Keep getting invalid email and passwords do not match

fullyloaded

Hi
i've been working on a signup forum for my site using pdo, but have came across a problem i been trying to fix for weeks with no luck at all. My problem is when i sign up and submit my info, im getting The given E-mail address is not valid. and Passwords do not match. but the emails are valid and the passwords do match any help would be great thanks.

require("config.php");
require("globalfunction.php");
if(!empty($_POST))
{
   $query = "SELECT id FROM signup WHERE user = :user";
   $query_params = array(
   ':user' => $_POST['user']
   );
   try
   {
     $stmt = $db->prepare($query);
     $result = $stmt->execute($query_params);
   }
   catch(PDOException $ex)
   {
     die("Failed to run query: " . $ex->getMessage());
   }
   $errors = array();
   if (trim($_POST['user']) == '') { $errors[] = "Please Enter A Username."; }
   if (trim($_POST['pass']) == '') { $errors[] = "Please Enter A Password."; }
   if (trim($_POST['confirmpass']) == '') { $errors[] = "Please Enter A confirmation password."; }
   if (trim($_POST['mailaddress']) == '') { $errors[] = "Please Enter Your E-mail Address."; }
   if (trim($_POST['mailaddressconfirm']) == '') { $errors[] = "Please Enter Your Conformation E-mail Address."; }
   if (strlen($pass) < $passLengthMIN ) { $errors[] = "The password contains to little characters."; }
   if (strlen($pass) > $passLengthMAX ) { $errors[] = "The password contains to many characters."; }
   if (strlen($user) < $userLengthMIN ) { $errors[] = "The username contains to little characters."; }
   if (strlen($user) > $userLengthMAX ) { $errors[] = "The username contains to many characters."; }
   if (validaddress($mailaddress) == false ) { $errors[] = "The given E-mail address is not valid."; }
   if ($pass  <>  $confirmpass ) { $errors[] = "Passwords do not match."; }
   if ($mailaddress  <>  $mailaddressconfirm ) { $errors[] = "Email Address do not match."; }
   $query = "SELECT * FROM signup WHERE user = :user Or mailaddress = :mailaddress";
   $query_params = array(
   ':user' => $user,
   ':mailaddress' => $mailaddress
   );
   try
   {
     $stmt = $db->prepare($query);
     $result = $stmt->execute($query_params);
   }
   catch(PDOException $ex)
   {
     header("Location: error");
     exit;
   }
   if ($row = $stmt->fetch($result)){ 
      if ($row['user'] == $user) { $errors[] = "Username, ".htmlentities($row['username']).", is already in use."; }
      if ($row['mailaddress'] == $mailaddress) { $errors[] = "E-mail address, ".htmlentities($row['mailadres']).", is already in use."; }
   }
   if ($errors) {
      $errorstr = "<ul><li>" . implode("</li><li>", $errors) . "</li></ul>";
      echo $errorstr;
      } else {
      $errorstr = "";
      $datetime = date("d-m-Y G:i ");
      $sth = $db->prepare("INSERT INTO signup (user,pass,salt,mailaddress,signupdate,lastlogin
      ) VALUES (:user,:pass,:salt,:mailaddress,:signupdate,:lastlogin)");
      $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
      $pass = hash('sha256', $_POST['pass'] . $salt);
      $query_params = array(
      ':user' => $_POST['user'],
      ':pass' => $pass,
      ':salt' => $salt,
      ':mailaddress' => $_POST['mailaddress'],
      ':signupdate' => $datetime,
      ':lastlogin' => $lastlogin
      );
      $sth->execute($query_params);
      header("Location: signup");
      exit;
   }
}

Global Function for email address:

function validaddress($mailaddress){
$prereturn = true;
if (strlen($mailaddress) < 5){$prereturn = false;}
$partsNumber = split("@",$mailaddress);
if (count($partsNumber) <> 2) {$prereturn = false;}
else{
list($user,$domain) = split("@",$mailaddress);
if (strlen($user) < 1) {$prereturn = false;}
}
return $prereturn;
}

Bonesnap

To validate email addresses, it's strongly recommended you use the built in PHP function filter_var() and use the FILTER_VALIDATE_EMAIL flag. It's much better than messing around with custom functions or regular expressions. 🙂

bradgrafelman

For one, you should consider changing your 'validaddress' function to simply return the result of a call to [man]filter_var/man (with the FILTER_VALIDATE_EMAIL filter) cast to a boolean.

