Page 1 of 1

Newb needing help with my code.

Posted: Fri Aug 24, 2007 1:06 pm
by lafflin
Sorry I couldn't give a more descriptive subject.

I am creating a form/script for a public user to register for classes at a small studio. It will be a four form proccess, the first will be the students info, followed by the parents info, then the class info they're siging up for and then the payment info.

on the first form I want to check the DB for the user's first_name, last_name, and their dob. (those are the names of the fields in my DB).
If I do not get any result from that query than I want to go ahead and register them and then redirect them to the next form and take their sid(primary key - studentID) turn it into a cookie and then pass it along to the next form.

If my first query finds that same three values for name and dob than an error should be displayed "already registered"

Well all has been well except I can enter the exact same user info (firsdt_name, Last_name, and dob).

I can not get that error message to display no matter what I type into my form.

sorry for posting long code, but I think it might be necessary as I have no idea what is causing the error.

Also their is a function being used throughout this script that is defined in an external document. the function escape_data checks the server settings for magic_quotes and applies mysql_real_escape_string to data.

here is my script,
and I apologize for it being messy, it is my first ever.

Code: Select all

<?php # - register student -

$page_title = 'Register';


// Check if the form has been submitted.
if (isset($_POST['submitted'])) {

require_once ('./includes/mysql_connect.php');

	$errors = array(); // Initialize error array.
	
	// Check for a first name.
	if (empty($_POST['first_name'])) {
		$errors[] = 'You forgot to enter your first name.';
	} else {
		$fn = escape_data($_POST['first_name']);
	}
	
	// Check for a last name.
	if (empty($_POST['last_name'])) {
		$errors[] = 'You forgot to enter your last name.';
	} else {
		$ln = escape_data($_POST['last_name']);
	}
	
	// Check for a date of birth.
	if (empty($_POST['month']))  {
		$errors[] = 'You forgot to enter students birthdate.';
	} else {
		$dob = ($_POST['year']).($_POST['month']).($_POST['day']);
	}
	
	
	// Check for  sex value.
	if (empty($_POST['sex'])) {
		$errors[] = 'You forgot to enter students sex.';
	} else {
		$sex =($_POST['sex']);
	}
	
	//following fields not mandatory
	
	// Check for a school attending.
	if (empty($_POST['school'])) {
		$school ='null';
	} else { 
	    $school = escape_data($_POST['school']);
	   }
	
	// Check for a medical issues.
	if (empty($_POST['medical'])) {
		$medical ='null';
	} else {
	     $medical = escape_data($_POST['medical']);
	    }
	
	// Check for a students phone.
	if (empty($_POST['students_phone'])) {
		$stud_phon ='null';
	} else {
	     $stud_phon = escape_data($_POST['students_phone']);
		 }
	
	// Check for a students email.
	if (empty($_POST['student_email'])) {
		$stud_email ='null';
	} else {
	     $stud_email = escape_data($_POST['stud_email']);
		 }
	
	// Check for notes.
	if (empty($_POST['notes'])) {
		$notes ='null';
	} else {
	     $notes = escape_data($_POST['notes']);
		 }
		 
		 
	if (empty($errors)) { // If everything's okay.
	
	$query0 = "SELECT sid FROM student_info WHERE first_name = '\"$fn\"' AND last_name = '\"$ln\"' AND dob = '\"$dob\"' " ;
	$result0 = @mysql_query ($query0);
		if(mysql_num_rows($result0)>0) {
		echo 'you are already registered!';
		exit() ;
		} else{
		// Make the query.
		$query = "INSERT INTO student_info (sid, first_name, last_name, sex, reg_date, dob, school, email, phone, active, medical_issues, notes, secret_classification, last_update) VALUES ('null', '$fn', '$ln', '$sex', now(), '$dob', '$school', '$stud_email', '$stud_phone', 'y', '$medical', '$notes', '0', 'null' )";		
		$result = @mysql_query ($query); // Run the query.
		}
		if ($result) { // If it ran OK.
		
