Unwanted submission to the database



Jon W
01-09-2008, 09:04 AM
Alright, so here is the problem,

I have a Register form right now that I'm using to learn and get the feel for using PHP. I have an if statement to check in the database if a user has already submitted the same users, and if there is already a user with that name, it comes back false; the same is for the email address. So here's the problem: if you, for example, type in a user name that is already in the database it will come back with the error, but it will also submit the info that you have already typed in if all of the fields are filled in. Which means that you get two user names that are the same and the person's email address, so when he does go and find a name that hasn't already been used, he won't be able to use his email address because it will be already in the database. How do I fix such a problem? I've used the if(isset($_POST['submit'])) to make sure that, but it seems to ignore that script and go on through with its actions...





<?php

include("db.php");
include("function.php");

if(isset($_POST['submit']))
{

$query = mysql_query("SELECT username FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."'") or die('Database error: ' .mysql_error());

$checkuser = mysql_fetch_row($query);

if(isset($_POST['submit']) && $checkuser > 0)
{
$error = 'This username is already being used.'; include("register.php");
}

$query1 = mysql_query("SELECT email FROM users WHERE email = '".mysql_real_escape_string($_POST['email'])."'") or die('Database error: ' .mysql_error());

$checkemail = mysql_fetch_row($query1);

if(isset($_POST['submit']) && $checkemail > 0)

{
$error = 'This Email is already being used.';
include("register.php");
}



if(isset($_POST['submit']) && empty($_POST['username']))
{
$error = 'Please fill in your username';
include("register.php");
}
elseif(isset($_POST['submit']) && empty($_POST['password']))
{
$error = 'Please fill in a password';
include("register.php");
}
elseif(isset($_POST['submit']) && $_POST['password'] != $_POST['comfirmed_password'])
{
$error = 'Your passwords do not match. Please retype them and try again';
include("register.php");
}
elseif(isset($_POST['submit']) && empty($_POST['email']))
{
$error = 'Please fill in your email';
include("register.php");
}
elseif(isset($_POST['submit']) && $_POST['email'] != $_POST['comfirmed_email'])
{
$error = 'Your emails do not match. Please retype them and try again';
include("register.php");
}


else

{

$query = mysql_query("INSERT INTO users(`id`, `username`, `password`, `email`, `random_key`) VALUES('', '".mysql_real_escape_string($_POST['username'])."', '".mysql_real_escape_string(md5($_POST['password']))."', '".mysql_real_escape_string($_POST['email'])."', '".random_string('alnum', 32)."')") or die('Database error: ' .mysql_error());

$getuser = mysql_query("SELECT id, username, email, random_key FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."'") or die('Database error: ' .mysql_error());

if(mysql_num_rows($getuser)==1)

{

$row = mysql_fetch_assoc($getuser);

$header = "From: TopGameHQ";
$subject = "Account Registerion";

$message = "Dear ".$row['username'].",\r\n\r\n Your account is almost actived. To finish your activeion, please click this link: http://topgamehq.com/learn/comfirm.php?id=".$row['id']."&key=".$row['random_key']."\r\n\r\n Thank you for joining TopGameHQ!";

if(mail($row['email'], $subject, $message, $header))

{
$msg = '<fieldset style="width:500px; height:100px;"><legend>Comfirm email</legend>Account was created. Please login to your email and comfirme your account.</fieldset>';
?>

<html>
<head><title>TopGameHQ - Register</title>

<style type="text/css">

body { background-color:#000000;
margin-top:6px;
}

.main_table_border {
border: 1px solid #FF6600;
}

.input_table {
font-size:12px;
font-style:normal;
color:#000000;
}

fieldset {
border: 1px solid #FF6600;
}

.input {
border: 1px solid #FF6600;
font-size:12px;
font-weight:bold;
font-style:normal;
font-family:inherit;
}

</style></head>
<body>

<table width="750" align="center" cellpadding="0" cellspacing="0" class="main_table_border">
<tr>
<td align="center" valign="top" height="800" bgcolor="#FFFFFF">

<table width="750" align="center" cellpadding="0" cellspacing="0" bgcolor="#FF6600">
<tr>
<td height="70" align="center" valign="middle"><span class="header">TopGameHQ - Register</span></td>
</tr>
</table>

<table width="700" align="center" cellpadding="0" cellspacing="0" class="input_table">
<tr>
<td>&nbsp;</td>
</tr>
<tr>
<td align="center" valign="top"><?php echo($msg); ?></td>
</tr>

</table>
</td></tr>
</table>
</body>
</html>

<?php

}
else
{
$error = 'We created your account, but failed to send a email out';
}
}



}

}
?>



I'm sure it's something easy that I'm overlooking. But with me not having that much knowledge and seeing that I'm still in the process of learning, it's hard for me to find these errors.

Thanks for your help
Jon W

Jon W
01-09-2008, 10:26 AM
I figured it out I think. For the checkuser and checkemail I put:




$query = mysql_query("SELECT username FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."'") or die('Database error: ' .mysql_error());

$checkuser = mysql_fetch_row($query);

if(isset($_POST['submit']) && $checkuser > 0)
{
$error = 'This username is already being used.'; include("register.php");
return false;
}

$query1 = mysql_query("SELECT email FROM users WHERE email = '".mysql_real_escape_string($_POST['email'])."'") or die('Database error: ' .mysql_error());

$checkemail = mysql_fetch_row($query1);

if(isset($_POST['submit']) && $checkemail > 0)

{
$error = 'This Email is already being used.';
include("register.php");
return false;
}





Notice that I put 'Return false'. I don't know if this is the right way I should do it or not, but it works. lol

If you have any suggestions or comments on this, please give me as much feedback as you want. Any info helps!

Thanks
Jon W

aedrin
01-09-2008, 03:29 PM
The return 'function' is in most cases used for 1) returning a value from a function or sometimes (rarely) used to 2) return a value from an include. You don't need to use return in this situation, because PHP does not expect a result out of the main script.

This code is a good candidate however to be put into a function. Look up the syntax on PHP functions and try implementing it.

As for your technique.


$checkuser = mysql_fetch_row($query);

if(isset($_POST['submit']) && $checkuser > 0)

It is more logical/efficient to check in this way:



if (isset($_POST['submit'])) {
$result = mysql_query("SELECT username FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."'") or die('Database error: ' .mysql_error());
if (mysql_num_rows($result) > 0) {
$error = 'This username is already being used.';
include("register.php");
return false;
}
// repeat for email
}


What is contained in register.php? The registration form?

You probably should be setting it up a little differently.



if form was submitted
    // perform other checks
    if username is taken
        error = 'username is taken'
    if email is taken
        error = 'email is taken'

if not submitted or error exists then
    display form
else
    display thank you


EDIT: Didn't read your initial post fully.
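
The flow sketched in the pseudocode above, as an added example that is not part of the original thread: every failed check returns before the INSERT, and UNIQUE constraints on `username` and `email` make the database refuse duplicates even when two requests pass the checks at the same moment. The `register_user` function, the in-memory SQLite schema, and the use of PDO prepared statements and `password_hash` in place of the thread's `mysql_*` calls and `md5` are assumptions of this example.

```php
<?php
// Added example: schema, function name and messages are assumptions.
$pdo = new PDO('sqlite::memory:'); // in-memory DB keeps the example self-contained
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE makes the database itself refuse a second row with the same name or email.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password TEXT, email TEXT UNIQUE, random_key TEXT)');

// Returns an error message, or null when the account was created.
function register_user(PDO $pdo, array $post): ?string
{
    foreach (['username', 'password', 'email'] as $field) {
        if (empty($post[$field])) {
            return "Please fill in your $field";
        }
    }
    if ($post['password'] !== ($post['comfirmed_password'] ?? '')) {
        return 'Your passwords do not match.';
    }
    if ($post['email'] !== ($post['comfirmed_email'] ?? '')) {
        return 'Your emails do not match.';
    }
    // Friendly pre-checks. $column comes from this fixed list, never from input.
    foreach (['username', 'email'] as $column) {
        $stmt = $pdo->prepare("SELECT 1 FROM users WHERE $column = ?");
        $stmt->execute([$post[$column]]);
        if ($stmt->fetchColumn() !== false) {
            return "This $column is already being used.";
        }
    }
    try {
        $stmt = $pdo->prepare('INSERT INTO users (username, password, email, random_key)
                               VALUES (?, ?, ?, ?)');
        $stmt->execute([$post['username'], password_hash($post['password'], PASSWORD_DEFAULT),
                        $post['email'], bin2hex(random_bytes(16))]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: another request inserted the same value after the pre-checks.
        if ((string) $e->getCode() === '23000') {
            return 'This username or email is already being used.';
        }
        throw $e;
    }
    return null;
}
// Constructed sample submission, sent twice.
$form = ['username' => 'jon', 'password' => 'pw', 'comfirmed_password' => 'pw',
         'email' => 'jon@example.com', 'comfirmed_email' => 'jon@example.com'];
var_dump(register_user($pdo, $form), register_user($pdo, $form));
var_dump($pdo->query('SELECT COUNT(*) FROM users')->fetchColumn());
```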


