[RESOLVED] User Registration From

finisher1017

I am creating a members only website and am having trouble with the user registration form. I want the registration page to require a minimum of Username, Password, Confirmation Password, and email. If the user does not enter any or all of these fields I would like them to be redirected to a page with a corresponding error and not have their input entered into the database. The problem is that when I test the form with the various fields missing I am redircted to the correct errors pages, but the information still goes to the database. Even if I submit the form completely blank, a blank user account is still created in the database. I've posted the code I'm using below. Any help would be greatly appreciated.

<?php

//connection to database "***"
$host="localhost";
$user="";
$pass="";
$db="***";
$cxn=mysqli_connect($host, $user, $pass, $db);
if (!$cxn)
{
die('Unable to connect to database: ' . mysqli_error($cxn));
}

//registration verification function
$new_user=$POST['username'];
$new_pass=$POST['password'];
$conf_new_pass=$POST['confirm_password'];
$new_lastname=$POST['lastname'];
$new_firstname=$POST['firstname'];
$new_street=$POST['street'];
$new_city=$POST['city'];
$new_state=$POST['state'];
$new_zip=$POST['zip'];
$new_email=$POST['email'];
$new_phone=$POST['phone'];
$new_fax=$POST['fax'];

//form to process user registration
$sql=mysqli_query($cxn,"INSERT INTO members (loginName, password, lastName, firstName)
VALUES ('$new_user','$new_pass', '$new_lastname', '$new_firstname')");

//if (!mysqli_query($sql,$cxn))
//{
//die('Error: ' . mysqli_error($sql));
//}

if (empty($new_user)) { echo "username required"; exit;}
if (empty($new_pass)) { echo "password required"; exit;}
if (empty($new_email)) { echo "email required"; exit;}
if(!preg_match("^{[a-z0-9-]+(.[a-z0-9-]+)@[a-z0-9-]+(.[a-z0-9-]+)(.[a-z]{2,4})$",} $new_email)) {
echo "Invalid Email"; exit;
}
if ($new_pass != $conf_new_pass) { echo "passwords don't match"; exit;}

else { mysqli_query($sql); }

mysqli_close($cxn)

Weedpacket

Your problem is here:

//form to process user registration
$sql=mysqli_query($cxn,"INSERT INTO members (loginName, password, lastName, firstName)
VALUES ('$new_user','$new_pass', '$new_lastname', '$new_firstname')");

You're performing the insertion before you check whether the fields have been provided.

finisher1017

Thanks for responding so quickly. It's my understanding that the statement you're refering to only defines the query as a variable and shouldn't actually be exectuted until the "else { mysqli_query($sql); }" at the bottom is reached. If I am wrong please set me straight.

And no, I'm not you're Mummy. Whatever that means.

NogDog

finisher1017;10993502 wrote:
Thanks for responding so quickly. It's my understanding that the statement you're refering to only defines the query as a variable and shouldn't actually be exectuted until the "else { mysqli_query($sql); }" at the bottom is reached. If I am wrong please set me straight.

If you want to do that, then do not include the call to mysqli_query() at that point, just do:

$sql = "INSERT INTO members (loginName, password, lastName, firstName)
VALUES ('$new_user','$new_pass', '$new_lastname', '$new_firstname')";

Weedpacket

What you're probably thinking of is [man]mysqli_prepare[/man], and the related binding/execution methods. As NogDog said: [man]mysqli_query[/man] actually performs the query (just as it does in the other places (one of them commented out) where you use it). (Caveat: I never use these functions even when I have to use MySQL; the PDO extension is similar, but more consistent.)

But rather than NogDog's suggestion, I'd move that whole thing down to replace your other call, because leaving it where it is you're still trying to use variables like $new_user and the rest before you check to see whether they contain anything or not. (In fact, you're assuming that $_POST['username'] and the rest actually exist.)

finisher1017

Thanks for the advice. I made the change you suggested and the invalid info is no longer inserted into the database, but I'm now running into a problem with email verification. I recieve the following error when submitting the form, even though the email address is valid.

Warning: preg_match() [function.preg-match]: No ending delimiter '^' found in C:\xampp\htdocs\registration_processform.php on line 41
Invalid Email

Line 41 being:

if (!preg_match("^{[a-z0-9-]+(.[a-z0-9-]+)@[a-z0-9-]+(.[a-z0-9-]+)(.[a-z]{2,4})$",} $new_email)) {
echo "Invalid Email"; exit;}

I found the function somewhere on the internet, and It's been weeks since I worked on this code so I honestly don't remember where I got it from.

bradgrafelman

All [man]PCRE[/man] patterns must be delimited (see: [man]regexp.reference.delimiters[/man]).

However, I would suggest getting rid of your use of regular expressions (which, by the way, rejects perfectly valid e-mail addresses) altogether and simply using [man]filter_var/man with the FILTER_VALIDATE_EMAIL filter/option.

finisher1017

I'll use any method that does what I need it to do. Can you give me an example using my code?

bradgrafelman

The PHP manual page for [man]filter_var/man already has plenty of examples along with a full description of how the function works.