	
	
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++		
		
	$sid = mysql_insert_id();
	setcookie('SID', $sid);
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
				
		
			// Redirect the user to the thanks.php page.
				// Start defining the URL.
				$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
				
				// Check for a trailing slash.
				if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
					$url = substr ($url, 0, -1); // Chop off the slash.
				}
				
				// Add the page.
				$url .= '/parent_info.php';
				
				header("Location: $url");
				exit();
		
			
		} else { // If it did not run OK.
		include ('./includes/header.inc.htm');
			echo '<h1 id="mainhead">System Error</h1>
			<p class="error">You could not be registered due to a system error. We apologize for any inconvenience.</p>'; // Public message.
			echo '<p>' . mysql_error() . '<br /><br />Query: ' . $query . '</p>'; // Debugging message.
			
			exit();
		}
		
		mysql_close(); // Close the database connection.
		
	} else { // Report the errors.
	
		echo '<h1 id="mainhead">Error!</h1>
		<p class="error">The following error(s) occurred:<br />';
		foreach ($errors as $msg) { // Print each error.
			echo " - $msg<br />\n";
		}
		echo '</p><p>Please try again.</p><p><br /></p>';
		
	} // End of if (empty($errors)) IF.

} // End of the main Submit conditional.
include ('./includes/header.inc.htm');
?>

this is followed by a bunch of html, there is no need to post it.


I am open to any and all criticism as I said I this is my first project.
thanks

Posted: Fri Aug 24, 2007 5:01 pm
by califdon
Not at all bad for a beginner.

Replace:

Code: Select all

$result0 = @mysql_query ($query0);
with

Code: Select all

$result0 = mysql_query ($query0) or die($query0)
so that you can see what that query is doing. If you never receive the warning, apparently it's never finding a matching record. Probably when you look at the actual SQL you immediately spot why it's behaving like that.

Posted: Fri Aug 24, 2007 7:22 pm
by lafflin
here's what I know from staring at this code all day:

1-the second query is running successfully, entering the data into my table regardless of weather or not it's duplicate. So my first query (query0) while running successfully as far as not producing errors, isn't stoping my script from being able to enter duplicates.

2- I have ran the same query (query0) in my MySQL command line utility and the correct results are being produced.

I'm kinda thinking that there is something wrong with the logic in my nested IF statements and not the actual query.

Any help that anyone can give is greatly appreciated,

Posted: Fri Aug 24, 2007 7:36 pm
by VladSun
You have some strange `double/single quotes and escaping. String concatenation is done by ".".

Wrong:

Code: Select all

$query0 = "SELECT sid FROM student_info WHERE first_name = '\"$fn\"' AND last_name = '\"$ln\"' AND dob = '\"$dob\"' " ;
Right:

Code: Select all

$query0 = "SELECT sid FROM student_info WHERE first_name = '" . $fn . "' AND last_name = '" . $ln . "' AND dob = '" . $dob . "' " ;
or Right:

Code: Select all

$query0 = "SELECT sid FROM student_info WHERE first_name = '$fn' AND last_name = '$ln' AND dob = '$dob' " ;
And something else - what are you going to use this SID cookie for? I am asking because it is very insecure to use client side data.

Posted: Fri Aug 24, 2007 8:28 pm
by lafflin
the cookie will be used as a way to ensure the integrity of my tables, I kind of made up this method by myself, so it might be a terrible idea, but the premise is that there is a series of four forms that need to be submitted to complete a registration: student info, parent info, class info and payment info. each form being responsible for creating the values of a table that correspond to that form. Well, there is also some linking tables the first being students to parents, because one parent could have two students. So as the first form is submitted into the table, the second form (parents) recieves the value of the primary key which is created durring the insert for students. I then get another cookie when submitting the parent form for that tables PK and when I have both they get inserted into my linking (student_parent) table. If your still with me on this the idea then goes a bit farther and once I have all three (five with the linking tables) PK's in cookies going into the payment form I have the option of creating a query to delete them all if the last step (payment) is unsuccessful.
I considered using sessions, but I don't see any advantage seeing as the PK's for these tables isn't sensitive anyway right?

Now, I know there may be a better, more standard way to accomplish what I'm trying to do, and by all means anything that anyone wants to share is much appreciated.


Wow, my query was way off! thanks Vlad. I couldn't find instructions for what i wanted to do (use a variable in my query), so I copied some other newbs query from some other post.
I'm going to try it out (i'm sure it'll work now though).
Thanks Man!

Posted: Fri Aug 24, 2007 8:48 pm
by lafflin
Thanks Vlad, it all makes sense now........sorta. But it works just fine!
I was told in another post that I needed to escape my data, I must have not understood what was going on at all there.

the post was "simple sytax error" I was obviously lost in that post and that led me to being even further lost.
But all is good now....till the next episode.