Creating a login\register form in DW and xampp mysql will only hold one query?? help please.

Forum|Forum|16 years ago
June 24, 2009
1 reply
3946 views

Hi;

I have been doing a lot of research on how to code in php and mysql. I've read one of david powers books that has a few chapters on DW and php but I've also been watching tutorials at lynda.com. Whenever I make a form and I connect to my mysql database via xampp it will only hold one username at a time in the mysql database. I'm trying to figure out if this is a problem with the php or if somethings wrong with my database settings. I will gladly copy over the DW php form and anything from my mysql database. I know the form is currently susceptable to mysql injections thats cause the versions I will display won't show the security codes because I learned that from Mr. Powers book. I didn't follow his security tutorial to a T-- I did change some variable names but I don't want to risk infringing on any of his rights.

Server side applications

This topic has been closed for replies.

David_Powers

Inspiring

I didn't follow his security tutorial to a T-- I did change some variable names but I don't want to risk infringing on any of his rights.

The code printed in my books is there for readers to use. You're not infringing my rights by using code that I have released to the public.

the_missing_linkAuthor

Known Participant

Thank you david. here is the login code with the security <?php virtual('/Connections/userinfo.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
mysql_select_db($database_userinfo, $userinfo);
$query_user_info_registration = "SELECT * FROM user_info_registration";
$user_info_registration = mysql_query($query_user_info_registration, $userinfo) or die(mysql_error());
$row_user_info_registration = mysql_fetch_assoc($user_info_registration);
$totalRows_user_info_registration = mysql_num_rows($user_info_registration);
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form2")) {
  $insertSQL = sprintf("INSERT INTO user_info_registration (user_id, username, password, email, firstname, lastname, gender) VALUES (%s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['user_id'], "int"),
                       GetSQLValueString($_POST['username'], "text"),
                       GetSQLValueString($_POST['password'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['firstname'], "text"),
                       GetSQLValueString($_POST['lastname'], "text"),
                       GetSQLValueString(isset($_POST['gender']) ? "true" : "", "defined","'Y'","'N'"));
  mysql_select_db($database_userinfo, $userinfo);
  $Result1 = mysql_query($insertSQL, $userinfo) or die(mysql_error());
  $insertGoTo = "/planet_zuda/welcome.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
 
 //show array error messages 
$error = array();
// remove whitespace
$_POST['Username'] = trim($_POST[Username]);
$_POST[first_name] =  trim($_POST['first_name']);
$_POST['Last_Name'] = trim($_POST['Last_Name']);
if (empty($_POST['first_name'])|| empty($_POST['Last_Name'])) {
$error['name'] = 'Please enter  your first name';
}
//username security check 
$_POST['Username'] = trim($_POST['Username']);
if (strlen($_POST['Username']) < 6) {
$error ['length'] = 'please choose a username with 6 or more characters.';
}
// checking to make sure password is valid
$pwdvld = true;
// trim whitespace
$_POST['pwd'] = trim ($_POST['pwd']);
if (strlen($_POST['pwd']) < 7);{
$error['pwd_length'] = 'due to reasons of security please choose a password with seven or more characters';
$pwdvld = false;
}
// if passwords don't match send an alert
if ($_POST['pwd'] != trim($_POST['retpe_pwd'])) { 
$error['pwd'] = "your passwords do not match. Please try again!";
$pwdvld = false;
}
// if users password is validated okay go ahead with enhancements
if($pwdvld) { 
$_POST['pwd'] = sha1($_POST['pwd']);
}
//if the form is completed with no errors continue with task
if (!$error) {
  $insertSQL = sprintf("INSERT INTO user_registration (Username, first_name, Last_Name, Users_Password, Gender, e_mail) VALUES (%s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['Username'], "text"),
                       GetSQLValueString($_POST['first_name'], "text"),
                       GetSQLValueString($_POST['Last_Name'], "text"),
                       GetSQLValueString($_POST['Users_Password'], "text"),
                       GetSQLValueString(isset($_POST['Gender']) ? "true" : "", "defined","'Y'","'N'"),
                       GetSQLValueString($_POST['e_mail'], "text"));
  mysql_select_db($database_userinfo, $userinfo);
  $Result1 = mysql_query($insertSQL, $userinfo);
  if(!Result1 && mysql_errno() == 1062) { 
  $error['Username'] = $_POST['Username'] .  'sorry this username has been taken. Please choose a different username.';
 } elseif (mysql_error()) {
  $error['dberror'] = 'Sorry, there was an error. Please try again later or email techs@planetzuda.com';
 } else { 
  $insertGoTo = "welcome.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}
}
}
?>
<?php include("includes/body.php")?>
<h1 class="move">register your free account<br />
</h1>
<p> </p>
<form action="<?php echo $editFormAction; ?>" method="post" name="form1" id="user_info_registration">
  <input type="hidden" name="MM_insert" value="form1" />
</form>
<form action="<?php echo $editFormAction; ?>" method="post" name="form2" id="form2">
  <table align="center" class="zudanian">
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Username:</td>
      <td><input type="text" name="username" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Password:</td>
      <td><input type="text" name="password" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Email:</td>
      <td><input type="text" name="email" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Firstname(optional:</td>
      <td><input type="text" name="firstname" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Lastname(optional:</td>
      <td><input type="text" name="lastname" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Gender:</td>
      <td valign="baseline"><table>
        <tr>
          <td><input type="radio" name="gender" value="m" />
            male</td>
        </tr>
        <tr>
          <td><input type="radio" name="gender" value="f" />
            female</td>
        </tr>
      </table></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right"> </td>
      <td><input type="submit" value="register" /></td>
    </tr>
  </table>
  <input type="hidden" name="MM_insert" value="form2" />
</form>
<p> </p>
</body>
</html>
<?php
mysql_free_result($user_info_registration);
?>

David_Powers

Inspiring

You have got two forms in your page: form1 and form2. The first one, form1, does nothing. It has only a hidden field, but no submit button. Consequently, your validation code never gets run, because all the error checking is controlled by this conditional statement:

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
 
 //show array error messages 
 $error = array();
 etc...

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded