help getting register.php to work

fearfx

ok I have created a register page the code is as follows:

<?php
require_once ('lib/register_functions.php');

if ($submit == 'Mail confirmation')
	{
		$feedback = user_register();

	$feedback_str = "<P class=\"errormess\">$feedback</p>";
}
else
{
	$feedback_str ='';
}

$php_self = $_SERVER['PHP_SELF'];

$reg_str = <<< EOREGSTR

<table cellpadding=0 cellspacing=0 border=0 align=center width=621>
<tr>
	<td rowspan=10><img width=15 height=1 src=../images/spacer.gif></td>
	<td width=606></td>
</tr>
<tr>
	<td>

$feedback_str

<p class="left"><b>REGISTER</b><br>
Fill out this form and a confirmation email will be sent to you.
Once you click on the link in the email your account will be
confirmed and you can begin to contribute to the community.</P>

<FORM ACTION="$php_self" METHOD="POST">

<p class ="bold">First Name<br>
<INPUT TYPE="text" NAME="first_name" VALUE="$first_name" size="20" maxlength="25"></p>

<p class ="bold">Last Name<br>
<INPUT TYPE="text" NAME="last_name" VALUE="$last_name" size="20" maxlength="25"></p>

<p class ="bold">User Name<br>
<INPUT TYPE="text" NAME="user_name" VALUE="$user_name" size="10" maxlength="25"></p>

<p class ="bold">Password<br>
<INPUT TYPE="text" NAME="password1" VALUE="" size="10" maxlength="25"></p>

<p class ="bold">Password Again<br>
<INPUT TYPE="text" NAME="password2" VALUE="" size="10" maxlength="25"></p>

<p class ="bold">Email - Required<br>
<INPUT TYPE="text" NAME="email" VALUE="$email" size="30" maxlength="50"></p>

<p><INPUT TYPE="SUBMIT" NAME="submit" VALUE ="Mail confirmation"></p>

</FORM>

</td>
</tr>
</table>

EOREGSTR;

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Register for an Account</title>
</head>

<body>
<?php echo $reg_str; ?>
</body>
</html>

Now my include page of register_functions - code is below:

<?php
include_once('config.php');

$supersecret_hash_padding = 'A string that is used to pad' . 'out short strings for md5 encryption.';

function user_regester() {
	global $supersecret_hash_padding;

//Are all VARS present and do passwords MATCH

if (strlen($_POST['user_name']) <= 25 &&
strlen($_POST['password1']) <= 25 && ($_POST['password1'] == 
$_POST['password2']) && strlen($_POST['email']) <= 50 &&
validate_email($_POST['email'])) {

	//Validate UserName and PassWord

	if(account_namevalid($_POST['user_name'])  ||
	strlen($_POST['password1'] >= 6 )) {

		$user_name = strtolower($_POST['user_name']);
		$user_name = trim($user_name);
		$email = $_POST['email'];

		$query = "SELECT user_id
					FROM user
					WHERE user_name = '$user_name'
					AND email = '$email'";
		$result = mysql_query($query);

		if ($result && mysql_num_rows($result) > 0) {
			$feedback = 'ERROR - - UserName and or EMAIL is already taken';
			return $feedback;
			} else {
				$first_name = $_POST['first_name'];
				$last_name = $_POST['last_name'];
				$password = md5($_POST['password1']);
				$user_ip = $_SERVER['REMOTE_ADDR'];

				//Create new HASH to insert into DB and the Conformation EMAIL

				$hash = md5($email.$supersecret_hash_padding);

				$query = "INSERT INTO user (user_name, first_name, last_name, password, email, remote_addr, confirm_hash, is_confirmed, date_created)
				VALUES ('$user_name', '$first_name', '$last_name', '$password', '$email', '$user_ip', '$hash', '0', NOW())";

				$result = mysql_query($query);
				if (!$result) {
					$feedback = 'ERROR - - Database ERROR';
					return $feedback;
					} else {

					//Send Conformation EMAIL

					$encoded_email = urlencode($_POST['email']);
					$mail_body = <<< EOMAILBODY

				Thank you for registering at www.okaucheewi.com! Click this link below to confirm registration.

				http://localhost/confirm.php?hash=$hash$email=$encoded_email

				Once you see a confirmation message, you will be logged into www.okacuheewi.com

EOMAILBODY;
								mail ($email, 'OkaucheeWI Registration Confirmation' , $mail_body, 'FROM: noreply@okaucheewi.com');

					// Give a successfull registration message
						$feedback = 'YOU HAVE SUCCESSFULLY REGISTER. You will receive a confirmation email shortly';
						return $feedback;
						}
					}

