0
votes

I am trying to create a registration form that checks to see if the Email and passwords entered by the user match, if all forms are complete, and if the email has been previously used to register. When there is in fact an error, I would like the code to display the error message at the top of the registration form.

However, I cannon't figure out how to make the error message display above the registration inputs. Instead, what happens is that the error message replaces the registration inputs and appears alone (requiring the user to refresh the page to try registering again). This is my first post on stackoverflow, so please excuse me if my coding jargon is off! Below is the code I have been trying to use.

<?php

// Connect to database server
mysql_connect("localhost", "root") or die (mysql_error ());

// Select database
mysql_select_db("mydatabase") or die(mysql_error());

    //Checks to make sure form has been submitted
    if (isset($_POST['submit'])) { 

//Checks to make sure all fields are complete
if (!$_POST['FirstName'] | !$_POST['LastName'] | !$_POST['Username']| !$_POST['Username2']| !$_POST['Password']| !$_POST['Password2'] ) {
    die('You did not complete all of the required fields');
}

//Check to see if email has already been used to reigster
if (!get_magic_quotes_gpc()) {
    $_POST['Username'] = addslashes($_POST['Username']);
}

$usercheck = $_POST['Username'];

$check = mysql_query("SELECT Username FROM people WHERE Username = '$usercheck'") 
or die(mysql_error());

$check2 = mysql_num_rows($check);

//Email has already been used to register message
if ($check2 != 0) {
    die('Sorry, the Email '.$_POST['Username'].' has already been used to register.');
}

//Confirm that Emails match
if ($_POST['Username'] != $_POST['Username2']) {
    die('The Email addresses you entered do not match. ');
}

//Confirm that passwords match
if ($_POST['Password'] != $_POST['Password2']) {
    die('The passwords you entered do not match. ');
}

//Encrypt the password and add slashes if needed
$_POST['Password'] = md5($_POST['Password']);
if (!get_magic_quotes_gpc()) {
    $_POST['Password'] = addslashes($_POST['Password']);
    $_POST['Username'] = addslashes($_POST['Username']);
    }

    // now we insert it into the database
$insert = "INSERT INTO people(FirstName,LastName,Username,Password) VALUES ('" . $_POST["FirstName"] . "','" . $_POST["LastName"] . "','" . $_POST["Username"] . "','" . $_POST["Password"] . "')";

$add_member = mysql_query($insert);
?>

Registered

Thank you, you have registered - you may now login.

    <?php 
    } 
    else 
    {   
    ?>
    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
        <table border="0">
            <tr><td>First Name:</td><td>
                <input type="text" name="FirstName" maxlength="60">
            </td></tr>
            <tr><td>Last Name:</td><td>
                <input type="text" name="LastName" maxlength="60">
            </td></tr>
            <tr><td>Email Address:</td><td>
                <input type="text" name="Username" maxlength="60">
            </td></tr>
            <tr><td>Confirm Email Address:</td><td>
                <input type="text" name="Username2" maxlength="60">
            </td></tr>
            <tr><td>Password (8 character minimum):</td><td>
                <input type="password" name="Password">
            </td></tr>
            <tr><td>Confirm Password:</td><td>
                <input type="password" name="Password2">
            </td></tr>
            <tr><th colspan=2>
        <input type="submit" name="submit" value="Register"></th></tr> </table>
    </form>
    <?php
    }
    ?>
1
Please, don't use mysql_* functions in new code. They are no longer maintained and the deprecation process has begun, see the red box. Learn about prepared statements instead, and use PDO or MySQLi; this article will help you decide which. If you choose PDO, here is a good tutorial.Geek Num 88
I think his/her problems go way beyond using ext/mysql. Literally almost every line has some sort of bad practice going on.Mike

1 Answers

1
votes

As I mentioned in the comment above, almost every line of your code has some sort of bad practice. Here's a quick summary.

  • As Geek Num 88 mentioned, you should be using PDO or mysqli. See his comment above for links.
  • Assuming ext/mysql, addslashes is not good enough for escaping values. Neither is relying on get_magic_quotes_gpc. The appropriate function is mysql_real_escape_string. However from the previous point, you should not be using that either. Use parametrized queries without any form of escaping.
  • When coding, it is good practice to put error_reporting(-1); at the top of your file. This will force you to code a bit more stricter to standards.
  • You are using a bitwise or | in your comparisons instead of ||. If you don't know what 'bitwise or' even means, just use ||.
  • Instead of doing if (!$_POST['FirstName']) you should instead check if it is set and then check to see if it is empty using strlen()
  • Instead of doing die() for each error, append them to an array and iterate through it at the end. Using die() is bad because it's possible that more than one error is occurring and the user will then have to fill out the form multiple times, and also your HTML may no longer be valid if you are omitting the normal footer that appears at the bottom of your page.
  • For goodness sake, do not use md5 for hashing your passwords. You might as well be storing them in plain text. Instead use bcrypt.
  • Never echo $_SERVER['PHP_SELF'] to the browser because this makes your script vulnerable to XSS attacks.

So to actually answer your question, this is what I would do:

  1. See if the form has been posted. This can be done with a hidden field in the HTML. If it is set, do the validation
  2. Go through all your possible errors and append all errors to an array. Say, $errors[].
  3. If errors are present, echo them back to the user
  4. If no errors, securely hash the password and store all values in the database
  5. Redirect the browser upon success to some sort of success page. This prevents users from pushing refresh and resubmitting the form.
  6. If the form hasn't been submitted or if there was an error, show the form with any values still populated so that they don't have to fill it out again or push back