Can you spot the problem in this code?

nexgen_x

I've filtered out most of the html to cut the size down a bit.

<?
if ($accept) { //if the user hit the accept button (see form at the bottom)
	//select needed data of user from table: "pending"
	$query = "SELECT username, email FROM pending WHERE pid='$pid'";
	$result = @mysql_query($query);
	if (! $result) {
		PrintTop();
		print "Database Error: " . mysql_error();
		PrintFoot();
		exit();
	}
	$row = mysql_fetch_array($result);
	$username = $row['username'];
	$email = $row['email'];

//generate a random password, md5 it, and insert it into a new row in table: "profiles" along with username & email
srand((double)microtime()*1000000);
$password = substr(md5(rand(0,9999999)), 0, 8); #generates an 8 char long password (mix of nums and letters)
$encryptedpass = md5($password);
$query = "INSERT INTO profiles SET username='$username', password='$encryptedpass', email='$email'";
if (! @mysql_query($query)) {
	PrintTop();
	print "Database Error: " . mysql_error();
	PrintFoot();
	exit();
}

//finally, delete new user from the pending table
$query = "DELETE FROM pending WHERE pid ='$pid'";
if (! @mysql_query($query)) {
	PrintTop();
	print "Database Error: " . mysql_error();
	PrintFoot();
	exit();
}
//databases changes successfully, let user know he is accepted.
//write e-mail to user
$to = $email;
$subject = "Lore League Account: Accepted";
$message =
"Hello, $username.

There were no problems with your sign up application, so you are now a member.

------
Username: $username
Password: $password
------

You can change your password from the member index page.  To log in, go to [url]www.lore-league.com/signup.php[/url] and enter the above user name and password (password is case sensitive).  If you have any questions, feel free to e-mail [email]silvermoon@lore-league.com[/email].

Thankyou,

Silvermoon,
Webmaster/Admin of Lore-League.com
Guild Leader of Templum Purgationis
Co-Founder of the Lore League"; 
	//send e-mail
	mail($to,$subject,$message,$from);
	//finally, print message to admin saying it was successful
	PrintTop();
	print "$username has been accepted as a member.<br>";
	print "<a href=\"../memberindex.php\">&lt;&lt;Back</a>";
	PrintFoot();
	exit();
}
?>

//load of unrelated html here

//then the form starts

<form action="<?= $PHP_SELF ?>" method="POST">
<table width=600 bgcolor="#FFFFFF" align="center" cellspacing="1" cellpadding="2">
<tr>
	<td bgcolor="#222222" width=290><div align="right"><font class="default">Name:</font></div></td>
	<td bgcolor="#222222" width=290><div align="left"><font class="default"><?= $row['username'] ?></font></div></td>
</tr>
<tr>
	<td bgcolor="#222222" width=290><div align="right"><font class="default">E-Mail Address:</font></div></td>
	<td bgcolor="#222222" width=290><div align="left"><font class="default"><?= $row['email'] ?></font></div></td>
</tr>
<tr>
	<td bgcolor="#222222" width=290><div align="right"><font class="default">Guild:</font></div></td>
	<td bgcolor="#222222" width=290><div align="left"><font class="default"><?= $row['guild'] ?></font></div></td>
</tr>
<tr>
	<td bgcolor="#222222" width=290><div align="right"><font class="default">IP Address:</font></div></td>
	<td bgcolor="#222222" width=290><div align="left"><font class="default"><?= $row['ip'] ?></font></div></td>
</tr>
<tr>
	<td bgcolor="#222222" width=290><div align="right"><font class="default">Sign-Up Date:</font></div></td>
	<td bgcolor="#222222" width=290><div align="left"><font class="default"><?= $row['date'] ?></font></div></td>
</tr>
<tr>
	<td bgcolor="#222222" width=290><div align="right"><font class="default">Other Information:</font></div></td>
	<td bgcolor="#222222" width=290><div align="left"><font class="default"><?= $other ?></font></div></td>
</tr>
<? //print form allowing admin to accept or reject the user ?>
<tr>
	<td bgcolor="#222222" width=290><div align="center"><input type="submit" value="Accept User" name="accept" class="mainoption"></div></td>
	<td bgcolor="#222222" width=290><div align="center"><input type="submit" value="Reject User" name="reject" class="mainoption"></div></td>
</tr>
</table>
<input type="hidden" name="pid" value="<?= $id ?>"> //got a feeling the problem lies here.
</form>

Basically I've narrowed the problem down to the $id variable not being passed from the form, to the if ($accept) condition. I tried putting constants into the MySQL queries for pid= , and it worked fine.

So, is the following line:

<input type="hidden" name="pid" value="<?= $id ?>">

the problem causer? I can't think of anything else, but at the same time I don't see why this hidden field shouldn't pass on pid=$id...

Any help appreciated,

diego25

Do you have register globals on? If not, then you'll have to use $GET['id'] or $HTTP_GET_VARS['id'] (depending on your PHP version) for ALL your GET variables. If you have any POST variables, you need to use $POST or $HTTP_POST_VARS. Similarly, there's $SERVER, $COOKIE, $SESSION, $ENV, and their correspndent $HTTP*VARS.

Diego

hunterford

I believe the problem started in the email... just around "To log in, go to <a href="http..."

You need to escape the quote mark with a backslash, as with all quote marks that are to be printed.

So it should read something like...

<a href=\"http://www.lore-league.com/signup.php\" target=\"_blank\">www.lore-league.com/signup.php</a>

The same with...

print "<a href="../memberindex.php\"><<Back</a>";

Should be...

print "<a href=\"../memberindex.php\"><<Back</a>";

nexgen_x

Hmm I think dreamweaver must have inserted the link in the e-mail (all I wrote was the www.lore-league.com, because I havn't put an option in yet to check if the user has html email)

But for the second one, you're right - i forgot to escape the first quotes, i'll see if that makes any difference.

nexgen_x

Ok forget that:
the forum added the link in the email, its not in my code
and for some reason the forum got rid of the backslash before the first quotes on the Back link - that WAS in my code.

Diego, the server I'm on has register globals on, so I don't need to use any of those arrays...

Hmm, still no idea whats wrong...

barand

In you initial query you use a variable $pid so should your hidden field be

nexgen_x

no because the "initial" (actually the top one) isn't intitial, its called only if $accept = true (meaning the user has clicked the Accept button on the form, at the bottom). So the bottom half is carried out first, then the top half - and the bottom half should carry the variable pid to the top half... In the bottom half the variable is definately $id, which is why I use the hidden field to convert it into $pid...

nexgen_x

No-one can help?

rIkLuNd

In the MySQL query you call the id variable '$pid', and in the other case (bottom of code), you call i '$id'. I don't know if that's the thing that is wrong, but... 😕

nexgen_x

Thats because the number thats passed to the form (by a link with a ?id=# at the end) is in the variable $id not $pid.