[RESOLVED] Checking if email is in use before form is sent.

Dada78

I am working on this script for a registration form that ask for email and password and the last thing I need to fix is to check if a email is in use, if it is then display an error as shown in the picture below. I have some code written for the error but it doesn't work and I am not sure as to why.

Here is what it is suppose to do.

If you want to test out what this is doing you can use the email garbage@yourhouse.com and try to register. This is a registered email so it should so an error like it shows above but it doesn't.

Here is the code for the entire file/page....

<?php

// here, we check if the form has been submitted, because we need to handle
// redirection before we handle outputting the HTML stuff.
if (isset($_POST['submit'])) {
   if (empty($_POST['email']) || empty($_POST['password'])) {
   $error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
   }else {

// MAKE CONNECTION
include ('db_connect.php');  

// connect to the mysql server
$link = mysql_connect($host, $username, $password)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// check if the email is taken
$check = "select email from users where email = '".$_POST['email']."';";
$qry = mysql_query($check) or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);
if ($num_rows != 0) {

  // redirect them to the user account page, because we successfully ran the SQL
  // notice how we haven't output ANYTHING to the browser yet- header() works
  header('Location: user.php');
  exit();
   }else {
       $error = 'There was a problem.  That email is already in use.';
   }
// insert the data
$insert = mysql_query("INSERT INTO users VALUES  ('NULL', '".$_POST['email']."', '".$_POST['password']."')")
or die("Could not insert data because ".mysql_error());

}

}
else { 
// now here, we've either redirected to the user account page, this is the first visit, or there
// was an error with the form/registration.  So, we echo the HTML
}

?> 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta name="description" content="Mesquite Texas Country Christmas" />
<meta name="keywords" content="Mesquite, Texas, Country Christmas" />
<meta name="author" content="NA" />
<link rel="stylesheet" type="text/css" href="/stylesheet.css" media="screen" title="FBC" />
<script type="text/javascript" src="drop_down.js"></script>
<title>A Mesquite Country Christmas - Register for account</title>
</head>
<body>

 <div id="wrap">

<a href="/index.html">
<img id="frontphoto" src="/images/header.png" width="760" height="237" alt="Mesquite Country Christmas" border="0"></a>

<div id="menu">

<h2 class="hide">Menu:</h2>

<ul id="avmenu">
<li><a href="index.html">Home</a></li>
<li><a href="christmasstory.html">The Christmas Story</a></li>
<li><a href="directions.html">Directions</a></li>
<li><a href="faq.html">FAQ</a></li>
<li><a href="#">Photos</a>
  <ul>
      <li><a href="2007photos.html">2007</a></li>
  </ul></li>
<li><a href="#">Videos</a>
  <ul>
      <li><a href="2007videos.html">2007</a></li>
  </ul></li>
<li><a href="guestbook.php">Guestbook</a></li>
<li><a href="webcam.html">Web Cam</a></li>
<li><a href="webradio.html">Internet Radio</a></li>
<li><a href="http://www.noradsanta.org/" TARGET="_blank">Track Santa</a></li>
<li><a href="projects.html">Projects & How Tos</a></li>
<li><a href="links.html">Links</a></li>
<li><a href="contact_us.html">Contact Us</a></li>
</ul>

<center><a href="http://www.toysfortots.org/" TARGET="_blank"><img src="/images/toys_for_tots.jpg" border="0" width="110" height="153" vspace="10"></a></center>

<center><a href="http://christmas.bronners.com/2007/house/534.html"><img src="http://christmas.bronners.com/voteforme/vote.jpg" border="0" width="110" height="153" alt="christmas decorations" vspace="10"></a></center>

</div>

<div id="content">


 <div class="fadebox">

<h2>Register for a FREE Account</h2>

<hr />

<p> In order to submit your display on our website, we require that you register for a free account. This will enable you to make changes to your listings each year. If you already have an account then <a href="login.php"> Log In</a> now.</p>

