Page 1 of 1
Insert works but doesnt work at same time!
Posted: Tue Jul 31, 2007 12:03 pm
by SirChick
Ok basically when i click register the record goes to the table fine and gets its userid.
But the values from the php variables:
Code: Select all
$TermsOfService = $_POST['TermsOfService'];
$Username = mysql_real_escape_string($_POST['Username']);
$Password = mysql_real_escape_string($_POST['Password']);
$Password2 = mysql_real_escape_string($_POST['Password2']);
$Email = mysql_real_escape_string($_POST['EmailRegistration']);
$Country = mysql_real_escape_string($_POST['CountryChoice']);
$ip = $_SERVER["REMOTE_ADDR"];
$Gender = $_POST['Gender'];
Does not get inserted.. it just inserts blanks. My insert code is:
Code: Select all
$query = "INSERT INTO `userregistration` (Username,Password,Email,Country,IP,Gender) Values ('$Username', '$Password', '$Email', '$Country', '$ip', '$Gender')";
mysql_query($query) or die(mysql_error());
Also the $ip = $_SERVER["REMOTE_ADDR"]; when i test this, in the database the result comes out as "Array" instead of an IP number :S? Im not entirely sure why this is.. any thoughts?
Posted: Tue Jul 31, 2007 12:12 pm
by superdezign
Echo $query.
Posted: Tue Jul 31, 2007 12:21 pm
by SirChick
Ok i would paste the error but its behind my main site so i can't paste it neatly.
But it says:
Notice: Trying to get property of non-object in C:\xampp\htdocs\RegisterPage.php on line 1
repeated x 31
Notice: Trying to get property of non-object in C:\xampp\htdocs\RegisterPage.php on line 32
INSERT INTO `userregistration` (Username,Password,Email,Country,IP,Gender) Values ('', '', '', '', '127.0.0.1', 'Male')
I deffinatly inputted something into the fields but only IP and gender actually appears in the database table.
I checked for case sensitivity on the field names its deffinatly a match so i duno why it wont input.
Posted: Tue Jul 31, 2007 12:34 pm
by superdezign
SirChick wrote:I checked for case sensitivity on the field names its deffinatly a match so i duno why it wont input.
Because regardless of how right you think it is, it's wrong.

print_r($_POST).
Also, we can't help you with the other errors if you don't post that code up as well.
And on a different note, why is that you escape some posted data, but not all?
Posted: Tue Jul 31, 2007 1:29 pm
by SirChick
where have i escaped it ?
Code: Select all
<?php
error_reporting(E_ALL);
if (isset($_POST['RegistrationSubmission'])) {
$TermsOfService = $_POST['TermsOfService'];
$Username = mysql_real_escape_string($_POST['Username']);
$Password = mysql_real_escape_string($_POST['Password']);
$Password2 = mysql_real_escape_string($_POST['Password2']);
$Email = mysql_real_escape_string($_POST['EmailRegistration']);
$Country = mysql_real_escape_string($_POST['CountryChoice']);
$ip = $_SERVER["REMOTE_ADDR"];
$Gender = $_POST['Gender'];
$jump2 = 1;
if ($Password != $Password2) {
echo "Passwords did not match";
if ($TermsOfService == "off") {
echo "You must agree to the terms of service before registering!";
$jump2 = 0;
}
}
If ($jump2 ==1){
mysql_connect("localhost", "root", "private") or die (mysql_error());
mysql_select_db("civilian") or die (mysql_error());
$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");
$getUSERNAME = mysql_fetch_object($chkUSERNAME);
if($_POST['Username'] == $getUSERNAME->Username) {
die('Username already registered, please choose a different username!');
}
$chkEmail = mysql_query("SELECT * FROM `userregistration` WHERE `Email` = '".$_POST['EmailRegistration']."'");
$getEmail = mysql_fetch_object($chkEmail);
if($_POST['EmailRegistration'] == $getEmail->Email) {
die('Email already registered, please choose a different username!');
}
If ($Password == $Password2) {
mysql_connect("localhost", "root", "private") or die (mysql_error());
mysql_select_db("civilian") or die (mysql_error());
$query = "INSERT INTO `userregistration` (Username,Password,Email,Country,IP,Gender) Values ('$Username', '$Password', '$Email', '$Country', '$ip', '$Gender')";
echo $query;
mysql_query($query) or die(mysql_error());
}
}
}
?>
Posted: Tue Jul 31, 2007 5:20 pm
by nathanr
SirChick wrote:where have i escaped it ?
escaped here>> (some others aren't escaped)
Code: Select all
$Username = mysql_real_escape_string($_POST['Username']);
$Password = mysql_real_escape_string($_POST['Password']);
$Password2 = mysql_real_escape_string($_POST['Password2']);
$Email = mysql_real_escape_string($_POST['EmailRegistration']);
$Country = mysql_real_escape_string($_POST['CountryChoice']);
but not escaped here.. which leaves you open to sql injections..
Code: Select all
$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");
...
$chkEmail = mysql_query("SELECT * FROM `userregistration` WHERE `Email` = '".$_POST['EmailRegistration']."'");
Posted: Wed Aug 01, 2007 7:05 am
by SirChick
Is that why its not working ? And how do i structure it with escaped
Posted: Wed Aug 01, 2007 9:02 am
by timvw
There are a couple of things that would bother me if i were reviewing the code...
- Variable naming: what does '$jump2' represent?
- Using data that might not exists: $Username = mysql_real_escape_string($_POST['Username']);
- Using data that is not prepared for use in a query: $chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");
- Odd logic: You simply want to select a count of the rows where the username or e-mail equal something that already exists...