php - MySQL linking error

[greatm]

I'll start off by admitting that while I have no issues with html and css, I have a very basic understanding of php. I haven't used MySQL, but I am fairly comfortable with Microsoft SQL Server 2005 and don't think the issue is with the database.

I do not believe my log-in code is wrong, but I am including it as well, I think the whole issue is with my registration code. It seems to work partially, allowing a user name to be passed through into the table, but it looks like the password takes the username as the input value. I have an id field that is a simple integer field set to automatically increase as entries are added and that seems to work as well.

The php page I have with the forms that call the login and registration to run are all pretty much straight up html/css and based on previous use of forms I think there is nothing wrong with them since both my own scouring through the code and dreamweaver found nothing wrong with them andthe ids match the ones being referenced.

The email field and the display field both seem to be dropped from the insert portion if it reaches that point in the code. As I mentioned before, I believe that the user is being inserted into both the user field and the password field in the database.

I'll stop my babble now and show you the two pages of code, the only thing I edited before copying them over was the variable names since I can already connect to the database.:

Registration - code

PHP Code:

<?
//Initializing registration
//Set up variables
$host = "localhost";
$user = "username";
$pass = "password";
$db = "database";
$tbl = "table";
//Connect to server
mysql_connect("$host", "$user", "$pass") or trigger_error('Could not connect to server');
//Connect to user table
mysql_select_db("$db")or trigger_error('Could not access required database on server');
//Pass through new user info
$newuser = $_POST['newuser']; 
$newpass = $_POST['newpass'];
$newpass2 = $_POST['conpass']; 
$newmail = $_POST['newemail']; 
$newdisp = $_POST['newdisplay'];
//Protect MySQL Injection
$newuser = stripslashes($myuser);
$newpass = stripslashes($mypass);
$newpass2 = stripslashes($mypass2);
$newmail = stripslashes($mymail);
$newdisp = stripslashes($mydisp);
$newuser = mysql_real_escape_string($myuser);
$newpass = mysql_real_escape_string($mypass);
$newpass2 = mysql_real_escape_string($mypass2);
$newmail = mysql_real_escape_string($mymail);
$newdisp = mysql_real_escape_string($newdisp);
//check password
if ($newpass == $newpass2)
{
 //encrypt and set up final variables before insertion
 $passfinal = $newpass;
 $npass = md5($passfinal);
 $user = md5($newuser);
 $mail = $newmail;
 $disp = $newdisp;
}
else
{
 echo "Passwords do not match";
 exit;
}
//Verify user is not registered already
$sql = "SELECT * FROM $tbl WHERE User='$user'";
$pull = mysql_query($sql);
$count = mysql_num_rows($pull);
if ($count > 1)
{
 echo "User already exists"; 
 exit;
}
else
{
 //Add user to user table
 $insert = "INSERT INTO users (User, Password, Email, Display) VALUES ('$user', '$npass', '$mail', '$disp')";
 mysql_query($insert);
 echo "User created. Please go back to <a href='http://mysticfate.co.cc'>MysticFate</a>";
}
?>

Login - code

PHP Code:

<?
//Initializing login portion of script
//Set up variables
$host = "localhost";
$user = "username";
$pass = "password";
$db = "database";
$tbl = "table";
//Connect to server
mysql_connect("$host", "$user", "$pass") or trigger_error('Could not connect to server');
//Connect to user table
mysql_select_db("$db")or trigger_error('Could not access required database on server');
//Pass through user name and password
$myuser = $_POST['myuser']; 
$mypass = $_POST['mypass']; 
//Protect MySQL Injection
$myuser = stripslashes($myuser);
$mypass = stripslashes($mypass);
$myuser = mysql_real_escape_string($myuser);
$mypass = mysql_real_escape_string($mypass);
//Encrypt fields
$encryptuser = md5($myuser);
$encryptpass = md5($mypass);
//SQL statement selecting user passed through
$sql="SELECT * FROM $tbl WHERE User='$encryptuser' and Password='$encryptpass'";
$result = mysql_query($sql);
//Counting table rows
$count = mysql_num_rows($result);
//Verifying only one row exists and if succesful redirect to succesful login page
if ($count==1)
{
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else
{
echo "Wrong Username/Password or not registered";
}
?>

I'm sure I missed something stupidly obvious, and would like to thank everyone who replies in advance for the help

[descalzo]

PHP Code:

 
//Pass through new user info
$newuser = $_POST['newuser']; 
$newpass = $_POST['newpass'];
$newpass2 = $_POST['conpass']; 
$newmail = $_POST['newemail']; 
$newdisp = $_POST['newdisplay'];
//Protect MySQL Injection
// THESE DO NOT MATCH!!!!!!
// $myuser, $mypass ??? etc
$newuser = stripslashes($myuser);
$newpass = stripslashes($mypass);
$newpass2 = stripslashes($mypass2);
$newmail = stripslashes($mymail);
$newdisp = stripslashes($mydisp);
$newuser = mysql_real_escape_string($myuser);
$newpass = mysql_real_escape_string($mypass);
$newpass2 = mysql_real_escape_string($mypass2);
$newmail = mysql_real_escape_string($mymail);
$newdisp = mysql_real_escape_string($newdisp); 


See the comments. You went from $newuser to $myuser, etc in the registration code.

[greatm]

Thanks, I knew it had to be something stupid and it was.

Hopefully I will look more closely when I copy code from another page that has part of it set up how I need.

[xav0989]

After having looked over your code, I have a little comment to optimize your script. It is to not encrypt the user name field. It will save some processing time on php's side and will reduce the size of your database.

[misson]

Readability suggestion: the calls to stripslashes and mysql_real_escape_string in the registration script can be shortened to:

PHP Code:

if (get_magic_quotes_gpc()) {
    $_POST = array_map('stripslashes', $_POST);
}
$registrationData = array_map('mysql_real_escape_string', $_POST); 


Also, don't neglect to check the result of the INSERT query.

trigger_error will only halt the script if the error level is E_USER_ERROR.

[greatm]

Okay, thanks for the information and tips.

I will integrate the magic quote bit and improve upon the basic error checking I have.

I know encrypting the username field has more overhead than leaving it be, I am used to working with guids and encryption was close enough to a guid for me since I use the field mostly as a user id. I will probably add another field into the database and insert the username in without encryption there before I fully implement the finished system, but for now it is working for my purposes.