				} else {
					$feedback = 'ERROR - - UserName or PassWord Invalid';
					return $feedback;
					}
				} else {
					$feedback = 'ERROR - - Please fill in all required fields correctly';
					return $feedback;
					}
				}


function account_namevalid() {

	$span_str = "abcdefghijklmnopqrstuvwxyz" . "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-";

	//Must have at least 1 character

	if(strspn($_POST['user_name'],$span_str) == 0) {
		return false;
		}

	//Must contain legal characters

	if(strspn($_POST['user_name'],$span_str)  != strlen($name)) {
		return false;
		}

	//Min and Max Length

	if (strlen($_POST['user_name']) <5) {
		return false;
		}
	if (strlen($_POST['user_name']) > 25) {
		return false;
		}


	//Illegal names

	if
	(eregi("^((root) | (bin) | (daemon) | (adm) | (lp) | (sync) | (shutdown) | 
	(halt) | (mail) | (news) | (uucp) | (operator) | (games) | (mysql) | 
	(httpd) | (nobody) | (dummy) | (www) | (cvs) | (shell) | (ftp) | (irc) |
	(debian) | (ns) | ( donwload))$", $_POST['user_name'])) {
		return false;
		}
	if (eregi("^(anoncvs_)", $_POST['user_name'])) {
		return false;
		}
	return false;

}

function validate_email() {
	return (ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'. '@' . '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.' . '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$', $_POST['email']));
	}

function user_confirm() {

	global $supersecret_hash_padding;

	//Verify no tampering with email address

	$new_hash = md5($_GET['email'].$supersecret_hash_padding);

		if ($new_hash && ($new_hash == $_GET['hash'])) {
			$query = "SELECT user_name
					  FROM user
					  WHERE confirm_hash = '$new_hash'";
			$result = mysql_query($query);

			if (!$result || mysql_num_rows($result) < 1) {
				$feedback = 'ERROR - - Hash not found';
				return $feedback;
				} else {
					//Confirm email and set account active

					$email = $_GET['email'];
					$hash = $_GET['hash'];
					$query = "UPDATE user SET email ='$email', is_confirmed='1' WHERE confirm_hash = '$hash'";
					$result = mysql_query($query);
					return 1;
					}
				} else { 
					$feedback = 'ERROR - - Values do not match';
					return $feedback;
					}

				}
?>

Now when I go to register.php and submit, it does nothing but reload the page.
Also, if I were to put in passwords that don't match, my error msgs don't come up.

http://www.fearfx.com/OkaucheeWI/register.php

The link above is a live demonstration of what I am working on.

I really would appreciate the help!

Thank you.

etully

The print statement is your best friend in troubleshooting.

Put some print statements in your code to show which blocks of code are actually getting executed. For example, just after this line:

if ($submit == 'Mail confirmation')

Add a print statement that says, "Am now going to register the user<br>";

Also put some print statements inside your register function so that you can track where the script is going. Include variables in your print statements so that you can see what the script is working with.

Lastly, your script is assuming that register globals is on. If it's off, then that's your problem. Either turn it on or convert your code to work when RG is off. (Better to write your code to work when RG is off so that your code will work on other servers in the future where you might not have the option to turn them on).

fearfx

ok, where in my script does it assume register globals is on, because I thought I wrote it to work with them off...

etully

In your register page, you check the value of $submit without first obtaining it from the $POST array. And that works fine if RG are turned on. But if they are off (and that might be your problem), you have to say this:

$submit = $_POST['submit'];

before you can work with the $submit variable.

There may be other variables that you are assuming you have access to, I didn't check.

fearfx

I really need to know how to fix my script so It doesn't use RegisterGlobals

because everyone keeps telling me that using them is a bad idea!

So any help would be much appreciated!

Thanks again PHP Builder.Com

🙂

etully

Umm... I just told you?

fearfx

thats the only then, ok thanks, now one last question, so in the future I don't use Register globals,

do I just make sure I'm not calling a variable thats not been set yet?

or is their more?

etully

That's all you have to do.

It's good that you have a healthy fear of Register Globals. It's good that you want to program assuming that they're turned off. But it would probably be a good idea to understand why they're bad and why setting the variable solves the problem.

There's tons of people who have explained the problem at length. For a very long explanation, see here: http://php.net/register_globals

For a short explanation: Imagine that RG are turn ON and you write a script that looks like this:

$x = (read user's salary from database)
$salary += $x;
$y = (read user's monthly bonus from database)
$salary += $y;
print "Bob's salary is $salary";

Notice that we never set $salary to zero before we started. If RG was ON, then whoever called the script might have tricked us by calling: script.php?salary=10000

Now when the script runs, since RG is ON, $salary has a starting value of $10,000. This person just gave themselves a $10,000 raise.

