Naughty code, shouldn't be doing this???

Posted: Mon Nov 25, 2002 3:58 pm
by darthmahon
Hey,
OK, below is the sign-up script for my site, and now I have a problem. I am validating email addresses so that I don't get any addresses without an @ in them. The thing is, even though I tell it to output an error message, it still inputs the information into the database. Can you guys spot anything wrong?

Code:

<?php

#open session#
session_save_path('/home/mydir/data');
session_start();

# $access_name, $formsubmit, $id and the form fields below arrive as globals (register_globals)
if ($access_name=="") {
$title = "Hello, you are not logged in. Please click <a href=\"login.php\">here</a> to log in. To sign up click
<a href=\"signup.php\">here</a>.";
}else{
$title = "Hello $access_name, please click <a href=\"/members/welcome.php\">here</a> to visit the members section.";
}


$form_complete="";
if ($formsubmit==1) {$formsubmit="";$sucess="";

#db connection#
include("access/data.inc.php");
mysql_connect ($SQLhost, $SQLuser, $SQLpass);
mysql_select_db ($SQLdb);

#null error report.#
$error="";

if ( ($firstname=="") || ($lastname=="") || ($addressline1=="") || ($city=="") || ($postcode=="") || ($telephonenumber=="") || ($email=="") )
    {
        $error_field=1;
        $error.="Please ensure that you have entered all information requested by the signup form.";
    }else{

#Check email address validity#
if(!ereg("^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@([a-zA-Z0-9-]+\.)+([a-zA-Z]{2,3})$",$email)) {
  $error .= "Your email address is not valid, please try again.<br>\n";
}else{

}
# nothing above stops the script: after an invalid address it carries on to the lookup and update below

#search for id#
$res_access = mysql_query ("SELECT id, userid, registered, password FROM users where userid='$id'");
$num_access = mysql_num_rows ($res_access);

#duplicates found#
if ($num_access>1)
    {
    $error .= "Duplicates found, please contact the webmaster about this problem.<br>\n";

#no user found#
    }else if ($num_access==0)
    {
    $error .= "ID wasn't found in our database.<br>\n";
    }else{

#insert user into database#
$registered = mysql_result ($res_access,0,"registered");
$password = mysql_result ($res_access,0,"password");
        if ($registered=="0")
            {

#tidy up the submitted details#
$name = $firstname." ".$lastname;
$address = $addressline1.", ".$addressline2.", ".$city.", ".$county.", ".$postcode;

$name = strtolower ($name);
$name = ucwords ($name);
$postcode = strtoupper ($postcode);
$postcode = ucwords ($postcode);
$address = strtoupper ($address);
$address = ucwords ($address);
$address = str_replace (", , ",", ",$address);
$telephonenumber = str_replace (" ", "", $telephonenumber);
$telephonenumber = str_replace ("-", "", $telephonenumber);
$telephonenumber = trim ($telephonenumber);

#update db#
@mysql_query ("update users set name='$name', address='$address', telephone='$telephonenumber', email='$email', registered='1' WHERE userid='$id' ");
$error .= "New user registration completed. You have been emailed your password.<br>\n";

#send email with password#
$From = 'Registration <chris@yduk.net>';
$headers = "From: $From\r\n";

$subject = "Your details...";
$message = "Dear $name,\n\nThank you for registering!\n\nBelow are your login details needed to access the website.  We advise you to keep these details in a secure place.\n\nID: $id \nPassword: $password";
mail($email, $subject, $message, $headers);

//mail($contactemail, $subject, $message, $headers);
header("Location: success.php?Name=$name&Email=$email");

$sucess=1;
            }else{
#user already registered#
$error .= "This ID has already been registered.<br>\n";
            }
    }

    }

$form_complete="1";
}

?>
Cheers,
Chris

Posted: Mon Nov 25, 2002 9:16 pm
by oldtimer
Got to put in an exit in there so that it stops right there.

Code:

<?php
if ( ($firstname=="") || ($lastname=="") || ($addressline1=="") || ($city=="") || ($postcode=="") || ($telephonenumber=="") || ($email=="") )
    {
        $error_field=1;
        $error.="Please ensure that you have entered all information requested by the signup form.";
    }else{

#Check email address validity#
if(!ereg("^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@([a-zA-Z0-9-]+\.)+([a-zA-Z]{2,3})$",$email)) {
  $error .= "Your email address is not valid, please try again.<br>\n";
exit;
}else{

}
?>

Posted: Mon Nov 25, 2002 11:28 pm
by BigE
That would work... however, I don't see an error output in your script, just error setting, so I'm guessing there is more. My suggestion would be to set an error control variable and check it before you do your query: if it returns properly, the query is done, otherwise it displays an error. Hope that helps.
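The error-control pattern BigE describes, as an added example that is not code from the thread: every check appends to an error list, and the update runs only when that list is empty, so a bad address can never reach the database. It assumes `$db` is an open PDO connection; the `users` column names come from the original script and the sample input is constructed.

```php
<?php
// Added example: fail-closed signup validation (not the original poster's code).
function validate_signup(array $in): array
{
    $errors = [];
    $required = ['id', 'firstname', 'lastname', 'addressline1', 'city',
                 'postcode', 'telephonenumber', 'email'];
    foreach ($required as $field) {
        if (!isset($in[$field]) || trim($in[$field]) === '') {
            $errors[] = "Missing field: $field";
        }
    }
    // PHP's built-in validator replaces the hand-written ereg() pattern.
    if (isset($in['email']) && filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Your email address is not valid, please try again.';
    }
    return $errors;
}

// $db is assumed to be an open PDO connection (hypothetical, not in the original post).
function register_user(PDO $db, array $in): array
{
    $errors = validate_signup($in);
    if ($errors !== []) {
        return $errors;          // gate: nothing below runs on bad input
    }
    $name = ucwords(strtolower($in['firstname'] . ' ' . $in['lastname']));
    // Bound parameters: the submitted values never become part of the SQL text.
    $stmt = $db->prepare(
        'UPDATE users SET name = ?, email = ?, registered = 1 WHERE userid = ? AND registered = 0'
    );
    $stmt->execute([$name, $in['email'], $in['id']]);
    if ($stmt->rowCount() === 0) {
        $errors[] = 'ID was not found in our database or has already been registered.';
    }
    return $errors;
}

// Constructed sample input: the address has no "@", so validate_signup() returns
// one error and register_user() would return before preparing any query.
$sample = ['id' => 'demo', 'firstname' => 'chris', 'lastname' => 'smith',
           'addressline1' => '1 High St', 'city' => 'Leeds', 'postcode' => 'ls1 1aa',
           'telephonenumber' => '0113 000 0000', 'email' => 'not-an-address'];
print_r(validate_signup($sample));
```

The caller shows the returned list to the user when it is non-empty and redirects to the success page only when it is empty, which is the single decision point the original script lacks.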