[RESOLVED] Simple Login Registration Problem

Jeebs

Hello all, I am currently teaching my self MySQL by making a Dummy user registration and login system. However, when ever I register a dummy account, it always bypasses the blocks I put in place! (i.e. not NULL, not too long, check for dupe's, etc.)

When it runs, I skips right to "thankyou.html"

It does also insert the data into my temp table (even it i fill in only 1 field, or none)

Here is my Code

Keep in mind, I'm new to this PHP stuff, sarted only a week or so back.

<?php

// PRE DEFINE VARS
$username = strip_tags($_POST['username']);
$password1 = strip_tags($_POST['password1']);
$password2 = strip_tags($_POST['password2']);
$email1 = strip_tags($_POST['email1']);
$email2 = strip_tags($_POST['email2']);
$firstname = strip_tags($_POST['firstname']);
$lastname = strip_tags($_POST['lastname']);

// MySQL VARS
$host = "localhost";
$sql_username = "xxx";
$sql_password = "xxx";
$database = "xxx";

// CONNECT TO THE SERVER
$connect = mysql_connect($host, $sql_username, $sql_password);
	if($connect) {
		// SELECT THE DATABASE
		$db_select = mysql_select_db($database, $connect);
			if($db_select) {
				// CHECK MATCHING EMAILS AND PASSWORDS
				if($password1 == $password2 && $email1 == $email2) { 
					$email = $email1;
					$password = $password1;
					// CHECK FOR EMPTY FIELDS
					if(strlen($password) != NULL || strlen($username) != NULL || strlen($email) != NULL || strlen($firstname) != NULL || strlen($lastname) != NULL) {
						// CHECK FOR LONG FIELDS
						if(strlen($password) < '20' || strlen($username) < '14' || strlen($email) < '50' || strlen($firstname) < '50' || strlen($lastname) < '50') {
							// CHECK FOR DUPE USERS IN USERS TABLE
							$query = "SELECT * FROM users WHERE username='$username' OR email='$email'";
							$result = mysql_query($query);
							$num = mysql_num_rows($result);
							if($num == '0') {
								// CHECK FOR DUPE USERS IN TEMP TABLE
								$query = "SELECT * FROM temp WHERE username='$username' OR email='$email'";
								$result = mysql_query($query);
								$num = mysql_num_rows($result);
								if($num == '0') {
									// ENCRYPT PASSWORD WITH MD5
									$h_password = md5($password);
									// MAKE EMAIL CONFIRMATION CODE
									$confirm_code = md5(uniqid(rand()));
									// STORE TEMP DATA
									$sql = "INSERT INTO temp SET code='$confirm_code', username='$username', password='$h_password', email='$email', firstname='$firstname', lastname='$lastname'";
									$result = mysql_query($sql);
									// EMAIL CONFRIMATION CODE
									if($result) {
										$message="Your Comfirmation Link! \r\n";
										$message.="Click on this link to activate your account \r\n";
										$message.="http://fisherevans.getfrantic.com/test_login/confirm.php?passkey=$confirm_code";
										$messgae.=" ";
										$messgae.="Username : $username";
										$messgae.="Password : $password";
										$sentmail=mail("$email",'Registration Confrimation',"$message");
										// SEND TO THANKYOU PAGE
										header( 'Location: thankyou.html' );
									} else {
										header( 'Location: login.php?action=register&error=6' );
										die();
									}
								} else {
									header( 'Location: login.php?action=register&error=5' );
									die();
								}
							} else {
								header( 'Location: login.php?action=register&error=4' );
								die();
							}
						} else {
							header( 'Location: login.php?action=register&error=3' );
							die();
						}
					} else {
						header( 'Location: login.php?action=register&error=2' );
						die();
					}
				} else {
					header( 'Location: login.php?action=register&error=1' );
					die();
				}
			} else {
				die('Could not Connect to the selected Database! ' . mysql_error());
			}
	} else {
		die('Could not Connect to the server! ' . mysql_error());
	}

?>

PS : It connects fine to the DB and TABLE

PSS : Any advice to make this more secure, would be greatly appreciated 😃

djjjozsi

you should read more about SQL injection.

to prevent this, use mysql_real_escape_string() on your user inputs.

Jeebs

I appreciate your tip on making it more secure. However, I would prefer to solve my current problem first and then move onto solving my other problems. Do you have any idea why maycode is all bypassed, and skips right onto the email?

halojoy

First lets see if we can get PHP to give
some info about any errors.

error_reporting(E_ALL);
should be a standard for everybody into coding.
Not only we who are many years experienced coders need this!

You have a spelling mistake right before sending mail
$messgae

<?php

error_reporting(E_ALL); // DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG 
ini_set('display_errors', '1'); // DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG 
// DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG 


// PRE DEFINE VARS
$username = strip_tags($_POST['username']);
$password1 = strip_tags($_POST['password1']);
$password2 = strip_tags($_POST['password2']);
$email1 = strip_tags($_POST['email1']);

bradgrafelman

WOW that's a lot of tabbing/spacing. Whatever editor you're using, if it displays code like that I would highly recommend you either a) figure out how to turn down the tab amount, or b) get rid of that editor!