<table width="28%" border="0" cellpadding="0" cellspacing="0">
	<tr>
	<td>	

<table width="331" border="0" align="left" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form action="register.php" method="post">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="2"><strong>Registration - Please fill in all fields. </strong></td>
</tr>
<tr>
<td width="103">Email:</td>
<td width="180"><input type="text" name="email" value="<?php echo $email ?>" size="30" maxlength="40" /></td>
</tr>
<tr>
<td>Desired Password:</td>
<td><input type="password" name="password" value="<?php echo $password ?>" size="30" maxlength="20" /></td>
</tr>
<tr>
<td colspan="2" align="right" class="errorText">
<?PHP
// then we check for the error message
if (isset($error)) {
   echo $error . '<br />';
}
?> </td>
</tr>
<tr>
<td colspan="2" align="right"><input value="Register Now" name="submit" type="submit"></td>
</tr>
</table>
</td>
</form>
</tr>
</table></td>
</tr>
</table>


   </div>
 </div>


<div id="footer">
&copy; 2007 Mesquite Country Christmas
</div>

</div>
</body>
</html>

-Thanks

bpat1434

From what I can tell, you seem to have an issue with your logical flow. Think about this. If an email is registered (garbage@yourdomain.com) and someone tries to use it in your form, you check the database. So how many rows would be returned?

You ask for the mysql_num_rows($qry) but if garbage@yourdomain.com is already registered, it will return 1 (or more than 1 if there are multiple registrations with that address).

Also please note that it's possible for your script to be hacked. You should never put user-supplied data directly into a SQL string. Instead you should sanitize it first (either through regex or type-casting) and then when possible, use [man]mysql_real_escape_string/man to properly escape quotes & special characters.

So in the line that says: "if ($num_rows != 0)" perhaps you should be looking for:
"if ($num_rows < 1)". That way if one (or more) rows are returned, the else{} statement will fire (where you set your $error variable); however, if no rows are returned, then you'll be redirected to user.php.

Dada78

Just so we are clear before we move along. I have been working on this for about 3 weeks for about 18 hrs a day just for this one little script and page. I have looked and read everything under the sun. I have not used PHP in 3 yrs and I really don't use it all that often because I just do web development with XHTML CSS, etc. Nor do I expect do use PHP that much in the future. So all the lingo really doesn't mean anything to me.

Most of this code that I have written has had about 10 or so other peoples hand in it. So when you have someone else tell you oh no that is wrong, it needs to be this way, then someone else says no that's not right, this is the way. You can see how the code can get rather screwed up and I can get rather confused.

From what I can tell, you seem to have an issue with your logical flow. Think about this. If an email is registered (garbage@yourdomain.com) and someone tries to use it in your form, you check the database. So how many rows would be returned?

You ask for the mysql_num_rows($qry) but if garbage@yourdomain.com is already registered, it will return 1 (or more than 1 if there are multiple registrations with that address).

Their should not be more then one of the same email registered. If someone tries to register with an email already used then it should throw an error. I have got that fixed with the code below and that works now.

<?php

// here, we check if the form has been submitted, because we need to handle
// redirection before we handle outputting the HTML stuff.
if (isset($_POST['submit'])) {
   if (empty($_POST['email']) || empty($_POST['password'])) {
   $error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
   }else {

// MAKE CONNECTION
include ('db_connect.php');  

// connect to the mysql server
$link = mysql_connect($host, $username, $password)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// check if the email is taken
$check = "select email from users where email = '".$_POST['email']."'";
$qry = mysql_query($check) or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry) or die(mysql_error());
if ($num_rows < 1) {
$insert = mysql_query("INSERT INTO users VALUES ('NULL', '".$_POST['email']."', '".$_POST['password']."')")
or die("Could not insert data because ".mysql_error());

  // redirect them to the user account page, because we successfully ran the SQL
  // notice how we haven't output ANYTHING to the browser yet- header() works
  header('Location: user.php');
  exit();
   }else {
       $error = 'That email is already in use, please select a different one.';
   }

}

}
else { 
// now here, we've either redirected to the user account page, this is the first visit, or there
// was an error with the form/registration.  So, we echo the HTML
}

?>

Problem with that code now is if their are no errors and you hit register it is suppose to direct you to users.php page and instead of that happening it just refreshes to a blank white page.

I am really not that concerned with it getting hacked because it won't have any real sensitive information not to mention I will probably only get about 20-30 users maxed for this. If someone wants to hack it, oh well more power to them, they need a life because all it is displaying is Christmas displays. I wouldn't mind adding the extra security but I know nothing about PHP really and I want to just get this script working before I start making patches and upgrades.

I changed out "if ($num_rows != 0)" to "if ($num_rows < 1)" as suggested and it is noted in the new code above.

