work! The user registration sends the user's "name", "password", and "email" to the database. The username and password are hard to screw up, but I can't seem to get the email validation to work. I overlooked this because most of my users put in honest email addresses that I was able to contact, but one user that recently registered put in "whatever@fergetyou" as his email address, which obviously isn't a real email. And while deleting this account from the database, I also found that there were some blank entries, like they didn't put anything in and then pressed submit. How would I verify the email and check that all the form fields are filled in? I found this tutorial on email verification but it returns errors for me...
Here's my code:

<?php
// replace username and password with your mysql name and password
$conn = mysql_connect("***", "***", "***");

// select the database
$db = mysql_select_db("flashanims_db");

// raw form input; nothing is validated or escaped before it reaches the query
$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];

// insert the values (note the string literal 'NULL' for id, and that the
// user-supplied strings are interpolated straight into the SQL)
$result = mysql_query("INSERT INTO users (id, username, password, email) " .
    "VALUES ('NULL', '$username', '$password', '$email')");

echo "<span>Your name and password have been submitted into our database! <a href=\"/comboard/login.php\">Click Here To Login</a></span>";
?>

Fou-Lu
03-21-2007, 02:58 AM
You can validate by checking whether it's empty or not:


if (empty($var))
{
    // Do something when it's empty
}

You will probably want to trim the variables as well to remove any whitespace; this prevents the user from typing in nothing but spaces.
Also, this:


INSERT INTO .... VALUES ($_POST['values']

is not a good idea. Granted, you have dumped it into a local variable, but you should be validating the data itself: mysql_real_escape_string, datatyping, email validation, etc., as these will help prevent an SQL injection, which is very bad.
Oh, and on a quick side note, assuming the id is an autoincrementing field, leave it out completely. Null is not an integer datatype, so the newer versions of SQL will reject the insertion attempt. I learned that the hard way.

aedrin
03-21-2007, 03:14 PM
If you don't want to get into the hairy zone of validating email addresses, you could always just look for: text, @, text containing at least 1 period (use a regular expression).

It won't get you 100% valid email addresses, but it'll get you some decent input.

The easiest (although sometimes most bothersome for the user) way of validating the email is to actually require them to activate the account through an email. Or send the generated password to them in an email.

Armondo
03-21-2007, 03:36 PM
Yeah, but how would I be able to do that? Like, check for it? And I keep getting errors when I try to put my "insert the values into the database" code inside the if statement. Can anyone redirect me to some resources or give me an example? Google is giving me bogus stuff :(.

aedrin
03-21-2007, 04:03 PM
Post those "errors" that you keep getting, so that we may see what the problem is.

And also post the code that you are attempting to run.

Armondo
03-22-2007, 12:37 AM
OK, I now have it to where you have to enter an email in the right format, which will at least prevent totally bogus emails :).
And I also got it to only post the data to the database if the email is valid. But umm... how would I be able to check if the fields are all filled in? And trim spaces outside of the text? Like this:

_ = space
_ = trimmed space

username:__Cool_guy89832121_
password: ___poop__iscool__
My code:

<?php
// replace username and password with your mysql name and password
// (connection details redacted)
$conn = mysql_connect("***", "***", "***");

// select the database
$db = mysql_select_db("flashanims_db");

$username = $_POST["username"];
$password = $_POST["password"];
$email = $_POST["email"];

// Validator taken from a tutorial. Note: ereg() was removed in PHP 7.0;
// on current PHP the same checks are written with preg_match() and PCRE patterns.
function check_email_address($email) {
    // First, we check that there's one @ symbol, and that the lengths are right
    if (!ereg("^[^@]{1,64}@[^@]{1,255}$", $email)) {
        // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
        return false;
    }
    // Split it into sections to make life easier
    $email_array = explode("@", $email);
    $local_array = explode(".", $email_array[0]);
    for ($i = 0; $i < sizeof($local_array); $i++) {
        if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
            return false;
        }
    }
    if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
        $domain_array = explode(".", $email_array[1]);
        if (sizeof($domain_array) < 2) {
            return false; // Not enough parts to domain
        }
        for ($i = 0; $i < sizeof($domain_array); $i++) {
            if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
                return false;
            }
        }
    }
    return true;
}

if (check_email_address($email)) {
    // insert the values (still unescaped; only the email format has been checked)
    $result = mysql_query("INSERT INTO users (id, username, password, email) " .
        "VALUES ('NULL', '$username', '$password', '$email')");
    echo "<span>Your name and password have been submitted into our database! <a href=\"/comboard/login.php\">Click Here To Login</a></span>";
} else {
    echo "<span>oh poop...there was an error</span>";
}
?>

Added an email validation function.

Fou-Lu
03-22-2007, 05:11 AM
'NULL', '$username', '$password', '$email'
These are string literals, not variables. Remove the quotations and you will get some values to work with. Trim will remove spaces on both sides of the string; if you want to use it on only one side, you can use ltrim or rtrim. You really should add some escaping on your $_POST inputs as well - you want to preserve your database after all ;)

aedrin
03-22-2007, 04:25 PM
These are string literals, not variables. Remove the quotations and you will get some values to work with

You are correct on his use of 'NULL', however the other values are correctly quoted as they are strings.

Armondo
03-22-2007, 10:05 PM
'NULL', '$username', '$password', '$email'
These are string literals, not variables. Remove the quotations and you will get some values to work with. Trim will remove spaces on both sides of the string; if you want to use it on only one side, you can use ltrim or rtrim. You really should add some escaping on your $_POST inputs as well - you want to preserve your database after all ;)

That is great, but how do I do it? lol? I can't find any good results on Google. Could you direct me to the resource that you use? I have some PHP books, but they don't really say anything about trimming data. And how do I escape characters that could harm MySQL? What could harm MySQL?

Fou-Lu
03-23-2007, 03:55 AM
You are correct on his use of 'NULL', however the other values are correctly quoted as they are strings.
o.O
You're right, what was I thinking with that one? Maybe off of the select statement (you'll have to help me out, it's been a while, lol).


That is great, but how do I do it? lol? I can't find any good results on Google. Could you direct me to the resource that you use? I have some PHP books, but they don't really say anything about trimming data. And how do I escape characters that could harm MySQL? What could harm MySQL?

Trimming is simple:


$string = ' This is my string to trim '; // Notice both sides need trimming
$leftTrimmed = ltrim($string);
echo $leftTrimmed . "<br />\n";
$rightTrimmed = rtrim($string);
echo $rightTrimmed ."<br />\n";
$allTrimmed = trim($string);
echo $allTrimmed . "<br />\n";
echo $string . "<br />\n";

Output (need to monospace this so you can see; also adding \n, but it won't actually display). Quotes added so the surviving spaces are visible:


[ltrim]:  "This is my string to trim "\n
[rtrim]:  " This is my string to trim"\n
[trim]:   "This is my string to trim"\n
[notrim]: " This is my string to trim "\n


To escape your input, most people use mysql_real_escape_string (http://ca3.php.net/manual/en/function.mysql-real-escape-string.php).
This function adds a backslash to the following characters: \x00, \n, \r, \, ', " and \x1a.
Here's where the fun comes from. The magic_quotes_gpc (http://ca3.php.net/manual/en/security.magicquotes.php) directive may already be escaping some of these strings if it's enabled. Which means that attempting any type of escaping, be it mysql_real_escape_string or addslashes or whatever you are using, will produce double escaping:
O'Reily (hey, did I spell his name right!?)
Escaped:
O\'Reily
Escaped with magic_quotes_gpc enabled:
O\\\'Reily [you don't want this]
So you may need to configure your directives. It's simple: just use an ini_set on your magic_quotes_gpc directive, as I'm almost 100% sure that it's a PHP_INI_ALL directive, meaning you can change it anywhere.
Why escape input into your database? SQL injections can be used to take over or modify your database. No matter what the degree, any type of injection is not favorable. Here (http://ca3.php.net/manual/en/security.database.sql-injection.php) is a link to an injection article on the PHP website.

Hope I nailed it down for you there!
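An added example, not code from the thread, that puts the escaping discussion above into runnable form. It uses constructed input in place of $_POST, addslashes() as a stand-in both for the escaping function and for what magic_quotes_gpc used to do (the real mysql_real_escape_string() needs a live MySQL connection and no longer exists in PHP 7+), and an in-memory SQLite database through PDO so the parameterised version runs offline. Two caveats worth knowing: magic_quotes_gpc was a PHP_INI_PERDIR setting, so ini_set() could not switch it off at runtime (the usual workaround was get_magic_quotes_gpc() plus stripslashes()), and the feature was removed entirely in PHP 5.4. The injection payload in the email field is hypothetical.

```php
<?php
// Added example: SQL injection through a string-built INSERT, escaping,
// the double-escaping problem, and a parameterised INSERT via PDO.

// Constructed input standing in for $_POST. The email carries a hypothetical
// payload that closes the VALUES list early and appends a second row.
$input = [
    'username' => "bob",
    'password' => "secret",
    'email'    => "bob@example.com'), ('admin', 'pwned', 'x@x.x",
];

// The pattern from the original post: values dropped straight into the SQL string.
function naiveInsertSql(array $in): string
{
    return "INSERT INTO users (username, password, email) VALUES "
         . "('{$in['username']}', '{$in['password']}', '{$in['email']}')";
}

// Escaping before interpolation. addslashes() stands in for
// mysql_real_escape_string(); MySQL would now read the payload as one string.
// SQLite does not use backslash escapes, so this string is displayed, not executed.
function escapedInsertSql(array $in): string
{
    $u = addslashes($in['username']);
    $p = addslashes($in['password']);
    $e = addslashes($in['email']);
    return "INSERT INTO users (username, password, email) VALUES ('$u', '$p', '$e')";
}

// The magic_quotes_gpc problem: input arrived already escaped, and escaping it
// again stored literal backslashes. The fix at the time was to undo the
// automatic escaping first, then escape exactly once.
function undoMagicQuotes(string $alreadyEscaped): string
{
    return stripslashes($alreadyEscaped);
}

$name            = "O'Reilly";
$fromMagicQuotes = addslashes($name);                             // O\'Reilly, as in the post
$doubleEscaped   = addslashes($fromMagicQuotes);                  // O\\\'Reilly, what got stored
$escapedOnce     = addslashes(undoMagicQuotes($fromMagicQuotes)); // O\'Reilly again

// The current answer: never build SQL from user data; bind it as a parameter.
function createSchema(PDO $db): void
{
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, "
            . "username TEXT NOT NULL, password TEXT NOT NULL, email TEXT NOT NULL)");
}

function safeInsert(PDO $db, array $in): int
{
    $stmt = $db->prepare("INSERT INTO users (username, password, email) VALUES (:u, :p, :e)");
    $stmt->execute([':u' => $in['username'], ':p' => $in['password'], ':e' => $in['email']]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

// Naive statement: the payload becomes SQL and a second, 'admin' row appears.
$db->exec(naiveInsertSql($input));
$naiveCount = (int) $db->query("SELECT COUNT(*) FROM users")->fetchColumn();
$db->exec("DELETE FROM users");

// Parameterised statement: one row, with the payload stored as harmless text.
safeInsert($db, $input);
$safeCount   = (int) $db->query("SELECT COUNT(*) FROM users")->fetchColumn();
$storedEmail = $db->query("SELECT email FROM users")->fetchColumn();

echo "naive query:    " . naiveInsertSql($input) . "\n";
echo "rows after naive insert: $naiveCount\n";
echo "escaped query:  " . escapedInsertSql($input) . "\n";
echo "rows after safe insert:  $safeCount\n";
echo "stored email:   $storedEmail\n";
echo "double-escaped: $doubleEscaped   escaped once: $escapedOnce\n";
```

Run it with the pdo_sqlite extension enabled (it is bundled with most PHP builds). The naive path ends with two rows in the table, the parameterised path with one; the difference is that a bound parameter is never parsed as SQL, which is why prepared statements, not escaping, are the standard fix today.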

iLLin
03-23-2007, 04:03 AM
$error = false;
$message = ''; // collect the problems found, so all of them can be shown at once
if (empty($username)) {
    $error = true;
    $message .= "Username is Blank";
}

if ($error == false) {
    // insert into the database
} else {
    echo $message;
}


You can also check the character count on the fields you want to check by using strlen($field) > 0 (or however many characters you are looking for).

-Dennis

Armondo
03-24-2007, 04:41 AM
Cool, I implemented it and I am just working out the bugs. Thanks guys, I will post if I have further trouble :)

Fou-Lu
03-24-2007, 06:34 AM
NP mate, glad to help.




You can also check the character count on the fields you want to check by using strlen($field) > 0 (or however many characters you are looking for).

-Dennis

Good point, this is especially useful if you are requiring minimum lengths for usernames and / or passwords. Doesn't really help with validation, but is a great base starting point, and I'm glad you pointed it out.
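An added example, not code from the thread, that combines the validation advice from the posts above (Fou-Lu's trim and empty checks, iLLin's collected error messages, the minimum-length check discussed just above, and aedrin's loose "text, @, text with a period" email rule): trim first, then check for blank fields, minimum lengths and email format, and collect every problem before deciding whether the record may be stored. The minimum lengths (3 and 8) are hypothetical, the submissions are constructed stand-ins for $_POST, and filter_var() with FILTER_VALIDATE_EMAIL is PHP's built-in email check, used here in place of the ereg-based validator posted earlier. Nothing in this block touches a database.

```php
<?php
// Added example: trim, required-field, minimum-length and email-format checks
// with all errors collected before the decision, as discussed in the thread.

// Hypothetical rules for this example.
const MIN_USERNAME_LEN = 3;
const MIN_PASSWORD_LEN = 8;

// The loose rule from the thread: some text, one @, then text containing at
// least one dot. Permissive by design, but it rejects "whatever@fergetyou".
function looksLikeEmail(string $email): bool
{
    return preg_match('/^[^@\s]+@[^@\s]+\.[^@\s]+$/', $email) === 1;
}

// PHP's built-in validator, stricter than the regex above.
function isValidEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns ['ok' => bool, 'errors' => string[], 'values' => array of trimmed fields].
function validateRegistration(array $post): array
{
    $errors = [];
    $values = [];

    foreach (['username', 'password', 'email'] as $field) {
        // A missing key and a whitespace-only value are both treated as blank.
        $values[$field] = trim((string) ($post[$field] ?? ''));
        if ($values[$field] === '') {
            $errors[] = ucfirst($field) . ' is blank';
        }
    }

    if ($values['username'] !== '' && strlen($values['username']) < MIN_USERNAME_LEN) {
        $errors[] = 'Username must be at least ' . MIN_USERNAME_LEN . ' characters';
    }
    if ($values['password'] !== '' && strlen($values['password']) < MIN_PASSWORD_LEN) {
        $errors[] = 'Password must be at least ' . MIN_PASSWORD_LEN . ' characters';
    }
    if ($values['email'] !== '' && !(looksLikeEmail($values['email']) && isValidEmail($values['email']))) {
        $errors[] = 'Email address is not in a valid format';
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'values' => $values];
}

// Constructed submissions standing in for $_POST, covering the cases from the thread:
// blank/space-only fields, the bogus address, and fields padded with spaces.
$submissions = [
    'spaces only'   => ['username' => '   ', 'password' => '', 'email' => ''],
    'bogus email'   => ['username' => 'someone', 'password' => 'longenough1', 'email' => 'whatever@fergetyou'],
    'padded fields' => ['username' => '  Cool_guy89832121 ', 'password' => '   poop  iscool  ', 'email' => ' user@example.com '],
];

foreach ($submissions as $label => $post) {
    $result = validateRegistration($post);
    echo "$label: " . ($result['ok'] ? 'accepted' : 'rejected') . "\n";
    foreach ($result['errors'] as $error) {
        echo "  - $error\n";
    }
    if ($result['ok']) {
        // Only now would the record go to the database, via a prepared statement.
        echo "  username='{$result['values']['username']}' email='{$result['values']['email']}'\n";
    }
}
```

Two things to notice. trim() only strips the outer whitespace, so "poop  iscool" keeps its interior spaces, which is what the earlier post with the underscores was asking for; trimming a password does silently alter what the user typed, so decide deliberately whether you want that. And the thread's scripts store the password as plain text; current practice is to store only a hash produced by password_hash() and check it with password_verify().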



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum