View Full Version : Form help



Cyber
04-09-2008, 06:00 PM
I'm trying to validate a form. I have two fields, one called MemberRef and the other is "Password". I have code that validates the form if no values are entered. I need the form to check the MemberRef against the password; I have added a check for the username and password but it isn't correct. I also need to check that the user exists in the database when the submit button is selected. I have the code kind of working:


<?php


if (isset($_POST['submit'])) {

    $error_stat = 0;
    $MemberRef_message = '';
    $Password_message = '';
    $Password2_message = '';
    $User_message = '';
    $Walk_message = '';

    $MemberRef = mysql_real_escape_string(stripslashes($_POST['MemberRef']));
    $Password = mysql_real_escape_string(stripslashes($_POST['Password']));

    //Error checking

    // MemberRef Check)
    if (!$MemberRef) {
        //Set the error_stat to 1, which means that an error has occurred
        $error_stat = 1;

        //Set the message to tell the user to enter a MemberRef
        $MemberRef_message = '*Please enter MemberRef*';
    }
    else if (!ctype_digit($MemberRef)) {
        $error_stat = 1;
        $MemberRef_message .= '*MemberRef must be a number*';
    }

    if (!$Password) {
        //Set the error_stat to 1, which means that an error has occurred
        $error_stat = 1;

        //Set the message to tell the user to enter a password
        $Password_message = '*Please enter a Password*';
    }

    $account = mysql_query("SELECT * FROM members WHERE MemberRef='$MemberRef' && Password='$Password'");

    if ($Password != $MemberRef) {
        $error_stat = 1;
        $Password2_message .= '*Password incorrect*';
    }
    else if(mysql_num_rows($account) == 0){
        $error_stat = 1;
        //Set the message to tell the user MemberRef does not exist
        $User_message = '*MemberRef does not exist*';
    }
}

?>


<hr class="hr_blue"/></p><font face="Arial" size="3">Join Walk</font><form method="post" class="addwalkerform" action="">
</font>
<fieldset>
<label for="MemberRef">MemberRef:</label>
<input name="MemberRef" type="text" id="MemberRef" value="<?php echo $_POST['MemberRef']; ?>"/>
<span class="redboldtxt"><?php echo "$MemberRef_message";?></fieldset></span>
</fieldset>

<fieldset>
<label for="Password">Password:</label>
<input name="Password" type="text" id="Password" value="<?php echo $_POST['Password']; ?>"/>
<span class="redboldtxt"><?php echo "$Password_message";?></fieldset></span>
<span class="redboldtxt"><?php echo "$Password2_message";?></fieldset></span>
<p></p>
<fieldset>
<p class="submit"><input type="submit" name="submit" value="Join Walk" />

<span class="redboldtxt"><?php echo "$User_message";?></fieldset></span>

<span class="redboldtxt"><?php echo "$Walk_message";?></fieldset></span>


</fieldset>


</fieldset>
</form>

<?php
}
?>

Fumigator
04-09-2008, 07:05 PM
How is your current code behaving that isn't what you want?

Cyber
04-09-2008, 07:12 PM
How is your current code behaving that isn't what you want?


I have the code working up until the last query in the code. I need it to look up a table called "walker" which has the fields "WalkNo" and "MemberRef"; I want to check that the member has not been added to the walk.

The code is working fine up until the last query:


if (isset($_POST['submit'])) {

    $error_stat = 0;
    $MemberRef_message = '';
    $Password_message = '';
    $Password2_message = '';
    $User_message = '';
    $Walk_message = '';

    $MemberRef = mysql_real_escape_string(stripslashes($_POST['MemberRef']));
    $Password = mysql_real_escape_string(stripslashes($_POST['Password']));

    //Error checking

    // MemberRef Check)
    if (!$MemberRef) {
        //Set the error_stat to 1, which means that an error has occurred
        $error_stat = 1;

        //Set the message to tell the user to enter a username
        $MemberRef_message = '*Please enter MemberRef*';
    }
    else if (!ctype_digit($MemberRef)) {
        $error_stat = 1;
        $MemberRef_message .= '*MemberRef must be a number*';
    }

    if (!$Password) {
        //Set the error_stat to 1, which means that an error has occurred
        $error_stat = 1;

        //Set the message to tell the user to enter a password
        $Password_message = '*Please enter a Password*';
    }

    if (isset($_POST['submit']) && $error_stat == 0) {

        $account = mysql_query("SELECT * FROM members WHERE MemberRef='$MemberRef' && Password='$Password'");

        if(mysql_num_rows($account) == 0){
            $error_stat = 1;
            //Set the message to tell the user MemberRef does not exist
            $User_message = '*Member does not exist*';

            if (isset($_POST['submit']) && $error_stat == 0) {

                $account = mysql_query("SELECT * FROM walker WHERE MemberRef='$MemberRef' && WalkNo='$WalkNo'");

                if(mysql_num_rows($account) == 1){
                    $error_stat = 1;
                    //Set the message to tell the user they have already joined the walk
                    $Walk_message = '*Member has already joined this walk*';
                }
            }
        }
    }
}

?>


<hr class="hr_blue"/></p><font face="Arial" size="3">Join Walk</font><form method="post" class="addwalkerform" action="">
</font>
<fieldset>
<label for="MemberRef">MemberRef:</label>
<input name="MemberRef" type="text" id="MemberRef" value="<?php echo $_POST['MemberRef']; ?>"/>
<span class="redboldtxt"><?php echo "$MemberRef_message";?></fieldset></span>
</fieldset>

<fieldset>
<label for="Password">Password:</label>
<input name="Password" type="text" id="Password" value="<?php echo $_POST['Password']; ?>"/>
<span class="redboldtxt"><?php echo "$Password_message";?></fieldset></span>
<span class="redboldtxt"><?php echo "$Password2_message";?></fieldset></span>

<fieldset>
<p class="submit"><input type="submit" name="submit" value="Join Walk" />

<span class="redboldtxt"><?php echo "$User_message";?></fieldset></span>

<span class="redboldtxt"><?php echo "$Walk_message";?></fieldset></span>


</fieldset>


</fieldset>
</form>

<?php
}
?>

_Aerospace_Eng_
04-09-2008, 08:49 PM
You aren't doing any error checking and I think you need to use AND rather than &&

$account = mysql_query("SELECT * FROM walker WHERE MemberRef='$MemberRef' AND WalkNo='$WalkNo'") or die(mysql_error());

Cyber
04-09-2008, 09:33 PM
You aren't doing any error checking and I think you need to use AND rather than &&

$account = mysql_query("SELECT * FROM walker WHERE MemberRef='$MemberRef' AND WalkNo='$WalkNo'") or die(mysql_error());

Hi, I have changed the code to check the MemberRef and password are correct. I'm having a problem now when I enter an existing username and an incorrect password: the code is outputting that the username does not exist. Is there any way I can fix this?


if (isset($_POST['submit'])) {

    $error_stat = 0;
    $MemberRef_message = '';
    $Password_message = '';
    $Password2_message = '';
    $User_message = '';
    $Walk_message = '';

    $MemberRef = mysql_real_escape_string(stripslashes($_POST['MemberRef']));
    $Password = mysql_real_escape_string(stripslashes($_POST['Password']));

    //Error checking

    // MemberRef Check)
    if (!$MemberRef) {
        //Set the error_stat to 1, which means that an error has occurred
        $error_stat = 1;

        //Set the message to tell the user to enter a username
        $MemberRef_message = '*Please enter MemberRef*';
    }
    else if (!ctype_digit($MemberRef)) {
        $error_stat = 1;
        $MemberRef_message .= '*MemberRef must be a number*';
    }

    if (!$Password) {
        //Set the error_stat to 1, which means that an error has occurred
        $error_stat = 1;

        //Set the message to tell the user to enter a username
        $Password_message = '*Please enter a Password*';
    }

    if (isset($_POST['submit']) && $error_stat == 0) {

        $account = mysql_query("SELECT * FROM members WHERE MemberRef='$MemberRef' AND Password='$Password'");
        $numrows = mysql_num_rows($account); //get rows returned

        if(mysql_num_rows($account) == 0){
            $error_stat = 1;
            //Set the message to tell the user MemberRef does not exist
            $User_message = '*Member does not exist*';
        }
        else if ($numrows < 1)// if more than 0 its in database, if not throw new error message
        {
            $row = mysql_fetch_assoc($result);
            $dbpassword = $row['Password']; //get the password from the database
            if ($dbpassword != $Password) { // check it agains the inputted password, if not the same

                $error_stat = 1;

                //Set the message to tell the user to enter a username
                $Password2_message = '*Incorrect Password*';
            }
        }
    }
}



?>

Fumigator
04-09-2008, 09:49 PM
Split the query into two queries, but it's usually a good idea to not be all that specific with that sort of thing; if someone's trying to hack in by guessing usernames and passwords, the last thing you want to do is let them know they've stumbled upon a valid username and just the password is wrong. So I'd just change the error to "username or password incorrect".

Cyber
04-09-2008, 09:53 PM
Split the query into two queries, but it's usually a good idea to not be all that specific with that sort of thing; if someone's trying to hack in by guessing usernames and passwords, the last thing you want to do is let them know they've stumbled upon a valid username and just the password is wrong. So I'd just change the error to "username or password incorrect".

Can you help me with this? I'm lost now.

Inigoesdr
04-09-2008, 10:56 PM
Can you help me with this? I'm lost now.
What he's saying is don't check for EITHER username OR password individually; check for BOTH, and output a general error like "Username and/or Password are invalid" if either one is incorrect. For example:

$account = mysql_query("SELECT * FROM members WHERE MemberRef='$MemberRef' AND Password='$Password'");
$numrows = mysql_num_rows($account); //get rows returned

if($numrows == 0)
{
    $error_stat = 1;
    $User_message = 'Username and/or Password are invalid';
}
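
Added example, not part of the thread: one way to implement the single generic error that Fumigator and Inigoesdr describe, here with PDO prepared statements and `password_hash()`/`password_verify()` in place of the thread's `mysql_*` calls and plain-text password comparison. The in-memory SQLite database, the `PasswordHash` column, the `checkJoin()` function, the `DUMMY_HASH` constant and the sample rows are assumptions made for the illustration.

```php
<?php
// Added example: constructed schema and sample rows in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (MemberRef INTEGER PRIMARY KEY, PasswordHash TEXT)');
$db->exec('CREATE TABLE walker (WalkNo INTEGER, MemberRef INTEGER)');
$ins = $db->prepare('INSERT INTO members VALUES (?, ?)');
$ins->execute([1001, password_hash('correct horse', PASSWORD_DEFAULT)]);
$db->exec('INSERT INTO walker VALUES (7, 1001)');

// Hash of a throwaway value, verified when the member is unknown so that both
// failure paths do the same amount of work (hypothetical constant name).
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

/** Returns '' on success, otherwise the message to show the user. */
function checkJoin(PDO $db, string $memberRef, string $password, int $walkNo): string
{
    $generic = 'Username and/or Password are invalid';
    if (!ctype_digit($memberRef) || $password === '') {
        return $generic;
    }
    // Bound parameters: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT PasswordHash FROM members WHERE MemberRef = ?');
    $stmt->execute([(int) $memberRef]);
    $hash = $stmt->fetchColumn();   // false when no such member

    // Unknown member and wrong password end in the same branch and message.
    $ok = password_verify($password, $hash === false ? DUMMY_HASH : $hash);
    if ($hash === false || !$ok) {
        return $generic;
    }
    // Only an authenticated member learns anything about walk membership.
    $stmt = $db->prepare('SELECT COUNT(*) FROM walker WHERE MemberRef = ? AND WalkNo = ?');
    $stmt->execute([(int) $memberRef, $walkNo]);
    if ((int) $stmt->fetchColumn() > 0) {
        return 'Member has already joined this walk';
    }
    return '';
}

// Constructed inputs: unknown member, wrong password, already joined, success.
$cases = [['9999', 'x', 7], ['1001', 'wrong', 7], ['1001', 'correct horse', 7], ['1001', 'correct horse', 8]];
foreach ($cases as $case) {
    printf("%-5s walk %d => '%s'\n", $case[0], $case[2], checkJoin($db, ...$case));
}
```

The first two cases print the identical message, so the response does not reveal whether member 9999 or member 1001 exists.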


