Page 1 of 1

Insert works but doesnt work at same time!

Posted: Tue Jul 31, 2007 12:03 pm
by SirChick
Ok basically when i click register the record goes to the table fine and gets its userid.

But the values from the php variables:

Code: Select all

$TermsOfService = $_POST['TermsOfService'];
$Username = mysql_real_escape_string($_POST['Username']); 
$Password = mysql_real_escape_string($_POST['Password']); 
$Password2 = mysql_real_escape_string($_POST['Password2']);
$Email = mysql_real_escape_string($_POST['EmailRegistration']);
$Country = mysql_real_escape_string($_POST['CountryChoice']);
$ip = $_SERVER["REMOTE_ADDR"];
$Gender = $_POST['Gender'];

Does not get inserted.. it just inserts blanks. My insert code is:

Code: Select all

$query = "INSERT INTO `userregistration` (Username,Password,Email,Country,IP,Gender) Values ('$Username', '$Password', '$Email', '$Country', '$ip', '$Gender')";
    mysql_query($query) or die(mysql_error());
Also the $ip = $_SERVER["REMOTE_ADDR"]; when i test this, in the database the result comes out as "Array" instead of an IP number :S? Im not entirely sure why this is.. any thoughts?

Posted: Tue Jul 31, 2007 12:12 pm
by superdezign
Echo $query.

Posted: Tue Jul 31, 2007 12:21 pm
by SirChick
Ok i would paste the error but its behind my main site so i can't paste it neatly.

But it says:

Notice: Trying to get property of non-object in C:\xampp\htdocs\RegisterPage.php on line 1

repeated x 31

Notice: Trying to get property of non-object in C:\xampp\htdocs\RegisterPage.php on line 32
INSERT INTO `userregistration` (Username,Password,Email,Country,IP,Gender) Values ('', '', '', '', '127.0.0.1', 'Male')



I deffinatly inputted something into the fields but only IP and gender actually appears in the database table.

I checked for case sensitivity on the field names its deffinatly a match so i duno why it wont input.

Posted: Tue Jul 31, 2007 12:34 pm
by superdezign
SirChick wrote:I checked for case sensitivity on the field names its deffinatly a match so i duno why it wont input.
Because regardless of how right you think it is, it's wrong. :P print_r($_POST).
Also, we can't help you with the other errors if you don't post that code up as well.

And on a different note, why is that you escape some posted data, but not all?

Posted: Tue Jul 31, 2007 1:29 pm
by SirChick
where have i escaped it ?

Code: Select all

<?php
error_reporting(E_ALL); 
if (isset($_POST['RegistrationSubmission'])) {

$TermsOfService = $_POST['TermsOfService'];
$Username = mysql_real_escape_string($_POST['Username']); 
$Password = mysql_real_escape_string($_POST['Password']); 
$Password2 = mysql_real_escape_string($_POST['Password2']);
$Email = mysql_real_escape_string($_POST['EmailRegistration']);
$Country = mysql_real_escape_string($_POST['CountryChoice']);
$ip = $_SERVER["REMOTE_ADDR"];
$Gender = $_POST['Gender'];
$jump2 = 1;
if ($Password != $Password2) {
    echo "Passwords did not match";
	if ($TermsOfService == "off") {
	echo "You must agree to the terms of service before registering!";
$jump2 = 0;
}
}

If ($jump2 ==1){
mysql_connect("localhost", "root", "private") or die (mysql_error());
mysql_select_db("civilian") or die (mysql_error());
$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");
 $getUSERNAME = mysql_fetch_object($chkUSERNAME);
 if($_POST['Username'] == $getUSERNAME->Username) {
  die('Username already registered, please choose a different username!');
 }
$chkEmail = mysql_query("SELECT * FROM `userregistration` WHERE `Email` = '".$_POST['EmailRegistration']."'");
 $getEmail = mysql_fetch_object($chkEmail);
 if($_POST['EmailRegistration'] == $getEmail->Email) {
  die('Email already registered, please choose a different username!');
 }

 If ($Password == $Password2) {
    mysql_connect("localhost", "root", "private") or die (mysql_error());
    mysql_select_db("civilian") or die (mysql_error());
    $query = "INSERT INTO `userregistration` (Username,Password,Email,Country,IP,Gender) Values ('$Username', '$Password', '$Email', '$Country', '$ip', '$Gender')";
    echo $query;
	mysql_query($query) or die(mysql_error());
	}
	}
	}
?>

Posted: Tue Jul 31, 2007 5:20 pm
by nathanr
SirChick wrote:where have i escaped it ?

escaped here>> (some others aren't escaped)

Code: Select all

$Username = mysql_real_escape_string($_POST['Username']); 
$Password = mysql_real_escape_string($_POST['Password']); 
$Password2 = mysql_real_escape_string($_POST['Password2']);
$Email = mysql_real_escape_string($_POST['EmailRegistration']);
$Country = mysql_real_escape_string($_POST['CountryChoice']);
but not escaped here.. which leaves you open to sql injections..

Code: Select all

$chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");
 ...
$chkEmail = mysql_query("SELECT * FROM `userregistration` WHERE `Email` = '".$_POST['EmailRegistration']."'");

Posted: Wed Aug 01, 2007 7:05 am
by SirChick
Is that why its not working ? And how do i structure it with escaped

Posted: Wed Aug 01, 2007 9:02 am
by timvw
There are a couple of things that would bother me if i were reviewing the code...

- Variable naming: what does '$jump2' represent?

- Using data that might not exists: $Username = mysql_real_escape_string($_POST['Username']);

- Using data that is not prepared for use in a query: $chkUSERNAME = mysql_query("SELECT * FROM `userregistration` WHERE `Username` = '".$_POST['Username']."'");

- Odd logic: You simply want to select a count of the rows where the username or e-mail equal something that already exists...