Now someone else told me this statement

$insert = mysql_query("INSERT INTO users VALUES ('NULL', '".$_POST['email']."', '".$_POST['password']."')")
or die("Could not insert data because ".mysql_error());

Should be this

$insert = mysql_query("INSERT INTO users (email, password) VALUES ('NULL', '".$_POST['email']."', '".$_POST['password']."')")
or die("Could not insert data because ".mysql_error());

What is different is the column names are added after users and before VALUES. It worked without that and I don't know if that has any bearing on why it is not redirecting but when I added that it when the problems started with it not redirecting but even with it taken out it still doesn't redirect.

-Thanks

Dada78

Ok I have been reading up on the mysql_real_escape_string() so would this be correct?

Here is some information first on my Database. Table name is users and the columns as id which is auto_increment, then email and password.

<?php

// here, we check if the form has been submitted, because we need to handle
// redirection before we handle outputting the HTML stuff.
if (isset($_POST['submit'])) {
   if (empty($_POST['email']) || empty($_POST['password'])) {
   $error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
   }else {

// MAKE CONNECTION
include ('db_connect.php');

// connect to the mysql server
$link = mysql_connect($host, $username, $password)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// check if the email is taken
$check = "select email from users where email = '".$_POST['email']."'";
$qry = mysql_query($check) or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry) or die(mysql_error());
if ($num_rows < 1) {

// Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.

    if(get_magic_quotes_gpc()) {
        $product_name        = stripslashes($_POST['email']);
        $product_description = stripslashes($_POST['password']);
    } else {
        $product_name        = $_POST['email'];
        $product_description = $_POST['password'];
    }

    // Make a safe query
    $query = sprintf("INSERT INTO users (`email`, `password`) VALUES ('%s', '%s', %d)",
                mysql_real_escape_string($email, $link),
                mysql_real_escape_string($password, $link);

                mysql_query($query, $link);

or die("Could not insert data because ".mysql_error());

  // redirect them to the user account page, because we successfully ran the SQL
  // notice how we haven't output ANYTHING to the browser yet- header() works
  header('Location: user.php');
  exit();
   }else {
       $error = 'That email is already in use, please select a different one.';
   }

}

}
else {
// now here, we've either redirected to the user account page, this is the first visit, or there
// was an error with the form/registration.  So, we echo the HTML
}

?>

-Thanks

bpat1434

With regards to this:

Now someone else told me this statement

$insert = mysql_query("INSERT INTO users VALUES ('NULL', '".$_POST['email']."', '".$_POST['password']."')")
or die("Could not insert data because ".mysql_error());

Should be this

$insert = mysql_query("INSERT INTO users (email, password) VALUES ('NULL', '".$_POST['email']."', '".$_POST['password']."')")
or die("Could not insert data because ".mysql_error());

They are incorrect, and whomever told you that needs to sit down and relax. The number of columns in an insert statement must have a counterpart in the values area (and vice-versa). So you have 2 columns (email and password) however you're putting in values for 3 columns (NULL, $POST['email'], $POST['password']). Now, there are two issues in play here:
1.) Putting quotes around "NULL" will turn it into the string "NULL" and not be the keyword meaning nothing.
2.) With that "NULL" being first, you will get some awkward functionality:
2.a) Your users will always be inserted with an email address of "NULL"
2.b) Your SQL statement should error because you have specified 3 values for only 2 columns.

To fix this, your statement should be:

$query = "INSERT INTO `users` (`email`, `password`)
VALUES ('" . mysql_real_escape_string($_POST['email']) . "', '" . mysql_real_escape_string($_POST['password']) . "')";
$result = mysql_query($query) or die(mysql_error());

As for the blank page issue... here is your code a little prettier and for sanities sake, a little more definitive as to which braces match up with what if() or else statement:

<?php

// here, we check if the form has been submitted, because we need to handle
// redirection before we handle outputting the HTML stuff.
if (isset($_POST['submit']))
{
	if (empty($_POST['email']) || empty($_POST['password']))
	{
		$error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
	}
	else 
	{
		// MAKE CONNECTION
		include ('db_connect.php');

	// connect to the mysql server
	$link = mysql_connect($host, $username, $password)
	or die ("Could not connect to mysql because ".mysql_error());

	// select the database
	mysql_select_db($database)
	or die ("Could not select database because ".mysql_error());

