Registration scripting help

IceRegent

I am trying to get a registration script working. I have my registration form, which has php script at the top, that checks for form validation. However, I am running everything thru the index.php file, because I am trying to do things strickly thru includes. My menu and everything works great this way, using GET statements etc. Here is the index file:

<?php
session_start();

// Check the session - Set session to NULL if anything but "yes" is found
if($_SESSION['valid'] <> "yes") { $_SESSION['valid'] = NULL;}

// Setup the Database Connection
include $_SERVER['DOCUMENT_ROOT'] . '/include/config.php';

// If choice selection has not been made, set choice selection to "home" in order to load home page
if($_GET['select'] == NULL) { $_GET['select'] = "home"; }
if($_SESSION['checkit'] == NULL) { $_SESSION['checkit'] = "stop";}
//if($_GET['select'] <> "reg") { $_SESSION['checkit'] = "stop"; }

// This is the HTML head of the document - Load stylesheet as well
echo '<head>';
echo '<title>IceRegent NetWorx User Portal</title>';
echo '<link rel="stylesheet" type="text/css" href="visual.css">';
echo '</head>';
echo '<body>';


// This is the LOGO section of the document
echo '<body>';
echo '   <div class="header">';
echo '        <img src="images/logo.png" width="100%" height="90px" alt="IceRegent NetWorx Logo"/>';
echo '    </div>';    

//  If session is not logged in, display REGULAR menu      

if($_SESSION['valid'] == NULL) 
	{
echo '            <ul class="menu">';
echo '                <li><a href="index.php?select=home" target ="_self">Home</a></li>';
echo '                <li><a href="index.php?select=forums" target ="_self">Forums</a></li>';
echo '                <li><a href="index.php?select=bands" target ="_self">Band WebPages</a></li>';
echo '                <li><a href="index.php?select=classifieds" target ="_self">Classifieds</a></li>';
echo '                <li><a href="index.php?select=contact" target ="_self">Contact Us</a></li>';
echo '            </ul>';    

	}        

// If session is logged in, Display ADMIN menu	
if($_SESSION['valid'] == "yes") 
	{
echo '            <ul class="menu">';
echo '                <li><a href="index.php?select=home" target ="_self">Home</a></li>';
echo '                <li><a href="index.php?select=admin" target ="_self">Admin</a></li>';
echo '                <li><a href="index.php?select=contact" target ="_self">Contact Us</a></li>';
echo '            </ul>';    

	}        

// Begin MAIN page content display       

echo '    <div class="pageContent">';

// If session is not logged in, display login box 
if($_SESSION['valid'] == NULL) {
echo '		<div class="signin">';
include 'signin.php';
echo '		</div>';
}

// If session is logged in, display logout link
if($_SESSION['valid'] == "yes") {
echo '		<div class="signout">';
include 'signout.php';
echo '		</div>';
}

// This is the actual main processing section of the display content - self explanatory include scripts
echo '<div class="main">';

// Check the $_GET selection passed from clickable links for selected user options
if ($_GET['select'] == "contact") 	{	include 'contact.php';	}	
if ($_GET['select'] == "forums") 	{	include 'forums.php'; 	}	
if ($_GET['select'] == "classifieds") 	{	include 'classifieds.php';	}	
if ($_GET['select'] == "home") 	{	include 'home.php'; }	
if ($_GET['select'] == "bands") 	{	include 'bands.php'; }
echo '<div class="displayvars">';
echo 'checkit - ' . $_SESSION['checkit'] . '<br>select - ' . $_GET['select'] . '<br>valid - ' . $_SESSION['valid'];
echo '</div>';

// Setup the REGISTRATION form and launch it
if ($_GET['select'] == "reg")  

		{ 
			echo '<div class="register">';
			include 'register.php'; 
			echo '</div>';
		}

// Process the submitted REGISTRATION form if selection if from registration form submission
if ($_SESSION['checkit'] == "register") 
		{
			include 'regme.php';
		}

echo '   		</div>';
echo '   </div>';

?>

You can check out the progression of it at: http://www.iceregent.com

Now, the registration form code is called upon if the variable $_GET['select'] = 'reg'