As for your problem...

```
// CHECK FOR EMPTY FIELDS
						if(strlen($password) != NULL || strlen($username) != NULL || strlen($email) != NULL || strlen($firstname) != NULL || strlen($lastname) != NULL) {
```
You're checking to see if [man]strlen/man returns NULL, but the manual never says anything about this function returning such a value. If you're trying to check if the variables are empty, just compare them to an empty string, e.g.
```
if($username != '' ...
```
In that same code, you use the logical OR operator (the two vertical bars mean OR), but I don't think that's what you want. Think about it: you want to make sure all of the fields were filled in, right? Your if() statement will be true if any one (or more) field is filled in.
```
// CHECK FOR LONG FIELDS
							if(strlen($password) < '20' || strlen($username) < '14' || strlen($email) < '50' || strlen($firstname) < '50' || strlen($lastname) < '50') {
```
The problem with this code is that you're comparing the result of strlen() to a string - not a number. Numeric quantities do not get surrounded with quotes, otherwise they're treated as strings.

The whole logical flow of your script is very hard to follow. Why nest the if() statements so deep? Try writing your code without nesting them so much, e.g.:

$db = connect_to_db();
if(!$db) {
   // handle the db failing here; exit if necessary
}

if(!empty($_POST['submit'])) { // data submitted, process form
    // processing code here...

if($username == '' || $password == '') {
    // fields left empty - invalid! display error message.
} else {
    // fields not empty, insert data to DB
}
}

Your DB design could be improved a bit. Instead of having two separate tables, I would suggest having one main 'users' table. You can add a "temp" column (or "activated") to indicate whether the row was newly inserted and the account hasn't been activated yet.

Then, you could also add UNIQUE indexes to the username and email (or both in a single index) columns. That way, you wouldn't have to do any SELECT queries at all when processing a new user form; just INSERT the data and if the query fails with error number 1062 ("duplicate data for key...") then you know that the username/email combination (depending upon how you setup your index(es)) is a duplicate.

Jeebs

Thankyou very much for the speedy and helpful comments, I will get back to this thread once i work out the code. 😃

PS : in my text editor (notepad++, the tabs are about 1/3 the space, i was surprised when pasting here ;P)

Jeebs

Thank you all - we are good to go 😃

Now onto making it more secure, and blocking spammers >.>

if anyone wanted to see the finished code, here it is 😃

<?php

	// CONNECT TO DB + SELECT TABLE + REQUEST ERRORS
include('mysql_connect.php');

	// PRE DEFINE VARS
$user = strip_tags($_POST['user']);
$pass1 = strip_tags($_POST['pass1']);
$pass2 = strip_tags($_POST['pass2']);
$email1 = strip_tags($_POST['email1']);
$email2 = strip_tags($_POST['email2']);
$fname = strip_tags($_POST['fname']);
$lname = strip_tags($_POST['lname']);

	// CHECK FOR EMPTY FIELDS
if($user ==  '' || $pass1 == '' || $email1 == '' || $pass2 == '' || $email2 == '' || $fname == '' || $lname == '') {
	die('One or more fields are empty!');
}

	// CHECK MATCHING EMAILS + PASSWORD
if($pass1 != $pass2 || $email1 != $email2) {
	die('Passwords and/or E-mails do not match!');
} else {
	$pass = $pass1;
	$email = $email1;
}

	// CHECK LENGTH OF VARS
if(strlen($user) < 3 || strlen($pass) < 4) {
	die('Either your username and or password are too short!<br>Username > 3<br>Password > 4');
}

	// CHECK FOR DUPE VARS
$query = "SELECT * FROM users WHERE user='$user' OR email='$email'";
$result = mysql_query($query);
$num = mysql_num_rows($result);
if($num != '0') {
	die('Username and/or E-mail are already in use!');
}

	// ENCRYPT PASSWORD + MAKE CONFRIMATION CODE
$h_pass = md5($pass);
$code = md5(uniqid(rand()));

	// STOR DATA TO USERS
$sql = "INSERT INTO users SET user='$user', pass='$h_pass', email='$email', fname='$fname', lname='$lname', act='0', code='$code'";
$result = mysql_query($sql);
if(!$result) {
	die('Could not store data to DB!');
}

	// EMAIL CONFRIMATION CODE
$message="Thank-you for Registering to our site! \r\n";
$message.=" \r\n";
$message.="Click on the link below to activate your account! \r\n";
$message.="http://fisherevans.getfrantic.com/test_login/confirm.php?code=$code \r\n";
$message.=" \r\n";
$message.="Account Details \r\n";
$message.="Username : $user \r\n";
$message.="Password : $pass \r\n";
$message.=" \r\n";
$message.="If you have any problems registering, please contact us!";
$sentmail=mail("$email",'Account Activation',"$message");

	// THANK-YOU
echo "Thank-you for registering!<br>Check your E-mail for your activation link!

?>