	// check if the email is taken
	$check = "select email from users where email = '".$_POST['email']."'";
	$qry = mysql_query($check) or die ("Could not match data because ".mysql_error());
	$num_rows = mysql_num_rows($qry) or die(mysql_error());
	if ($num_rows < 1)
	{
		// Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
		if(get_magic_quotes_gpc())
		{
			$product_name        = stripslashes($_POST['email']);
			$product_description = stripslashes($_POST['password']);
		}
		else 
		{
			$product_name        = $_POST['email'];
			$product_description = $_POST['password'];
		}

		// Make a safe query
		$query = sprintf("INSERT INTO users (`email`, `password`) VALUES ('%s', '%s')",
		mysql_real_escape_string($email, $link),
		mysql_real_escape_string($password, $link));
		$result = mysql_query($query, $link);

		// If there is no result, or there was not at least 1 row affected, die...
		if(!$result || mysql_affected_rows() < 1)
		{
			die('Could not insert user because ' . mysql_error());
		}

		// redirect them to the user account page, because we successfully ran the SQL
		// notice how we haven't output ANYTHING to the browser yet- header() works
		header('Location: user.php');
		exit();
	}
	else
	{
		$error = 'That email is already in use, please select a different one.';
	}

}

}
else
{
	// now here, we've either redirected to the user account page, this is the first visit, or there
	// was an error with the form/registration.  So, we echo the HTML
}

?>

Now, I've modified the section where you say "Make a safe query" to actually use the proper syntax for sprintf() as well as the proper SQL query (you don't need the %d since you have no 3rd column defined, see earlier notes).

Notice that you start your file by looking at the $_POST superglobal and seeing if a form has been submitted. This is good; however, if a form has not been submitted, the very last "else" statement will be triggered. In this case, you have nothing there. So there's a blank page possibility.

Now, in the last else{} statement you have comments which hint to the fact that if the user hasn't visited the page yet, or there were errors, you are to show an HTML form. The thing to remember about if()else{} statements is that if something evaluates to true, then else won't run (and vice-versa, if something evaluates to false, then else{} will run but if() won't).

So how is it that we show the form with the $_POSTed data and error messages? Remove the final else{} (which now is blank and has only comments in it) and just print up an HTML form. Here's an example of something that might work:

<?php

// here, we check if the form has been submitted, because we need to handle
// redirection before we handle outputting the HTML stuff.
if (isset($_POST['submit']))
{
	if (empty($_POST['email']) || empty($_POST['password']))
	{
		$error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
	}
	else 
	{
		// MAKE CONNECTION
		include ('db_connect.php');

	// connect to the mysql server
	$link = mysql_connect($host, $username, $password) or die ("Could not connect to mysql because ".mysql_error());

	// select the database
	mysql_select_db($database) or die ("Could not select database because ".mysql_error());

	// check if the email is taken (safe query):
	$query = sprintf("SELECT `email` FROM `users` WHERE `email` = '%s'",
			mysql_real_escape_string($_POST['email']));
	$qry = mysql_query($query) or die ("Could not match data because ".mysql_error());
	$num_rows = mysql_num_rows($qry) or die(mysql_error());
	if ($num_rows < 1)
	{
		// Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
		if(get_magic_quotes_gpc())
		{
			$product_name        = stripslashes($_POST['email']);
			$product_description = stripslashes($_POST['password']);
		}
		else 
		{
			$product_name        = $_POST['email'];
			$product_description = $_POST['password'];
		}

		// Make a safe query
		$query = sprintf("INSERT INTO users (`email`, `password`) VALUES ('%s', '%s')",
				mysql_real_escape_string($email, $link),
				mysql_real_escape_string($password, $link));
		$result = mysql_query($query, $link);

		// If there is no result, or there was not at least 1 row affected, die...
		if(!$result || mysql_affected_rows() < 1)
		{
			$error = 'Could not insert user because ' . mysql_error());
		}
		else
		{
			// redirect them to the user account page, because we successfully ran the SQL
			// notice how we haven't output ANYTHING to the browser yet- header() works
			header('Location: user.php');
			exit();
		}
	}
	else
	{
		$error = 'That email is already in use, please select a different one.';
	}

}

}

// If they've posted but there was an error, kindly show their email address for them again.
if(isset($_POST['email']))
	$email = $_POST['email'];
else
	$email = '';

// If there is an error, show it:
if(isset($error) && !empty($error)) 
{ 
	echo '<div><h4>Error!</h4><p>' . $error . '</p></div>';	
}
?>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
	<label for="email">Email Address:</label> <input type="text" name="email" id="email" value="<?php echo $email; ?>" /><br />
	<label for="password">Password:</label> <input type="password" name="password" id="password" value="" /><br />
	<input type="submit" name="submit" value="Submit" />
</form>

Hope that helps.

