Simple Code causing errors

PHPtoday

I am new to the world of PHP, i wanted to start with something simple and build my understanding from there!

I have simple looking codes, but it is really being a little pest to me, and giving me errors, right after I fix another. Can anyone who has travel in my tracks before
show me how these codes should actually look like, please.😕

<?php   

session_start();

$username = $_POST['username'];
$password = $_POST['password'];


if ($username&&$password)
{

$connect = mysql_connect("localhost","root","") or die("Couldn't connect!");
mysql_select_db("phpuserlogin") or die("Couldn't find db");

$query = mysql_query("SELECT * FROM users WHERE username= '$username'");

$numrows = mysql_num_rows($query);

if (numbers!=0)
{


while ($row = mysql_fetch_assoc($query))
{
	$dbusername = $row['username'];
	$dbpassword = $row['password'];
}

//check to see if they match!
if ($username==$dbusername&&md5($password)==$dbpassword)
{

echo "You're in! <a href='member.php'>Click</a> here to enter the member page";
$_SESSION['username']=$username;
}
else
	echo "Incorrect password!";

}
else
	die("That user doesn't exist!");

}
?>

<?php 

echo "<h1>Register</h1>";

$submit = $_POST['submit'];

//form data
$fullname = strip_tags($_POST['fullname']); 
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$repeatpassword = strip_tags($_POST['repeatpassword']);
$date = date('Y-m-d');


if ($submit)
{
echo "Please fill in <b>all </b> fields!";
}

//check for existance
if ($fullname&&$username&&$password&&$repeatpassword)
{

if ($password==$repeatpassword)
{ 

 // check char length of username and fullname 
if (strlen($username)>25||strlen($fullname)>25) 
{
echo "Length of username or fullname is too long!"; 	
}

else	
{

 //check password length
if (strlen($password)>25||strlen($password)<6)
{    
echo "Password must between 6 and 25 characters";

}
else  
{
 //register the user!

//encrypt password
$password = md5($password);
$repeatpassword = md5($repeatpassword);

echo "Success!!";
}
	}
  }
  	else
		echo "Your passwords do not match!";
?>

bradgrafelman

First of all, welcome to PHPBuilder!

Second, when posting PHP code, please use the board's [noparse]

..

[/noparse] bbcode tags as they make your code much easier to read and analyze.

Now, on to some comments in regards to your code...

Code such as this:
```
$username = $_POST['username']; 
$password = $_POST['password']; 


if ($username&&$password) 
{ 
```
will generate E_NOTICE level error messages if the external data doesn't exist. Instead, you should consider using [man]isset[/man]() or [man]empty[/man]() to verify that things such as $_POST['username'] exist before you attempt to access them (e.g. by assigning their value to another variable).
In this code:
```
$query = mysql_query("SELECT * FROM users WHERE username= '$username'");
```
you're placing user-supplied data directly into a SQL query string, and doing so will leave your code vulnerable to SQL injection attacks and/or just plain SQL errors.

Instead, all user-supplied data must be properly sanitized with a function such as [man]mysql_real_escape_string/man (for string data).
Are usernames unique in your DB? In other words, do you have a PRIMARY or UNIQUE index on the username column? If so, then your query will only return at most 1 row, so there's no point in using a while() loop.

In addition, there's really no need to verify that $username is equal to $dbusername, since that was part of the WHERE condition in the SQL query.

And some comments about the second code snippet:

Again, same comment as above in regards to using [man]isset/man or [man]empty/man rather than doing:
```
$submit = $_POST['submit'];

// ...

if ($submit) 
{
```
Why do you use [man]strip_tags/man on the user's data? If you only want to allow certain characters in the username or full name, then check to make sure that no other characters are used. If you don't want to allow HTML to be injected, then you might consider instead using something like [man]htmlentities/man when displaying the data you retrieve from your database (not when you're storing it).

In regards to the passwords... I'm not sure why you would care what characters they use?
Note that if the only purpose of this variable:
```
$date = date('Y-m-d'); 
```
is to store the current date in a database, then note that MySQL can generate the date on its own (in fact, using a TIMESTAMP column, you could even make it completely automatic and wouldn't have to include the column in your INSERT query at all).
What is the purpose of this code:
```
    if ($submit) 
    { 
    echo "Please fill in <b>all </b> fields!"; 
    } 
```
You're telling them to fill in all fields whenever they submit the form regardless of whether they already have done so...?
Rather than just allowing PHP to convert the string values into boolean logic here:
```
    if ($fullname&&$username&&$password&&$repeatpassword) 
    { 
```
you should again consider using something like [man]empty/man.

Then again, since you're using [man]strlen/man to verify the length later on, I'm not even sure why you have this if() statement at all..?
```
     // check char length of username and fullname 
    if (strlen($username)>25||strlen($fullname)>25) 
    { 
    echo "Length of username or fullname is too long!";      

    }
```
Hope you don't have any visitors from outside the U.S., as [man]strlen/man isn't Unicode-safe (thus a UTF-8 encoded string of only 13 characters could very well produce a [man]strlen/man value of over 25). :p
```
     //check password length 
    if (strlen($password)>25||strlen($password)<6) 
    {     

    echo "Password must between 6 and 25 characters"; 

} 
```
While I can certainly understand why you'd want a lower limit to ensure minimal password strength, why do you impose an upper limit on the password? From what I can tell, you're hashing the password using MD5 later on, so you shouldn't really care if they entered a password of 25 characters or 50 characters since both passwords would result in hashed values of the same length.
```
    //encrypt password 
    $password = md5($password); 
    $repeatpassword = md5($repeatpassword); 
```
Here, why are you hashing both passwords? Since they're the same, you only need to hash one of the values and use it.
In your "Success!!" output section, you never actually do anything with all of the data. Is there some sort of INSERT query you've removed or something?

Also, a general comment about both code snippets: While you do some indenting in your code, you aren't very consistent. You might want to find some examples of proper code indention techniques as it will make your code much easier to read and follow through the different logic/control structures.