think tank forum

technology » PHP Form / Error Handling

 
17 years ago
Mathew
Zombie Flesh Eaters
I'll admit, i'm a n00b when it comes to PHP/MySQL. What do you guys think: (Let me know if i'm missing something)

<?php
// Convert posts to PHP variables
if (isset($_POST['submituser'])) {
    $firstname   = $_POST["firstname"];
    $lastname    = $_POST["lastname"];
    $username    = $_POST["username"];
    $emailone    = $_POST["email"];
    $emailtwo    = $_POST["emailtwo"];
    $passwordone = $_POST["password"];
    $passwordtwo = $_POST["passwordtwo"];

    // convert strings to lowercase
    $emailone = strtolower($emailone);
    $emailtwo = strtolower($emailtwo);
    $username = strtolower($username);

    // define an array for error handling, which will be displayed at the end
    $error = array();

    // No blank fields
    if ($firstname == '' || $lastname == '' || $username == '' || $emailone == '' || $passwordone == '') {
        $error[] = 'None of the fields can be blank, please try again. ';
    }
    if ($emailone !== $emailtwo) {
        $error[] = 'Email fields do not match, please try again. ';
    }
    if ($passwordone !== $passwordtwo) {
        $error[] = 'Password fields do not match, please try again. ';
    } else {
        // store an (unsalted) SHA-1 hash instead of the plain password
        $passwordone = sha1($passwordone);
    }

    // check to see if user account already exists.
    // ($username goes straight into the SQL string here; escaping is discussed later in the thread)
    $usercount  = "select COUNT(*) from users where username='" . $username . "'";
    $userresult = mysql_query($usercount);
    $userfinal  = mysql_result($userresult, 0);

    // check to see if email account already exists.
    $emailcount  = "select COUNT(*) from users where email='" . $emailone . "'";
    $emailresult = mysql_query($emailcount);
    $emailfinal  = mysql_result($emailresult, 0);

    if ($userfinal > 0) {
        $error[] = 'The username provided has already been taken. Please select another.';
    }
    if ($emailfinal > 0) {
        $error[] = 'The email address provided has already been taken. Please select another.';
    }

    if (count($error) > 0) {
        // show every collected error
        foreach ($error as $err) {
            echo $err . "<br />";
        }
    } else {
        $sqlquery = "select * from users";
        $result   = mysql_query($sqlquery);
        $row      = mysql_fetch_array($result);
    }
}
?>
 
17 years ago
Mathew
Zombie Flesh Eaters
Here is a screenshot from the forms on my site....complete with errors!

http://www.clanbbw.com/publicimg/data/images/ … mysite.PNG
 
17 years ago
Mathew
Zombie Flesh Eaters
Alright you fuckers...at least tell me what you think about the design of my site.
17 years ago
lucas
i ❤ demo
i've been avoiding ttf lately because of the slowness of the server.

i've never thought of using an array for a list of errors.. kinda cool. i usually just do a ton of nested conditionals (if/then).

i've never seen the operator !== like in "$emailone!==$emailtwo", i just do !=.

and i've never used the sql COUNT() function to see if a particular row exists. that's a good idea, too. thanks.

i would check for invalid characters in the email/password. i would do this by running something like addslashes on it (or better yet, mysql_real_escape_string) and seeing if the original is the same as the escaped. then you know if it has shitty characters in it.

as far as you checking to see if the username or email address exists in the database, you should just create PRIMARY keys for those fields in the table. then when you insert it, mysql will not allow you to duplicate the username or email address.

you may also want to send an email to the email address with a randomly selected password (although this easy to get around for users). an activation link is another possibility.
 
17 years ago
Mathew
Zombie Flesh Eaters
I'm running into a few problems with the email function (no sendmail on Windows), but that is a feature i was going to use. I just got sessions to work. Before this thing goes live, I need to create some kind of cleaning function to clean all of the input boxes of possible sql injection attacks. Other than that, thanks for the response.
17 years ago
lucas
i ❤ demo
all you have to do is this:

function clean($value) {
    // Stripslashes: undo the escaping magic_quotes_gpc already applied
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    // (note: the returned value already includes the surrounding single quotes)
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

then pull in your variables like this:

$firstname = clean($_POST["firstname"]);
$lastname = clean($_POST["lastname"]);

et cetera. the function i used above is from the php manual: http://us2.php.net/mysql_real_escape_string
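Putting lucas's two suggestions together, here is an added example (editor's code, not lucas's, Mathew's or the PHP manual's) of the same signup handling with database-side UNIQUE constraints on username and email (what lucas describes as making them keys) and with PDO prepared statements, which make the manual quoting in clean() unnecessary because the values travel to the database separately from the SQL text. It uses an in-memory SQLite database so it runs stand-alone; the table layout, the username rule and the sample form values are assumptions, and the password "What's up." is borrowed from Mathew's later post to show that an apostrophe in the data needs no escaping at all.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the sqlite driver;
// a real site would point the DSN at MySQL and keep the rest unchanged.

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE makes the database itself reject duplicates, even if two requests
    // race past a PHP-side "does it exist yet?" check at the same moment.
    $pdo->exec("CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )");
    return $pdo;
}

// Validate the form and return a list of error strings (Mathew's array pattern).
function validateSignup(array $post): array {
    $errors = [];
    $fields = ['firstname', 'lastname', 'username', 'email', 'emailtwo', 'password', 'passwordtwo'];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || trim($post[$f]) === '') {
            $errors[] = "Field '$f' cannot be blank.";
        }
    }
    if ($errors) {
        return $errors;
    }
    if (strtolower($post['email']) !== strtolower($post['emailtwo'])) {
        $errors[] = 'Email fields do not match.';
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    // Assumed username rule: an allow-list is simpler to reason about than
    // hunting for "bad" characters after the fact.
    if (!preg_match('/^[a-z0-9_]{3,20}$/', strtolower($post['username']))) {
        $errors[] = 'Username may only contain letters, digits and underscores (3-20 characters).';
    }
    if ($post['password'] !== $post['passwordtwo']) {
        $errors[] = 'Password fields do not match.';
    }
    return $errors;
}

// Insert the user. With placeholders a quote inside the data is just data,
// so no clean()-style escaping or quoting is needed.
function registerUser(PDO $pdo, array $post): array {
    $errors = validateSignup($post);
    if ($errors) {
        return $errors;
    }
    $stmt = $pdo->prepare('INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)');
    try {
        $stmt->execute([
            strtolower($post['username']),
            strtolower($post['email']),
            password_hash($post['password'], PASSWORD_DEFAULT), // salted hash, not bare sha1()
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (the UNIQUE index fired)
        if (($e->errorInfo[0] ?? $e->getCode()) == '23000') {
            return ['That username or email address is already taken.'];
        }
        throw $e;
    }
    return [];
}

$pdo = openDb();
$form = [ // constructed sample input; the apostrophe is the case that broke Mathew's query
    'firstname' => 'Mathew', 'lastname' => 'Adams', 'username' => 'mathew',
    'email' => 'm@example.com', 'emailtwo' => 'M@example.com',
    'password' => "What's up.", 'passwordtwo' => "What's up.",
];
foreach (['first attempt', 'second attempt with the same username/email'] as $label) {
    $errors = registerUser($pdo, $form);
    echo $label . ': ' . ($errors ? implode(' ', $errors) : 'registered') . PHP_EOL;
}
```

The first call inserts the row; the second is refused by the UNIQUE constraint and surfaces as one entry in the error array, so the COUNT(*) pre-checks from the first post become optional rather than the only line of defence.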
 
17 years ago
Mathew
Zombie Flesh Eaters
Hey man, I made the clean function in a file called "clean.php". Here is the PHP code:

<?php
include 'connect.php';
include 'clean.php';

if (isset($_POST['addtonews'])) {
    $newsdate    = date('m.d.Y');
    $newstitle   = clean($_POST['newstitle']);
    $newscontent = clean($_POST['newscontent']);

    if ($newstitle == '' || $newscontent == '') {
        echo "One or both of the fields were left blank.";
    } else {
        // build the insert from the cleaned values
        $sqlquery = "insert into news values('0','" . $newsdate . "','" . $newstitle . "','" . $newscontent . "')";
        echo $sqlquery;
        $result = mysql_query($sqlquery);

        if ($result) {
            echo "Successfully added to the database!<br /><br />";
        } else {
            die('Invalid query: ' . mysql_error() . "<br /><br />");
        }
    }
}
?>

Here is the difference in the queries (The first has been cleaned):

insert into news values('0','01.06.2007',''Mathew Adams\' Site'',''What\'s up.'')
insert into news values('0','01.06.2007','Mathew Adam's Site','What's up.')

The mysql_error tells me to check my syntax. I don't know if the "\" is actually escaping anything. Let me know if you can see a problem.
 
17 years ago
Mathew
Zombie Flesh Eaters
\\
 
17 years ago
Mathew
Zombie Flesh Eaters
Damn...well your shit is cleaning because the query doesn't have the "\\".
 
17 years ago
Mathew
Zombie Flesh Eaters
I got it, I didn't realize it added single quotes to the beginning and end of each variable.