EDIT: If you're wondering about the header() call and the plain HTML at the end, don't. Since you're posting back to the same script, the if() statement will catch when the form has been posted, and since between the start of the script processing and the time you call header() nothing has been outputted, you will be fine. Please note that while I'm 99% sure this will work, I did not test this code.

benracer

"I am really not that concerned with it getting hacked",

even if the data is not confidential its better to be safe then sorry. Without protection a hacker could fill the database with as much data as he/she wishes. This could ruin your websites reputation if somthing offencive/illegal is inserted. Worse of all the data can be deleted and lost for good!

Dada78

Thank you for your time. I have tried the code above and while it seems to work, it still doesn't redirect to http://www.mesquitechristmas.com/local/user.php after successful registration.

The one thing I changed and you will notice in my first code I posted I moved this

// If there is an error, show it:
if(isset($error) && !empty($error))
{
    echo '<div><h4>Error!</h4><p>' . $error . '</p></div>';    

}

Into my form table so it displays a little nicer instead of at the top of the page and throwing the layout off like this. Is that ok, that is how I had it before anyways.

<table width="28%" border="0" cellpadding="0" cellspacing="0">
	<tr>
	<td>	

<table width="331" border="0" align="left" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="2"><strong>Registration - Please fill in all fields. </strong></td>
</tr>
<tr>
<td width="103">Email:</td>
<td width="180"><input type="text" name="email" value="<?php echo $email; ?>" size="30" maxlength="40" /></td>
</tr>
<tr>
<td>Desired Password:</td>
<td><input type="password" name="password" size="30" maxlength="20" /></td>
</tr>
<tr>
<td colspan="2" align="right" class="errorText">
<?PHP
// then we check for the error message
if(isset($error) && !empty($error))
{ 
   echo $error . '<br />';
}
?> 
</td>
</tr>
<tr>
<td colspan="2" align="right"><input value="Register Now" name="submit" type="submit"></td>
</tr>
</table>
</td>
</form>
</tr>
</table></td>
</tr>
</table>

Here is the entire file with PHP and HTML

<?php

// here, we check if the form has been submitted, because we need to handle
// redirection before we handle outputting the HTML stuff.
if (isset($_POST['submit']))
{
    if (empty($_POST['email']) || empty($_POST['password']))
    {
        $error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
    }
    else
    {
        // MAKE CONNECTION
        include ('db_connect.php');

    // connect to the mysql server
    $link = mysql_connect($host, $username, $password) or die ("Could not connect to mysql because ".mysql_error());

    // select the database
    mysql_select_db($database) or die ("Could not select database because ".mysql_error());

    // check if the email is taken (safe query):
    $query = sprintf("SELECT `email` FROM `users` WHERE `email` = '%s'",
            mysql_real_escape_string($_POST['email']));
    $qry = mysql_query($query) or die ("Could not match data because ".mysql_error());
    $num_rows = mysql_num_rows($qry) or die(mysql_error());
    if ($num_rows < 1)
    {
        // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
        if(get_magic_quotes_gpc())
        {
            $product_name        = stripslashes($_POST['email']);
            $product_description = stripslashes($_POST['password']);
        }
        else
        {
            $product_name        = $_POST['email'];
            $product_description = $_POST['password'];
        }

        // Make a safe query
        $query = sprintf("INSERT INTO users (`email`, `password`) VALUES ('%s', '%s')",
                mysql_real_escape_string($email, $link),
                mysql_real_escape_string($password, $link));
        $result = mysql_query($query, $link);

        // If there is no result, or there was not at least 1 row affected, die...
        if(!$result || mysql_affected_rows() < 1)
        {
            $error = 'Could not insert user because ' . mysql_error();
        }
        else
        {
            // redirect them to the user account page, because we successfully ran the SQL
            // notice how we haven't output ANYTHING to the browser yet- header() works
            header('Location: user.php');
            exit();
        }
    }
    else
    {
        $error = 'That email is already in use, please select a different one.';
    }

