Paul Posted April 27, 2011 Share Posted April 27, 2011 Hi, 1. When I run the following code, as per the above scripts, there are no errors and the blank form appears OK except that in the email and password fields appear 'root' and what I'm assuming is my DB password, although it appears as '*******'. (PHP version 5.3.4, MySQL client version: mysqlnd 5.0.7-dev - 091210 - $Revision: 304625 $). What am I doing wrong? Even as a novice I could see that this is probably not a good security measure! START OF SCRIPT <?php # Script 8.3 - register.php $page_title = 'Register'; include ('includes/header.html'); // Check if the form has been submitted if (isset($_POST['submitted']) ) { //Open the DB require_once('../mysqli_connect.php'); //Initialise and error array $errors = array(); //Check for a first name and assign it to a variable if (empty($_POST['first_name']) ) { $errors[] = 'You forgot to enter your first name.'; } else { $fn = mysqli_real_escape_string($dbc, trim($_POST['first_name'])); } //Check for a last name and assign it to a variable if (empty($_POST['last_name']) ) { $errors[] = 'You forgot to enter your last name.'; } else { $ln = mysqli_real_escape_string($dbc, trim($_POST['last_name'])); } //Check for an email address and assign it to a variable if (empty($_POST['email']) ) { $errors[] = 'You forgot to enter your email address.'; } else { $e = mysqli_real_escape_string($dbc, trim($_POST['email'])); } //Check for a password, match it against the confirm field and assign it to a variable if (!empty($_POST['pass1']) ) { if ($_POST['pass1'] != $_POST['pass2']) { $errors[] = 'Your password did not match the confirmed password.'; } else { $p = mysqli_real_escape_string($dbc, trim($_POST['pass1'])); } } else { $errors[] = 'You forgot to enter your password.'; } //Check if the errors array is empty. If so register the user. If not print the details to show the user (done later) if (empty($errors) ) { //Register the user //Make the query and insert into DB $q = "INSERT INTO users (first_name, last_name, email, pass, registration_date) VALUES ('$fn', '$ln', '$e', SHA1('p'), NOW() )"; $r = @mysqli_query ($dbc, $q); //Check if the query ran. Does $r have a TRUE value? if ($r) { //Print a thankyou message to the user echo '<h1>Thank you</h1> <p>You are now registered. In Chapter 11 you will actually be able to log in!</p><p><br /></p>'; } else { //If the query didn't run OK. //A message to the user echo '<h1>Oops, system error.</h1> <p class="error">You might not be registered because of a system error. Sorry.</p>'; //A message to the programmer echo '<p>' . mysqli_error($dbc) . '<br /><br />Query: ' . $q . '</p>'; } //Close the Db connection mysqli_close($dbc); //include the footer and exit the script include ('includes/footer.html'); exit(); } else { //Report the input errors to the user echo '<h1>Errors</h1> <p class="error">The following error(s) occurred:<br />'; foreach ($errors as $msg) { echo " - $msg<br />\n"; } echo '</p><p>Please try again.</p><p><br /></p>'; } } ?> <!--'// Start of HTML--> <h1>Register</h1> <form action="register.php" method="post"> <p>First Name: <input type="text" name="first_name" size="15" maxlength="20" value="<?php if (isset($_POST['first_name']) ) echo $_POST['first_name']; ?>" /> </p> <p>Last Name: <input type="text" name="last_name" size="15" maxlength="40" value="<?php if (isset($_POST['last_name']) ) echo $_POST['last_name']; ?>" /> </p> <p>Email Address: <input type="text" name="email" size="20" maxlength="80" value="<?php if (isset($_POST['email']) ) echo $_POST['email']; ?>" /> </p> <p>Password: <input type="password" name="pass1" size="10" maxlength="20" /> </p> <p>Confirm Password: <input type="password" name="pass2" size="10" maxlength="20" /> </p> <p> <input type="submit" name="submit" value="Register" /> </p> <p> <input type="hidden" name="submitted" value="TRUE" /> </p> </form> END OF SCRIPT 2. In script 8.5 there are two 'mysqli_close($dbc)' functions but only one 'require_once('../mysqli_connect.php') function. Please could someone explain why a DB needs to be closed twice when it has only been opened once. Thanks once again. Paul Link to comment Share on other sites More sharing options...
chuflasky Posted April 27, 2011 Share Posted April 27, 2011 Hi paul try to change your query from $q = "INSERT INTO users (first_name, last_name, email, pass, registration_date) VALUES ('$fn', '$ln', '$e', SHA1('p'), NOW() )"; To $q = "INSERT INTO users (first_name, last_name, email, pass, registration_date) VALUES ('$fn', '$ln', '$e', SHA1('$p'), NOW() )"; $r = @mysqli_query ($dbc, $q) or die("Error: " . mysqli_error($dbc) ); //this will output any query string error syntax. And see what happens. 1 Link to comment Share on other sites More sharing options...
Jonathon Posted April 27, 2011 Share Posted April 27, 2011 Hi Paul, So let me get this straight. The form is ok but the some of the fields are already populated?? If so are you clearing the cache or just resending the form sending the same data. On a seperate note jorgeLP is also right your query is currently applying a SHA1 function to a string with a value of 'p' not a variable '$p'. 1 Link to comment Share on other sites More sharing options...
Paul Posted April 27, 2011 Author Share Posted April 27, 2011 Jonathon and JorgeLP, Thanks once again for a quick response. Right. I changed p to $p at JorgeLP's suggestion and inserted the line of code. Rerun. Same. Jonathon. You are correct. The form is OK, but 2 of the fields are already populated. Not sure if this is what you mean but I cleared the cache from the browser, closed the browser window and rerun the script. Same thing, two fields populated with what I'm assuming are my login details. Thanks Paul Link to comment Share on other sites More sharing options...