But if RG had been turned off, then $salary starts at zero even if the user tried to trick us by passing in a value for salary (that we didn't expect them to pass in).

etully

Further explanaton: Turning RG off helps protect bad programmers by making sure that outside users can't set variables that we assume start at zero (or null).

The programmer should never assume it starts at zero... but if they DO assume it starts at zero, then RG being turned off will help protect that bad programmer.

Unfortunately, even if you're a great programmer, you might install code that you downloaded somewhere from the net... and that programmer might have assumed that some variable started at zero. So if word spreads that Application X was written by a bad programmer, then hackers start looking for web sites that use Application X and they can exploit those web sites by passing in values that the web site didn't expect them to.

fearfx

thank you very much, now if you don't mind one more question.

when I actually test the register page everything works.

only problem I keep having is my error msg 'username or password invalid' keeps coming up, but what I input into the input forms follows the criteria i set up.

any idea

test is at http://www.fearfx.com/OkaucheeWI/register.php

fearfx

etully wrote:
Further explanaton: Turning RG off helps protect bad programmers by making sure that outside users can't set variables that we assume start at zero (or null).

The programmer should never assume it starts at zero... but if they DO assume it starts at zero, then RG being turned off will help protect that bad programmer.

Unfortunately, even if you're a great programmer, you might install code that you downloaded somewhere from the net... and that programmer might have assumed that some variable started at zero. So if word spreads that Application X was written by a bad programmer, then hackers start looking for web sites that use Application X and they can exploit those web sites by passing in values that the web site didn't expect them to.

so pretty much I have to make sure, I set all variables with something, rather than leaving them empty at first?

etully

so pretty much I have to make sure, I set all variables with something, rather than leaving them empty at first?

Yes. That's a rule of good programming in any language, not just PHP.

my error msg 'username or password invalid' keeps coming up

I'm having a little trouble following the logic of your code. Put some print statements in and follow the code's logic to see what's getting executed. I suspect that "return $feedback" isn't making the function stop executing... and it's continuing on through the rest of the function even though you think it's stopped.

fearfx

Im not sure either whats wrong, I am going to assume this is where my problem lies.

        //Must contain legal characters

    if(strspn($_POST['user_name'],$span_str)  != strlen($name)) {
        return false;
        }

because in the above code, I don't know why I put the variable $namem because its not declared anywhere or used anywhere else.

etully

a better way to check to see if a string has characters is this:

if (ereg("[a-zA-Z]",$username)) { print "your usename is acceptable"; }
else { print "your username must have at least one letter"; }

(and yes Brad, I know that preg_match is faster than ereg. I'm old school. Deal with it.)

fearfx

		//Must have at least 1 character


if (ereg("[a-zA-Z]",$user_name)) { print "your usename is acceptable"; }
else { print "your username must have at least one letter"; }

	//Must contain legal characters

	if(strspn($_POST['user_name'],$span_str)  != strlen($name)) {
		return false;
		}

	//Min and Max Length

	if (strlen($_POST['user_name']) <5) {
		print "not enough";
		}
	if (strlen($_POST['user_name']) > 25) {
		print "too many";
		}

now when i use the register.php page, I do get the error your username must have at least one letter, but their's 6 in it

now Im more confused!?!?

fearfx

if you could, can you test out the register page

http://www.fearfx.com/OkaucheeWI/register.php

now when I leave the email box empty It gets rid of the 1 letter error, but when I put one in, it comes back

thanks very much

etully

When you call a function, you must either pass variables to the function or use the global command so that the function can see variables that were set outside the function. (The global command is almost always the wrong way to do it. You should be passing variables to the function in this example.)

You must use the print command so that you can see what the script is working with. Instead of saying, "Your username must have at least one character", you should be saying, "Your username ($user_name) must have at least one character". If the error message shows something like "Your username () must have at least one character", then you know that this part of the script isn't able to see the $user_name variable.

You can take the variable out later but for now, it's essential for troubleshooting. Print is your friend. Printing the value of variables will save you. It will make you happy.

fearfx

Ok, for now I just code blocked fucntion() account_namevalid

but now when I submit my registration I get this error.