}

}

// If they've posted but there was an error, kindly show their email address for them again.
if(isset($_POST['email']))
    $email = $_POST['email'];
else
    $email = '';

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta name="description" content="Mesquite Texas Country Christmas" />
<meta name="keywords" content="Mesquite, Texas, Country Christmas" />
<meta name="author" content="NA" />
<link rel="stylesheet" type="text/css" href="/stylesheet.css" media="screen" title="FBC" />
<script type="text/javascript" src="drop_down.js"></script>
<title>A Mesquite Country Christmas - Register for account</title>
</head>
<body>

 <div id="wrap">

<a href="/index.html">
<img id="frontphoto" src="/images/header.png" width="760" height="237" alt="Mesquite Country Christmas" border="0"></a>

<div id="menu">

<h2 class="hide">Menu:</h2>

<ul id="avmenu">
<li><a href="index.html">Home</a></li>
<li><a href="christmasstory.html">The Christmas Story</a></li>
<li><a href="directions.html">Directions</a></li>
<li><a href="faq.html">FAQ</a></li>
<li><a href="#">Photos</a>
  <ul>
      <li><a href="2007photos.html">2007</a></li>
  </ul></li>
<li><a href="#">Videos</a>
  <ul>
      <li><a href="2007videos.html">2007</a></li>
  </ul></li>
<li><a href="guestbook.php">Guestbook</a></li>
<li><a href="webcam.html">Web Cam</a></li>
<li><a href="webradio.html">Internet Radio</a></li>
<li><a href="http://www.noradsanta.org/" TARGET="_blank">Track Santa</a></li>
<li><a href="projects.html">Projects & How Tos</a></li>
<li><a href="links.html">Links</a></li>
<li><a href="contact_us.html">Contact Us</a></li>
</ul>

<center><a href="http://www.toysfortots.org/" TARGET="_blank"><img src="/images/toys_for_tots.jpg" border="0" width="110" height="153" vspace="10"></a></center>

<center><a href="http://christmas.bronners.com/2007/house/534.html"><img src="http://christmas.bronners.com/voteforme/vote.jpg" border="0" width="110" height="153" alt="christmas decorations" vspace="10"></a></center>

</div>

<div id="content">


 <div class="fadebox">

<h2>Register for a FREE Account</h2>

<hr />

<p> In order to submit your display on our website, we require that you register for a free account. This will enable you to make changes to your listings each year. If you already have an account then <a href="login.php"> Log In</a> now.</p>

<table width="28%" border="0" cellpadding="0" cellspacing="0">
	<tr>
	<td>	

<table width="331" border="0" align="left" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="2"><strong>Registration - Please fill in all fields. </strong></td>
</tr>
<tr>
<td width="103">Email:</td>
<td width="180"><input type="text" name="email" value="<?php echo $email; ?>" size="30" maxlength="40" /></td>
</tr>
<tr>
<td>Desired Password:</td>
<td><input type="password" name="password" size="30" maxlength="20" /></td>
</tr>
<tr>
<td colspan="2" align="right" class="errorText">
<?PHP
// then we check for the error message
if(isset($error) && !empty($error))
{ 
   echo $error . '<br />';
}
?> 
</td>
</tr>
<tr>
<td colspan="2" align="right"><input value="Register Now" name="submit" type="submit"></td>
</tr>
</table>
</td>
</form>
</tr>
</table></td>
</tr>
</table>


   </div>
 </div>


<div id="footer">
&copy; 2007 Mesquite Country Christmas
</div>

</div>
</body>
</html>

It seems everything as far as the errors are concerned are working properly. Except if their is no error it doesn't insert now and the page is still just refreshes.

Here is the page so you can make a test registration and see what it is doing.

http://www.mesquitechristmas.com/local/register.php

-Thanks

bpat1434

It would seem as though you have a syntax error somewhere.

At the top of the file, add this:

ini_set('display_errors', 1);
ini_set('error_reporting', E_ALL | E_STRICT);

If you're using php 4 (or below), just leave off the "| E_STRICT" part (since it's not available in php 4).

Then try again. An error (if any) should be displayed.

Dada78

I added that to the top of the file just after the opening <?php and I didn't get any errors. I have left it in place if you would like to try yourself.

bpat1434

Have you tried using the full URL in the Location: call instead of just "user.php"? I doubt that's it, but it's worth a shot.

