Creating a login\register form in DW and xampp mysql will only hold one query?? help please.

Report · Jun 24, 2009

Hi;

I have been doing a lot of research on how to code in php and mysql. I've read one of david powers books that has a few chapters on DW and php but I've also been watching tutorials at lynda.com. Whenever I make a form and I connect to my mysql database via xampp it will only hold one username at a time in the mysql database. I'm trying to figure out if this is a problem with the php or if somethings wrong with my database settings. I will gladly copy over the DW php form and anything from my mysql database. I know the form is currently susceptable to mysql injections thats cause the versions I will display won't show the security codes because I learned that from Mr. Powers book. I didn't follow his security tutorial to a T-- I did change some variable names but I don't want to risk infringing on any of his rights.

Report · Jun 25, 2009

I didn't follow his security tutorial to a T-- I did change some variable names but I don't want to risk infringing on any of his rights.

The code printed in my books is there for readers to use. You're not infringing my rights by using code that I have released to the public.

Report · Jun 25, 2009

Thank you david. here is the login code with the security <?php virtual('/Connections/userinfo.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
mysql_select_db($database_userinfo, $userinfo);
$query_user_info_registration = "SELECT * FROM user_info_registration";
$user_info_registration = mysql_query($query_user_info_registration, $userinfo) or die(mysql_error());
$row_user_info_registration = mysql_fetch_assoc($user_info_registration);
$totalRows_user_info_registration = mysql_num_rows($user_info_registration);
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form2")) {
  $insertSQL = sprintf("INSERT INTO user_info_registration (user_id, username, password, email, firstname, lastname, gender) VALUES (%s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['user_id'], "int"),
                       GetSQLValueString($_POST['username'], "text"),
                       GetSQLValueString($_POST['password'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['firstname'], "text"),
                       GetSQLValueString($_POST['lastname'], "text"),
                       GetSQLValueString(isset($_POST['gender']) ? "true" : "", "defined","'Y'","'N'"));
  mysql_select_db($database_userinfo, $userinfo);
  $Result1 = mysql_query($insertSQL, $userinfo) or die(mysql_error());
  $insertGoTo = "/planet_zuda/welcome.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
 
 //show array error messages 
$error = array();
// remove whitespace
$_POST['Username'] = trim($_POST[Username]);
$_POST[first_name] =  trim($_POST['first_name']);
$_POST['Last_Name'] = trim($_POST['Last_Name']);
if (empty($_POST['first_name'])|| empty($_POST['Last_Name'])) {
$error['name'] = 'Please enter  your first name';
}
//username security check 
$_POST['Username'] = trim($_POST['Username']);
if (strlen($_POST['Username']) < 6) {
$error ['length'] = 'please choose a username with 6 or more characters.';
}
// checking to make sure password is valid
$pwdvld = true;
// trim whitespace
$_POST['pwd'] = trim ($_POST['pwd']);
if (strlen($_POST['pwd']) < 7);{
$error['pwd_length'] = 'due to reasons of security please choose a password with seven or more characters';
$pwdvld = false;
}
// if passwords don't match send an alert
if ($_POST['pwd'] != trim($_POST['retpe_pwd'])) { 
$error['pwd'] = "your passwords do not match. Please try again!";
$pwdvld = false;
}
// if users password is validated okay go ahead with enhancements
if($pwdvld) { 
$_POST['pwd'] = sha1($_POST['pwd']);
}
//if the form is completed with no errors continue with task
if (!$error) {
  $insertSQL = sprintf("INSERT INTO user_registration (Username, first_name, Last_Name, Users_Password, Gender, e_mail) VALUES (%s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['Username'], "text"),
                       GetSQLValueString($_POST['first_name'], "text"),
                       GetSQLValueString($_POST['Last_Name'], "text"),
                       GetSQLValueString($_POST['Users_Password'], "text"),
                       GetSQLValueString(isset($_POST['Gender']) ? "true" : "", "defined","'Y'","'N'"),
                       GetSQLValueString($_POST['e_mail'], "text"));
  mysql_select_db($database_userinfo, $userinfo);
  $Result1 = mysql_query($insertSQL, $userinfo);
  if(!Result1 && mysql_errno() == 1062) { 
  $error['Username'] = $_POST['Username'] .  'sorry this username has been taken. Please choose a different username.';
 } elseif (mysql_error()) {
  $error['dberror'] = 'Sorry, there was an error. Please try again later or email techs@planetzuda.com';
 } else { 
  $insertGoTo = "welcome.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
}
}
}
?>
<?php include("includes/body.php")?>
<h1 class="move">register your free account<br />
</h1>
<p> </p>
<form action="<?php echo $editFormAction; ?>" method="post" name="form1" id="user_info_registration">
  <input type="hidden" name="MM_insert" value="form1" />
</form>
<form action="<?php echo $editFormAction; ?>" method="post" name="form2" id="form2">
  <table align="center" class="zudanian">
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Username:</td>
      <td><input type="text" name="username" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Password:</td>
      <td><input type="text" name="password" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Email:</td>
      <td><input type="text" name="email" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Firstname(optional:</td>
      <td><input type="text" name="firstname" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Lastname(optional:</td>
      <td><input type="text" name="lastname" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Gender:</td>
      <td valign="baseline"><table>
        <tr>
          <td><input type="radio" name="gender" value="m" />
            male</td>
        </tr>
        <tr>
          <td><input type="radio" name="gender" value="f" />
            female</td>
        </tr>
      </table></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right"> </td>
      <td><input type="submit" value="register" /></td>
    </tr>
  </table>
  <input type="hidden" name="MM_insert" value="form2" />
</form>
<p> </p>
</body>
</html>
<?php
mysql_free_result($user_info_registration);
?>

Report · Jun 26, 2009

You have got two forms in your page: form1 and form2. The first one, form1, does nothing. It has only a hidden field, but no submit button. Consequently, your validation code never gets run, because all the error checking is controlled by this conditional statement:

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
 
 //show array error messages 
 $error = array();
 etc...

Report · Jun 28, 2009

Thank you for looking over the code and finding that newb error for me. I'm

inspecting all of my php coding with a fine comb now! I know langauges being

case sensitive is helpful but it can also be a bit of a pain... I guess I'll

get better at it. I know form1 and form2 don't have anything to do with

cases I'm talking about other errors I've ran into.

Report · Jul 02, 2009

Okay, first of all it's better if u delete any form that is not being used. From your code i see u have made 2 coding for insert record and both also using different table name(user_info_registration, user_registration). Which one did u exactly use and which table where the problem is happened?

Report · Jul 03, 2009

Thanks for the reply and taking the time to read all of the code! I have

tried to make the form work but I kinda gave up on it and started building a

new one so I won't run into my previous coding errors. I should have posted

that on the forum. Sorry sometimes I get wrapped up in my own little world

and forget to post. Oh to answer your question I'm using

user_info_registration. Again thank you for taking the time to read all of

the code!