Jonathon Posted April 27, 2011 Share Posted April 27, 2011 Hi Paul post your source code please? I can't see why password field should have a value at all. Please use the 'other styles' on your reply and out it between code tags 1 Link to comment Share on other sites More sharing options...
HartleySan Posted April 27, 2011 Share Posted April 27, 2011 Paul, it is most likely your browser settings. I get the same thing, because I want Chrome to remember my email address and password for logging in, but the browser is too "dumb" to know the difference between normal login forms and registration forms containing fields for an email address and password. Most likely, if you disable the auto-fill setting in the browser, you'll be okay. 1 Link to comment Share on other sites More sharing options...
Paul Posted April 28, 2011 Author Share Posted April 28, 2011 Hi everyone, I ran the same script through Chrome and IE8 (I use Firefox) and the fields were not populated so I think HartleySan has cracked it. Could I also refer you all to the 2nd part of my original question: 2. In script 8.5 there are two 'mysqli_close($dbc)' functions but only one 'require_once('../mysqli_connect.php') function. Please could someone explain why a DB needs to be closed twice when it has only been opened once. As per Jonathon's request I've put the code here: <?php # Script 8.3 - register.php $page_title = 'Register'; include ('includes/header.html'); // Check if the form has been submitted if (isset($_POST['submitted']) ) { //Open the DB require_once('../mysqli_connect.php'); //Initialise and error array $errors = array(); //Check for a first name and assign it to a variable if (empty($_POST['first_name']) ) { $errors[] = 'You forgot to enter your first name.'; } else { $fn = mysqli_real_escape_string($dbc, trim($_POST['first_name'])); } //Check for a last name and assign it to a variable if (empty($_POST['last_name']) ) { $errors[] = 'You forgot to enter your last name.'; } else { $ln = mysqli_real_escape_string($dbc, trim($_POST['last_name'])); } //Check for an email address and assign it to a variable if (empty($_POST['email']) ) { $errors[] = 'You forgot to enter your email address.'; } else { $e = mysqli_real_escape_string($dbc, trim($_POST['email'])); } //Check for a password, match it against the confirm field and assign it to a variable if (!empty($_POST['pass1']) ) { if ($_POST['pass1'] != $_POST['pass2']) { $errors[] = 'Your password did not match the confirmed password.'; } else { $p = mysqli_real_escape_string($dbc, trim($_POST['pass1'])); } } else { $errors[] = 'You forgot to enter your password.'; } //Check if the errors array is empty. If so register the user. If not print the details to show the user (done later) if (empty($errors) ) { //Register the user //Make the query and insert into DB $q = "INSERT INTO users (first_name, last_name, email, pass, registration_date) VALUES ('$fn', '$ln', '$e', SHA1('$p'), NOW() )"; //As per fourm suggestion $r = @mysqli_query ($dbc, $q) or die("Error: " . mysqli_error($dbc) ); //this will output any query string error syntax. //$r = @mysqli_query ($dbc, $q); //Check if the query ran. Does $r have a TRUE value? if ($r) { //Print a thankyou message to the user echo '<h1>Thank you</h1> <p>You are now registered. In Chapter 11 you will actually be able to log in!</p><p><br /></p>'; } else { //If the query didn't run OK. //A message to the user echo '<h1>Oops, system error.</h1> <p class="error">You might not be registered because of a system error. Sorry.</p>'; //A message to the programmer echo '<p>' . mysqli_error($dbc) . '<br /><br />Query: ' . $q . '</p>'; } //Close the Db connection mysqli_close($dbc); //include the footer and exit the script include ('includes/footer.html'); exit(); } else { //Report the input errors to the user echo '<h1>Errors</h1> <p class="error">The following error(s) occurred:<br />'; foreach ($errors as $msg) { echo " - $msg<br />\n"; } echo '</p><p>Please try again.</p><p><br /></p>'; } //Close the Db connection mysqli_close($dbc); } ?> <!--'// Start of HTML--> <h1>Register</h1> <form action="register.php" method="post"> <p>First Name: <input type="text" name="first_name" size="15" maxlength="20" value="<?php if (isset($_POST['first_name']) ) echo $_POST['first_name']; ?>" /> </p> <p>Last Name: <input type="text" name="last_name" size="15" maxlength="40" value="<?php if (isset($_POST['last_name']) ) echo $_POST['last_name']; ?>" /> </p> <p>Email Address: <input type="text" name="email" size="20" maxlength="80" value="<?php if (isset($_POST['email']) ) echo $_POST['email']; ?>" /> </p> <p>Password: <input type="password" name="pass1" size="10" maxlength="20" /> </p> <p>Confirm Password: <input type="password" name="pass2" size="10" maxlength="20" /> </p> <p> <input type="submit" name="submit" value="Register" /> </p> <p> <input type="hidden" name="submitted" value="TRUE" /> </p> </form> Thanks everyone. Paul Link to comment Share on other sites More sharing options...
HartleySan Posted April 28, 2011 Share Posted April 28, 2011 Paul, the reason for the two functions for closing the DB connection is because only one of them will actually be executed each time. The exit() function after the first one will terminate the script (i.e., not execute anything after it), and if that the if statement that the first DB-closing function is in is not satisfied, then after the else statement, the other DB-closing function will be executed at the end. Hope that helps. 1 Link to comment Share on other sites More sharing options...
Paul Posted April 29, 2011 Author Share Posted April 29, 2011 Ah. Of course. Not every part of a script is actually 'used'. Thanks. Link to comment Share on other sites More sharing options...
Recommended Posts