Parse error: syntax error, unexpected $end in

its pointing to the last line of this code block

<?php
include_once('config.php');

$supersecret_hash_padding = 'A string that is used to pad' . 'out short strings for md5 encryption.';

$first_name = $_POST['first_name'];

$last_name = $_POST['last_name'];

$user_name = $_POST['user_name'];

$email = $_POST['email'];

function user_register() {
	global $supersecret_hash_padding;

//Are all VARS present and do passwords MATCH

if (strlen($_POST['user_name']) <= 25 &&
strlen($_POST['password1']) <= 25 && ($_POST['password1'] == 
$_POST['password2']) && strlen($_POST['email']) <= 50 &&
validate_email($_POST['email'])) {

	//Validate UserName and PassWord

	if(account_namevalid($_POST['user_name'])  ||
	strlen($_POST['password1'] >= 6 )) {

		$user_name = strtolower($_POST['user_name']);
		$user_name = trim($user_name);
		$email = $_POST['email'];

		$query = "SELECT user_id
					FROM user
					WHERE user_name = '$user_name'
					AND email = '$email'";
		$result = mysql_query($query);

		if ($result && mysql_num_rows($result) > 0) {
			$feedback = 'ERROR - - Username and or EMAIL is already taken';
			return $feedback;
			} else {
				$first_name = $_POST['first_name'];
				$last_name = $_POST['last_name'];
				$password = md5($_POST['password1']);
				$user_ip = $_SERVER['REMOTE_ADDR'];

				//Create new HASH to insert into DB and the Conformation EMAIL

				$hash = md5($email.$supersecret_hash_padding);

				$query = "INSERT INTO user (user_name, first_name, last_name, password, email, remote_addr, confirm_hash, is_confirmed, date_created)
				VALUES ('$user_name', '$first_name', '$last_name', '$password', '$email', '$user_ip', '$hash', '0', NOW())";

				$result = mysql_query($query);
				if (!$result) {
					$feedback = 'ERROR - - Database ERROR';
					return $feedback;
					} else {

					//Send Conformation EMAIL

					$encoded_email = urlencode($_POST['email']);
$mail_body = <<< EOMAILBODY

				Thank you for registering at www.okaucheewi.com! Click this link below to confirm registration.

				http://www.fearfx.com/OkaucheeWI/confirm.php?hash=$hash$email=$encoded_email

				Once you see a confirmation message, you will be logged into www.okacuheewi.com

EOMAILBODY;
mail ($email, 'OkaucheeWI Registration Confirmation' , $mail_body, 'FROM: noreply@okaucheewi.com');

					// Give a successfull registration message
						$feedback = 'YOU HAVE SUCCESSFULLY REGISTER. You will receive a confirmation email shortly';
						return $feedback;
						}
					}

				} else {
					$feedback = 'ERROR - - Username or Password Invalid';
					return $feedback;
					}
				} else {
					$feedback = 'ERROR - - Please fill in all required fields correctly';
					return $feedback;
					}
				}


function account_namevalid() {

	/*$span_str = "abcdefghijklmnopqrstuvwxyz" . "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-";

	$user_name = $_POST['user_name'];

	//Must have at least 1 character


	if (ereg("[a-zA-Z]",$user_name)) { }
		else { print "your " . $user_name . " must have at least one letter"; }

	//Must contain legal characters

	if(strspn($_POST['user_name'],$span_str)  != strlen($user_name)) {
		print "illegal characters";

		}

	//Min and Max Length

	if (strlen($_POST['user_name']) <5) {
		print "not enough";
		}
	if (strlen($_POST['user_name']) > 25) {
		print "too many";
		}


	//Illegal names

	if
	(eregi("^((root) | (bin) | (daemon) | (adm) | (lp) | (sync) | (shutdown) | 
	(halt) | (mail) | (news) | (uucp) | (operator) | (games) | (mysql) | 
	(httpd) | (nobody) | (dummy) | (www) | (cvs) | (shell) | (ftp) | (irc) |
	(debian) | (ns) | ( donwload))$", $_POST['user_name'])) {
		print "illegal names";
		}
	if (eregi("^(anoncvs_)", $_POST['user_name'])) {
		return false;
		}
	return false;

}
*/
function validate_email() {
	return (ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'. '@' . '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.' . '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$', $_POST['email']));
	}

function user_confirm() {

	global $supersecret_hash_padding;

	//Verify no tampering with email address

	$new_hash = md5($_GET['email'].$supersecret_hash_padding);

		if ($new_hash && ($new_hash == $_GET['hash'])) {
			$query = "SELECT user_name
					  FROM user
					  WHERE confirm_hash = '$new_hash'";
			$result = mysql_query($query);

			if (!$result || mysql_num_rows($result) < 1) {
				$feedback = 'ERROR - - Hash not found';
				return $feedback;
				} else {
					//Confirm email and set account active

					$email = $_GET['email'];
					$hash = $_GET['hash'];
					$query = "UPDATE user SET email ='$email', is_confirmed='1' WHERE confirm_hash = '$hash'";
					$result = mysql_query($query);
					return 1;
					}
				} else { 
					$feedback = 'ERROR - - Values do not match';
					return $feedback;
					}

				}
?>

etully

You accidentally commented out the last } of the account_namevalid function. Put the closing comment before the curly brace, not after it.