
Thread: Need php help for registering

  1. #1
    thenewprogrammer

    Need php help for registering

    Having problems with php registering script; confirm.php is the file with login information

    register.html file
    Code:
    <form name="form1" method="post" action="registernext.php">
      Username:<input type="text" name="username" size="15" maxlength="20" value=""><br />
      Password:<input type="password" name="pass"  size="15" maxlength="20" value=""><br />
      Confirm Password:<input type="password" name="pass2"  size="15" maxlength="20" value=""><br />
      Gender:<input type="radio" name="gender" value="male" />Male<input type="radio" name="gender" value="female" />Female<br />
      Age:<select name="birthmonth" value="">
       <option>Month</option>
       <option>January</option>
       <option>February</option>
       <option>March</option>
     </select>
     <select name="birthday" value="">
       <option>Day</option>
       <option>1</option>
       <option>2</option>
       <option>3</option>
       <option>4</option>
     </select>
     <input type="text" name="birthyear" size="4" maxlength="4" value="" /><br />
     <br />
      E-mail:<input type="text" name="email"  size="15" maxlength="65" value=""><br />
      Confirm E-mail:<input type="text" name="email2"  size="15" maxlength="65" value=""><br />
     <input type="submit" name="submit"  size="15" maxlength="20" value="Register">
     </form>
    registernext.php file
    Code:
    <?php
    include('confirm.php');
    //test to see if username is alphanumeric
    $test=$_POST[username];
    if(!eregi(("[^A-Za-z0-9]"),$test)){
     //test for duplicate names
     $query="SELECT * FROM users WHERE user_name ='$_POST[username]'";
     $result=mysql_query($query);
     $num=mysql_num_rows($result);
     
     
     if ($num == 0){
      
      //test for duplicate email
      $query2="SELECT * FROM users WHERE user_email = '$_POST[email]'";
      $result2=mysql_query($query2);
      $num2=mysql_num_rows($result2);
      
       if($num2==0){
       //if emails and passwords match up
        if(($_POST['pass']==$_POST['pass2'])&&($_POST['email']==$_POST['email2'])){
       
       
        //generate random confirmation code
        $confirm_code=md5(uniqid(rand()));
       
        //get rid of all html from hackers
        $name=strip_tags($_POST['username']);
        $email=strip_tags($_POST['email']);
        $pass=strip_tags($_POST['pass']);
        $gender=strip_tags($_POST['gender']);
        $birthday = strip_tags($_POST['birthday']) . strip_tags($_POST['birthmonth']) . strip_tags($_POST['birthyear']);
        
       
        //insert data into database
        $sql="INSERT INTO temp SET code='$confirm_code',user_name='$name',user_email='$email',user_password='$pass', user_gender='$gender',user_birthday='$birthday'";
        $result=mysql_query($sql);
        
         if($result){
        
         $message="your confirm link \r\n";
         $message.="Click on this link to activate your account \r\n";
         $message.="http://likeftp.com/confirmation.php?...=$confirm_code";
         $sentmail=mail($email,'Registration Confirmation',"$message");
        
       
         header("Location:thankyou.php");
        }
        else{
        echo "Not found in our database ";
        }
        
        //if your email succesfully sent
          if($sentmail){
          echo "Your confirmation link has been sent to your email";
          }
          else{
          echo "Cannot send confirmation link to your email address";
          }
     }else{
     header("Location:usernametaken.html");
     }
    }else{
    header("Location:invalidname.html");
    }
    }
    }
    ?>
    For some reason it keeps triggering my else statements instead of going to the next step. The else statements it triggers are "error" and "Cannot send confirmation link to your email address", so I'm guessing the error is caused around if($result) but I'm not sure. I need it to be successful, and the two tables I have in the database are "temp" and "users".

  2. #2
    misson

    Re: Need php help for registering

    Protip: use the [PHP] and [HTML] tags (when appropriate) rather than plain [CODE] tags.

    Quote Originally Posted by thenewprogrammer View Post
    PHP Code:
    $test=$_POST[username]; 
    Use strings for indices rather than bare words. Note this doesn't apply when you're interpolating variables into a string, unless you're using complex syntax ("{$...}"), in which case it does apply.

    Quote Originally Posted by thenewprogrammer View Post
    PHP Code:
    $query="SELECT * FROM users WHERE user_name ='$_POST[username]'";
    ...
    $query2="SELECT * FROM users WHERE user_email = '$_POST[email]'";
    $result2=mysql_query($query2);
    ...
    $sql="INSERT INTO temp SET code='$confirm_code',user_name='$name',user_email='$email',user_password='$pass', user_gender='$gender',user_birthday='$birthday'"
    Your code is susceptible to SQL Injection via the values in $_POST. Either sanitize the user input or (better yet) use prepared statements. Think of the children.

    You could combine the test for existing user names and e-mails into a single statement:
    Code:
    SELECT user_name,user_email FROM users WHERE user_name=? OR user_email=?
    Make sure the page informing a user of duplicate identification (currently in invalidname.html) tells the user when a username is already taken and when an email is already registered (with a link to a page that will send an e-mail to the address that reminds the user what their username is). Both are simultaneously possible, so the message page should be able to display both cases.

    Nitpick: the "user_" prefix for the "user_name" and "user_email" fields in the "user" table is redundant. If you ever need the clarity, you can include the table name using dot syntax when referring to a table column: "user.name", "user.email".

    Quote Originally Posted by thenewprogrammer View Post
    PHP Code:
    $query="SELECT * FROM users WHERE user_name ='$_POST[username]'";
    $result=mysql_query($query);
    $num=mysql_num_rows($result);
    Check that the MySQL query succeeded (i.e. check the result isn't FALSE using "!=="), and give an appropriate error message. Just don't use "or die". You do this with the INSERT query, why not here?

    Quote Originally Posted by thenewprogrammer View Post
    PHP Code:
    //get rid of all html from hackers
    $name=strip_tags($_POST['username']);
    $email=strip_tags($_POST['email']);
    $pass=strip_tags($_POST['pass']);
    Good on the use of strip_tags.

    Never store plaintext passwords. If someone cracks the server, they have all your users' passwords. Since most people use the same password with every account they have, you've just compromised other sites. At a minimum, hash a random value + the username + the password (in that order; don't put the password first) using whirlpool or sha512; store both the hashed password and the random value. Since you're using the random value for just one thing, it's also called a "nonce". The random value + username is called "salt". Salt doesn't have to be kept secret. In this case, the confirmation code could safely be used as the nonce, if you wanted. When a user attempts to log in, hash the purported password before comparing to the stored hashed password. Read "Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes" for an introduction to the issues and "Password Hashing" for info on implementing a password storage scheme.


    Quote Originally Posted by thenewprogrammer View Post
    PHP Code:
        else{
        echo "Not found in our database ";
        }
    ...
     }else{
     header("Location:usernametaken.html");
     }
    }else{
    header("Location:invalidname.html");
    ?>
    It's hard to match up these failure cases with their tests. Either include a comment describing them or reverse the tests so the failure case can come before the success case. The error case shouldn't always come first, but here it's short, so that's the better option:
    PHP Code:
    if ($_POST['pass']  != $_POST['pass2']
     || $_POST['email'] != $_POST['email2'])
    {
        header("Location:usernametaken.html");
    See? That looks wrong, but it's what your code does.

    Quote Originally Posted by thenewprogrammer View Post
    For some reason it keeps triggering my else statements instead of going to the next step. The else statements it triggers are "error" and "Cannot send confirmation link to your email address", so I'm guessing the error is caused around if($result) but I'm not sure. I need it to be successful, and the two tables I have in the database are "temp" and "users".
    I don't see "error" in any else statement, and they all seem to be for error cases of some kind. What is the actual output of the script? It's good to cut out extraneous information, but you've left out too much. With web pages, it also helps to include a link to a live page.

    On the subject of cutting out extraneous information, code samples should be minimal test cases: enough to be complete and no more. They not only make it easier for aides to read the code, they can help expose the cause to you. Sometimes you won't even need to ask for help.
    Be sure to read all pages linked in this post; they have further information that should prove useful. When asking for help, make sure you follow Eric Raymond's and Jon Skeet's guidelines for prompt, accurate responses. Please answer any questions I ask; they're not rhetorical (probably). Any posted code is intended as illustrative example, rather than a solution to your problem to be copied without alteration. Study it to learn how to write your own solution.
    Misson, not Mission.
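
    The points raised in post #2 (bound parameters instead of interpolated $_POST values, one combined duplicate check, no plaintext passwords) put together as an added example; it is not code from any poster in this thread. It assumes PHP 7+ with pdo_sqlite, uses an in-memory SQLite database in place of the thread's MySQL, and swaps PHP's built-in password_hash() in for the hand-built salted hash described in the post; register() is a hypothetical helper.

```php
<?php
// Added example, not code from the thread. In-memory SQLite keeps it offline;
// table and column names follow the thread's `users` and `temp` tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$db->exec('CREATE TABLE users (user_name TEXT, user_email TEXT)');
$db->exec('CREATE TABLE temp (code TEXT, user_name TEXT, user_email TEXT, user_password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com')"); // constructed row

// Hypothetical helper: returns a list of problems, empty when the pending row was stored.
function register(PDO $db, array $post): array
{
    $name  = $post['username'] ?? '';
    $email = $post['email'] ?? '';
    $pass  = $post['pass'] ?? '';
    $errors = [];
    if (!preg_match('/\A[A-Za-z0-9]{1,20}\z/', $name)) { $errors[] = 'invalid username'; }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'invalid email'; }
    if ($pass === '' || $pass !== ($post['pass2'] ?? null)) { $errors[] = 'passwords differ'; }
    if ($email !== ($post['email2'] ?? null)) { $errors[] = 'emails differ'; }
    if ($errors) { return $errors; }

    // One parameterised query covers both duplicate checks; values are bound, not interpolated.
    $dup = $db->prepare('SELECT user_name, user_email FROM users WHERE user_name = ? OR user_email = ?');
    $dup->execute([$name, $email]);
    foreach ($dup->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if ($row['user_name'] === $name)   { $errors[] = 'username taken'; }
        if ($row['user_email'] === $email) { $errors[] = 'email already registered'; }
    }
    if ($errors) { return array_values(array_unique($errors)); }

    // Store only a salted hash; password_hash() generates and embeds the salt itself.
    $ins = $db->prepare('INSERT INTO temp (code, user_name, user_email, user_password) VALUES (?, ?, ?, ?)');
    $ins->execute([bin2hex(random_bytes(16)), $name, $email, password_hash($pass, PASSWORD_DEFAULT)]);
    return [];
}

// Constructed inputs. The apostrophe in a valid address would break a string-built query.
$new = ['username' => 'bob', 'pass' => 'correct horse', 'pass2' => 'correct horse',
        'email' => "o'brien@example.com", 'email2' => "o'brien@example.com"];
echo json_encode(register($db, $new)), "\n";
echo json_encode(register($db, ['username' => 'alice'] + $new)), "\n";
$hash = $db->query('SELECT user_password FROM temp')->fetchColumn();
var_dump(password_verify('correct horse', $hash), $hash !== 'correct horse');
```

    Because PDO is set to throw on failure, a broken query surfaces as an exception at the call site instead of a FALSE result that later code silently passes along.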

  3. #3

    Re: Need php help for registering

    hmm... this doesn't look right to me :
    PHP Code:
    //insert data into database
    $sql="INSERT INTO temp SET code='$confirm_code',user_name='$name',user_email='$email',user_password='$pass', user_gender='$gender',user_birthday='$birthday'";
    $result=mysql_query($sql);
    if($result){
        ...
    }
    maybe something like this rather :
    PHP Code:
    //insert data into database
    $sql="INSERT INTO temp ( `code`,`user_name`,`user_email`,`user_password`, `user_gender`,`user_birthday`) VALUES ('$confirm_code','$name','$email','$pass','$gender','$birthday')";
    $result=mysql_query($sql);
    if($result){
        ...
    }
    now if the table has a primary key then you could do this :
    PHP Code:
    //insert data into database
    $sql="INSERT INTO temp ( `code`,`user_name`,`user_email`,`user_password`, `user_gender`,`user_birthday`) VALUES ('$confirm_code','$name','$email','$pass','$gender','$birthday')";
    $result=mysql_query($sql);
    if($result || mysql_insert_id() > 0){
        ...
    }
    I hope it helps
    Last edited by DefecTalisman; 10-24-2009 at 03:15 AM. Reason: added backticks to the insert into statement

    http://dev.x10hosting.com (this has nothing to do with x10hosting)

    ->All us helpful people here at x10hosting would like to reach our next user groups, "Community Paragon". Please click the +rep icon on the left hand side of a post if that post was helpful.



  4. #4
    misson

    Re: Need php help for registering

    Quote Originally Posted by DefecTalisman View Post
    hmm... this doesn't look right to me :
    PHP Code:
    //insert data into database
    $sql="INSERT INTO temp SET code='$confirm_code',user_name='$name',user_email='$email',user_password='$pass', user_gender='$gender',user_birthday='$birthday'"
    "INSERT INTO table SET column=value, ..." is valid syntax, though I personally prefer the INSERT INTO table (columns) VALUES ... form.
    Last edited by misson; 10-24-2009 at 04:48 AM.