As for the issues you're getting... where do you ever define the variables $mailaddress, $pass and $confirmpass before that block of if() statements?

Also... what's with the first SQL query near the top of the script? It seems superfluous since you don't ever do anything with it before running a similar query later on.

EDIT: Oops... seems like I forgot to refresh this tab before replying.

Bonesnap

One other thing: don't restrict users' passwords, especially with a maximum length. Let users decide for themselves how complex they want to make their passwords. Include a strength metre if you'd like.

bradgrafelman

Bonesnap;11013617 wrote:
One other thing: don't restrict users' passwords, especially with a maximum length. Let users decide for themselves how complex they want to make their passwords. Include a strength metre if you'd like.

Agreed - forgot to mention this. Obligatory XKCD reference here.

Weedpacket

As well as all the above, part way down through your code you forget you're using the [font=monospace]$_POST[/font] array start trying to use (uninitialised) variables like [font=monospace]$pass[/font] and [font=monospace]$confirmpass[/font] instead.

fullyloaded

Well thanks for the reply's guys, i took all your advice well i think i did lol and seem to have fixed my problems but now am having a new problem. My new problem is , i can create the same account over and over any help would be great again thanks.

New code:

require("config.php");
   $errors = array();
   if (trim($_POST['user']) == '') { $errors[] = "Please Enter A Username."; }
   if (trim($_POST['pass']) == '') { $errors[] = "Please Enter A Password."; }
   if (trim($_POST['confirmpass']) == '') { $errors[] = "Please Enter A confirmation password."; }
   if (trim($_POST['mailaddress']) == '') { $errors[] = "Please Enter Your E-mail Address."; }
   if (trim($_POST['mailaddressconfirm']) == '') { $errors[] = "Please Enter Your Conformation E-mail Address."; }
   if (strlen($user) < $userLengthMIN ) { $errors[] = "The username contains to little characters."; }
   if (strlen($user) > $userLengthMAX ) { $errors[] = "The username contains to many characters."; }
   if (filter_var($_POST['mailadres'], FILTER_VALIDATE_EMAIL) === false) { $errors[] = "The given E-mail address is not valid."; }
   if ($_POST['pass']  <>  $_POST['confirmpass'] ) { $errors[] = "Passwords do not match."; }
   if ($_POST['mailaddress']  <>  $_POST['mailaddressconfirm'] ) { $errors[] = "Email Address do not match."; }
   $query = "SELECT * FROM signup WHERE user = :user Or mailaddress = :mailaddress";
   $query_params = array(
   ':user' => $user,
   ':mailaddress' => $mailaddress
   );
   try
   {
     $stmt = $db->prepare($query);
     $result = $stmt->execute($query_params);
   }
   catch(PDOException $ex)
   {
     header("Location: error");
     exit;
   }
   if ($row = $stmt->fetch($result)){ 
      if ($row['user'] == $user) { $errors[] = "Username, ".htmlentities($row['username']).", is already in use."; }
      if ($row['mailaddress'] == $mailaddress) { $errors[] = "E-mail address, ".htmlentities($row['mailadres']).", is already in use."; }
   }
   if ($errors) {
      $errorstr = "<ul><li>" . implode("</li><li>", $errors) . "</li></ul>";
      echo $errorstr;
      } else {
      $errorstr = "";
      $datetime = date("d-m-Y G:i ");
      $sth = $db->prepare("INSERT INTO signup (user,pass,salt,mailaddress,signupdate,lastlogin
      ) VALUES (:user,:pass,:salt,:mailaddress,:signupdate,:lastlogin)");
      $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
      $pass = hash('sha256', $_POST['pass'] . $salt);
      $query_params = array(
      ':user' => $_POST['user'],
      ':pass' => $pass,
      ':salt' => $salt,
      ':mailaddress' => $_POST['mailaddress'],
      ':signupdate' => $datetime,
      ':lastlogin' => $lastlogin
      );
      $sth->execute($query_params);
      header("Location: signup");
      exit;
   }
}

johanafm

fullyloaded;11013709 wrote:

   catch(PDOException $ex)
   {
     header("Location: error");
     exit;
   }
      header("Location: signup");
      exit;

Has to be a full url, including protocol and domain

fullyloaded;11013709 wrote:

      $sth = $db->prepare("INSERT INTO signup (user,pass,salt,mailaddress,signupdate,lastlogin
      ) VALUES (:user,:pass,:salt,:mailaddress,:signupdate,:lastlogin)");

Make user and mailaddress unique (mysql 5.5 man page)