The only thing left i can say is it's time for you to start putting in code calls that define where it is. Something like:

<?php

if(isset($_POST['submit']))
{
    echo 'Form submitted!!';

Do that at all the major steps, then try again. You should get an output that says where it all was.

Dada78

Yea I have tried that already, I thought the same thing but that doesn't help any with the full URL.

Can you tell me more about the code above, do I just need to add an echo or the whole snippet after major steps?

bpat1434

Yeah, just add an

echo 'Some statement about what has passed, or where you are';

So for example:

<?php

// here, we check if the form has been submitted, because we need to handle
// redirection before we handle outputting the HTML stuff.
if (isset($_POST['submit']))
{
echo 'THe form has been posted.  Processing ... <br />';
    if (empty($_POST['email']) || empty($_POST['password']))
    {
echo 'Empty form fields!! ... <br />';
        $error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
    }
    else
    {
echo 'Form fields okay, moving on ... <br />';
        // MAKE CONNECTION
        include ('db_connect.php');

    // connect to the mysql server
    $link = mysql_connect($host, $username, $password) or die ("Could not connect to mysql because ".mysql_error());

    // select the database
    mysql_select_db($database) or die ("Could not select database because ".mysql_error());

echo 'Database connected & selected .... querying ... <br />';

    // check if the email is taken (safe query):
    $query = sprintf("SELECT `email` FROM `users` WHERE `email` = '%s'",
            mysql_real_escape_string($_POST['email']));
    $qry = mysql_query($query) or die ("Could not match data because ".mysql_error());
    $num_rows = mysql_num_rows($qry) or die(mysql_error());
    if ($num_rows < 1)
    {
echo 'No duplicate email found, cleaning & inserting ... <br />';
            // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
            if(get_magic_quotes_gpc())
            {
                $product_name        = stripslashes($_POST['email']);
                $product_description = stripslashes($_POST['password']);
            }
            else
            {
                $product_name        = $_POST['email'];
                $product_description = $_POST['password'];
            }

        // Make a safe query
        $query = sprintf("INSERT INTO users (`email`, `password`) VALUES ('%s', '%s')",
                mysql_real_escape_string($email, $link),
                mysql_real_escape_string($password, $link));
        $result = mysql_query($query, $link);

        // If there is no result, or there was not at least 1 row affected, die...
        if(!$result || mysql_affected_rows() < 1)
        {
echo 'Error inserting user into database!!<br />';
                $error = 'Could not insert user because ' . mysql_error();
            }
            else
            {
echo 'User successfully inserted ... Now I would redirect ... <br />';
                // redirect them to the user account page, because we successfully ran the SQL
                // notice how we haven't output ANYTHING to the browser yet- header() works
                header('Location: user.php');
echo 'Errors galore!! I should see some errors about headers already being sent just above this!!';
                exit();
            }
        }
        else
        {
echo 'Email address is a duplicate ... <br />';
            $error = 'That email is already in use, please select a different one.';
        }

}

}

echo 'Outside the form posting if() statement ... displaying the form ... <br />';
// If they've posted but there was an error, kindly show their email address for them again.
if(isset($_POST['email']))
    $email = $_POST['email'];
else
    $email = '';

?>

Now, you should have a nice list outside of your main site that says exactly where you were when things went awry.

Dada78

Ok this all that was returned

The form has been posted. Processing ...
Form fields okay, moving on ...
Database connected & selected .... querying ...

So it looks like it is stopping at "// check if the email is taken (safe query):"

Dada78

Ok on this line

$num_rows = mysql_num_rows($qry) or die(mysql_error());

I change to this taking the or die statement off like this

$num_rows = mysql_num_rows($qry);

And now the echos are returning this to a blank white page when you submit the form....

The form has been posted. Processing ...
Form fields okay, moving on ...
Database connected & selected .... querying ...
No duplicate email found, cleaning & inserting ...
User successfully inserted ... Now I would redirect ...

Warning: Cannot modify header information - headers already sent by (output started at /home/mesquit1/public_html/local/register.php:7) in /home/mesquit1/public_html/local/register.php on line 64
Errors galore!! I should see some errors about headers already being sent just above this!!