Here is the code for register.php:

<?php
session_start();
$_SESSION['checkit'] = "stop";
$required = array("name" => 'UserName', "pass" => 'PassWord', "band" => 'Band',	"desc" => 'Description', "genre" => 'Genre', "email" => 'E-Mail');	
foreach ($required as $field => $label) {
	if (!$_POST[$field]) {
		$warnings[$field] = "Required";
		}

if ($_POST["email"] && !ereg("^[^@]+@([a-z\-]+\.)+[a-z]{2,4}$", $_POST["email"]))
	$warnings["email"] = "Invalid Email Format";
}		
		if (count($warnings) > 0) 
		{
?>
<html>
<form method="post" action="index.php?select=reg">

<table width="200" cellspacing="2" cellpadding="2"  border="2" bordercolor="#800000">
<tr>
	<td>Name</td>
	<td><input type="text" name="name" value="<?php echo $_POST["name"];?>"></td>
	<td><?php echo $warnings['name'];?></td>
</tr>
<tr>
	<td>Pass</td>
	<td><input type="password" name="pass" value="<?php echo $_POST["pass"];?>"></td>
	<td><?php echo $warnings['pass'];?></td>
</tr>
<tr>
	<td>Band</td>
	<td><input type="text" name="band" value="<?php echo $_POST["band"];?>"></td>
	<td><?php echo $warnings['band'];?></td>
</tr>
<tr>
	<td>Description</td>
	<td><textarea name="desc"  value="<?php echo $_POST["desc"];?>" rows="3" cols="30"></textarea></td>
	<td><?php echo $warnings['desc'];?></td>
</tr>
<tr>
	<td>Genre</td>
	<td><input type="text" name="genre" value="<?php echo $_POST["genre"];?>"></td>
	<td><?php echo $warnings['genre'];?></td>
</tr>
<tr>
	<td>E-Mail</td>
	<td><input type="text" name="email" value="<?php echo $_POST["email"];?>"></td>
	<td><?php echo $warnings['email'];?></td>
</tr>
<tr>
	<td><input type="submit" value="register"></td>
	<td><input type="reset" value="clear"></td>
	<td></td>
</tr>
</table>
</form>
</html>
<?php
		} else {

$_SESSION['checkit'] = "proceed";
}

?>

Now, I set the session variable ['checkit'] to Proceed, which means that now we should include the registration processing form instead, which is thus far:

<?php
session_start();
include $_SERVER['DOCUMENT_ROOT'] . '/include/config.php';
$username = $_POST['name'];
$password = $_POST['pass'];
$bandname = $_POST['band'];
$banddesc = $_POST['desc'];
$bandgenre = $_POST['genre'];
$useremail = $_POST['email'];

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password = md5($password);

$query = "SELECT * FROM users";
$result = mysql_query($query) or exit(mysql_error());
	while($row = mysql_fetch_array($result, MYSQL_ASSOC))	
		{
			echo $row['uname'] . ' - ' . $username . ' - ';			
			if($row['uname'] == $username) 
				{ 
					echo 'Sorry, Username already in Database';
					$_SESSION['checkit'] = "stop";
					break;			
				} else {
			echo 'This name isnt in the database<br>' ;
			$_SESSION['checkit'] = "proceed";			
			}
		}
?>

This script is supposed to check the database for already used username, and if so, say so, and then go back to the register.php script. But if no username exists like it, then it should be able to go on and insert the new data into the database. I already have that worked out, but I removed that part due to the fact that the check wasnt working correctly. I must have something messed up. Is there an easier workable way to egt this working?

Ice

Bjom

$query = "SELECT * FROM users";

replace this with a query that has a condition and don't query all fields if you only need one field (i.e. no more * asterisks) and use limit, since you know you only want one row:

$sql = "SELECT `uname` FROM `users` WHERE `uname` = '" . $username . "';";

then simply check if you get a resultset. if so: the username exists

if ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    echo 'user exists';
}

you should however sanitize the $username. The best way is to switch from the deprecated mysql to mysqli and use the prepared statements that it offers since those are the safest way.

and on an other note: or exit() is as bad as or die(). replace with or trigger_error()