Could this at the end of the code be causing the problems

// If they've posted but there was an error, kindly show their email address for them again.
if(isset($_POST['email']))
    $email = $_POST['email'];
else
    $email = '';

Here is the link if you want to see it.

http://www.mesquitechristmas.com/local/register.php

bpat1434

No. Now that it shows that it should work, you can remove all the echo statements we put in there. The reason you get the header error is because had the echo statements 😉

Dada78

Ok removed all the echo statements and this is what it shows when you try to register.

Notice: Undefined variable: email in /home/mesquit1/public_html/local/register.php on line 46

Warning: Cannot modify header information - headers already sent by (output started at /home/mesquit1/public_html/local/register.php:46) in /home/mesquit1/public_html/local/register.php on line 59

BUT...

When I add the die statement back to this line....

$num_rows = mysql_num_rows($qry) or die(mysql_error());

and hit register I get redirect to a blank white page again.

Here is the current code with the changes I made.

<?php

ini_set('display_errors', 1);
ini_set('error_reporting', E_ALL | E_STRICT);

// here, we check if the form has been submitted, because we need to handle
// redirection before we handle outputting the HTML stuff.
if (isset($_POST['submit']))
{
    if (empty($_POST['email']) || empty($_POST['password']))
    {
        $error = 'Please fill in all fields.';  // here, they have not filled in either the username OR the password.  Set an error.
    }
    else
    {
        // MAKE CONNECTION
        include ('db_connect.php');

    // connect to the mysql server
    $link = mysql_connect($host, $username, $password) or die ("Could not connect to mysql because ".mysql_error());

    // select the database
    mysql_select_db($database) or die ("Could not select database because ".mysql_error());

    // check if the email is taken (safe query):
    $query = sprintf("SELECT `email` FROM `users` WHERE `email` = '%s'",
            mysql_real_escape_string($_POST['email']));
    $qry = mysql_query($query) or die ("Could not match data because ".mysql_error());
    $num_rows = mysql_num_rows($qry) or die(mysql_error());
    if ($num_rows < 1)
    {
        // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
        if(get_magic_quotes_gpc())
        {
            $product_name        = stripslashes($_POST['email']);
            $product_description = stripslashes($_POST['password']);
        }
        else
        {
            $product_name        = $_POST['email'];
            $product_description = $_POST['password'];
        }

        // Make a safe query
        $query = sprintf("INSERT INTO users (`email`, `password`) VALUES ('%s', '%s')",
                mysql_real_escape_string($email, $link),
                mysql_real_escape_string($password, $link));
        $result = mysql_query($query, $link);

        // If there is no result, or there was not at least 1 row affected, die...
        if(!$result || mysql_affected_rows() < 1)
        {
            $error = 'Could not insert user because ' . mysql_error();
        }
        else
        {
            // redirect them to the user account page, because we successfully ran the SQL
            // notice how we haven't output ANYTHING to the browser yet- header() works
            header('Location: /user.php');
            exit();
        }
    }
    else
    {
        $error = 'That email is already in use, please select a different one.';
    }

}

}

// If they've posted but there was an error, kindly show their email address for them again.
if(isset($_POST['email']))
    $email = $_POST['email'];
else
    $email = '';

?>

Dada78

With this error I am getting.

Notice: Undefined variable: email in /home/mesquit1/public_html/local/register.php on line 46

What does that mean and where would this need to be fixed. I have looked at that line and gone over this code throughly and can not find what it is talking about.

Dada78

Ok changing this line

$num_rows = mysql_num_rows($qry) or die(mysql_error());

changing it to this removing the or die statement like this

$num_rows = mysql_num_rows($qry);

Then adding this after the mysql_select_db() to define the variable

$error = "";
$email = $_POST['email'];
$pwd = $_POST['password'];

Has seemed to have got it working and all errors are working now if a feild is left empty or if a email is tried to be registered that is already registered which is perfect.

Only one small tweak I would like to adjust that I noticed during testing and I know this can be done so if someone can help me or point me to someplace where I can read how to do this.

When someone registers, they can use anything for an email and what I mean is it doesn't have to be an email and just just be a word. What can I add that will make sure it is a email they are registering. I remember seeing this before but can't find nothing.

-Thanks

bpat1434

Look in the php manual user notes for a guy's post name Bobocop. He posted a really good ereg() pattern to match valid email addresses. Then like 2 or 3 posts later (as in higher up on the page) someone corrected one part of Bobocop's pattern. You could use something like that.

Or you could use a specific dissection tool to make sure the MX is available and all, but that seems overkill....