0

I have a two-step sign-up form. From the first step I'm picking up the email and username, and from the second step I want to pick up the first name and last name and add them to the DB. But the problem is that the variables which I've got from the first POST form, $bridge_username to be exact, are not available in the IF statement below (the first one from the bottom). The thing is that they are visible anywhere else, but not inside this particular IF statement. I've tried everything, including sessions. I can clearly see that the variable is still there (using vardump or just echoing it out), everywhere but not where I need it... I'll be happy to hear your advice.

$bridge_email = $_POST['email'];
$bridge_username = $_POST['username'];
$bridge_pass = $_POST['password'];
$bridge_pass_conf = $_POST['passconf'];
$bridge_terms = $_POST['terms'];
$bridge_pass_counted = strlen($bridge_pass);
$bridge_username_counted = strlen($bridge_username);
if (isset ($_POST['email']) AND isset ($_POST['password']) AND isset ($_POST['passconf']) AND isset ($_POST['username'])) { 

if ($bridge_email != '' AND $bridge_pass != '' AND $bridge_pass_conf != '' AND $bridge_username != '' AND $bridge_terms != '') {

if ($bridge_pass == $bridge_pass_conf) {

if ($bridge_pass_counted >= 33 OR $bridge_pass_counted <= 5) {
} else {

if ($bridge_username_counted >= 65 OR $bridge_username_counted <= 3) {
} else {

if (is_numeric(substr($bridge_username, 0, 1))) {
                } else {
//CHECK IF USERNAME OR EMAIL ALREADY EXIST  
$checkreguser = $mysqli->query("SELECT username FROM `engine_users` WHERE username = '$bridge_username' OR email = '$bridge_email' LIMIT 0, 1 ");
$checkreguser = $checkreguser->fetch_assoc();
if ($checkreguser == '') {
//CREATING A NEW USER 
$mysqli->query("INSERT INTO `users` (`id`, `username`, `password`, `email`, `fname`, `lname`, `company`, `address`, `city`, `state`, `zip`, `country`, `currency`, `phone`, `vat`, `userlevel`, `created`, `notes`, `lastlogin`, `lastip`, `active`) VALUES\n"
    . "(NULL, '$bridge_username', '1411678a0b9e25ee2f7c8b2f7ac92b6a74b3f9c5', '$bridge_email', '', '', NULL, '', '', '', '', '', '', '', NULL, 5, '2011-05-01 18:10:14', '', '2013-04-19 22:25:11', '127.0.0.1', 'y')");
}}}}}}}

$bridge_fname = $_POST['1_1_3'];
$bridge_lname = $_POST['1_1_4'];
if (isset ($_POST['1_1_3']) AND isset ($_POST['1_1_4'])) {
$mysqli->query("UPDATE `users` SET `fname` = '$bridge_fname',`lname` = '$bridge_lname' WHERE `users`.`username` = '$bridge_username'");
}
Sumit Bijvani
  • This may not be your problem, but you are accessing certain `_POST` variables before you check that they exist. Why not change the order? And what makes you say "not visible"? Could you show the result of a vardump just before and just after the if statements? – Floris Apr 20 '13 at 05:18
  • Values inside single quotes don't get expanded... You have `'$bridge_username'` in single quotes which makes it a string, not a variable, if I'm not mistaken. – Floris Apr 20 '13 at 05:23
  • Your script may be vulnerable to SQL injections. Make sure to validate and [process the user provided parameters properly](http://stackoverflow.com/q/60174/53114). – Gumbo Apr 20 '13 at 06:37

4 Answers

0

Use

if(isset($_POST['bridge_username']))

To see if it exists.

You can also use the ternary operator:

$email = isset($_POST['bridge_username']) ? $_POST['bridge_username'] : false;

And ye.. "$bridge_username to be exact, is not available in the IF statement below."

Show us the exact error if you want a more detailed answer :)

Kevin Reid
Jonast92
  • That's why I'm here, it isn't giving me any errors, so I'm kind of stuck. I've tried to do as you said and realized that `$bridge_username` and all the other variables from the first POST are available through the whole php file, but ONLY if you don't use them within IF statements. – Eugene Bondarenko Apr 20 '13 at 05:32
  • What do you mean no error? What is the problem then? Doesn't it simply go to the ELSE part of the statement and end of story? – Jonast92 Apr 20 '13 at 05:34
  • I mean no error messages. When you use this var not within IF statements it works just fine; otherwise, `echo` shows it as plain text `$bridge_username`. I just assumed that it's just my lack of theory knowledge and there is an easy explanation for this... – Eugene Bondarenko Apr 20 '13 at 05:35
  • Okay, what is the result that you expect and why? – Jonast92 Apr 20 '13 at 05:37
  • I expect this var to still be available for the second form or at least not to be available anywhere after the first form submitting. In this case I could use session to store this var. But even with session storage this var doesn't work within IF statements, even though vardump for session show that variable is there... I'm just confused :) – Eugene Bondarenko Apr 20 '13 at 05:42
  • RE: _"Doesn't it simply go to the ELSE part of the statement and end of story?"_ The thing is that I need this variable, to get the username from the first input form, when I'm processing the second form, so I can identify the user to make an update in the corresponding mysql row and add first name and last name there – Eugene Bondarenko Apr 20 '13 at 05:46
0

http://php.net/manual/en/function.isset.php

I would try and break your code down to a simple few lines and test the if statement. Better to identify where it is breaking. Maybe add some echo statements during different steps or comment and step through the code. Example below.

$bridge_email = $_POST['email'];
$bridge_pass = $_POST['password'];

if (isset($_POST['email']) AND isset($_POST['password'])) {
    // EXECUTE AN ALERT
    echo "email and pass are set";
} else {
    echo "not passing";
}
Shawn Altman
  • I'll try, but the thing is that all IF statements, including the last one, are working well, they're just not reading previous POST data, even if it was passed to vars or even session. On the other hand, with any other vars inside (which are not originating from older POST data) everything's okay. I just can't find any logic here... – Eugene Bondarenko Apr 20 '13 at 05:53
0

I fixed your code a bit to make you a good example; the main issue was how you build your query string.

..." username = '$bridge_username' "

This will result in a string like you see it (it is good debugging practice to print the queries before executing them). You have to change it to:

." username = '".$bridge_username."' "

and the variable will be replaced with its value.

Also added checks for the post values, so you don't get warnings if they are not set.

$bridge_email = (isset($_POST['email']) ? $_POST['email'] : null);
$bridge_username = (isset($_POST['username']) ? $_POST['username'] : null);
$bridge_pass = (isset($_POST['password']) ? $_POST['password'] : null);
$bridge_pass_conf = (isset($_POST['passconf']) ? $_POST['passconf'] : null);
$bridge_terms = (isset($_POST['terms']) ? $_POST['terms'] : null);
//$bridge_pass_counted = strlen($bridge_pass); 
//$bridge_username_counted = strlen($bridge_username);

//return early and stay back from chained IFs
if (!$bridge_email || !$bridge_username || !$bridge_pass || !$bridge_pass_conf) {
    return;
}

if ($bridge_pass != $bridge_pass_conf) {
    return;
}

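// reject passwords outside 6-32 characters (same limits as the question)
if (strlen($bridge_pass) <= 5 OR strlen($bridge_pass) >= 33) {
    return;
}

// reject usernames outside 4-64 characters (same limits as the question)
if (strlen($bridge_username) <= 3 OR strlen($bridge_username) >= 65) {
    return;
}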

if (is_numeric(substr($bridge_username, 0, 1))) {
    return;
}

$result = $mysqli->query("SELECT username FROM `engine_users` WHERE username = '" . $bridge_username . "' OR email = '" . $bridge_email . "' LIMIT 0, 1 ");
$checkreguser = $result->fetch_assoc(); // returns associative array of strings  or NULL if there are no more rows 
//if ($checkreguser == '') {

if ($checkreguser === null) {
//CREATING A NEW USER 
    $mysqli->query("INSERT INTO `users` (`id`, `username`, `password`, `email`, `fname`, `lname`, `company`, `address`, `city`, `state`, `zip`, `country`, `currency`, `phone`, `vat`, `userlevel`, `created`, `notes`, `lastlogin`, `lastip`, `active`) VALUES\n"
            . "(NULL, '" . $bridge_username . "', '1411678a0b9e25ee2f7c8b2f7ac92b6a74b3f9c5', '" . $bridge_email . "', '', '', NULL, '', '', '', '', '', '', '', NULL, 5, '2011-05-01 18:10:14', '', '2013-04-19 22:25:11', '127.0.0.1', 'y')");
}

$bridge_fname =  (isset($_POST['1_1_3']) ? $_POST['1_1_3'] : null);
$bridge_lname =  (isset($_POST['1_1_4']) ? $_POST['1_1_4'] : null);
if ($bridge_fname AND $bridge_lname ) {
    $mysqli->query("UPDATE `users` SET `fname` = '" . $bridge_fname . "',`lname` = '" . $bridge_lname . "' WHERE `users`.`username` = '" . $bridge_username . "'");
}

Please examine the IF structure, returning early makes the code more readable.

d.raev
0

Are you checking to see if the session has been started? I see that you keep mentioning that the data was passed to session. May want to set this up to make sure that it is getting handled.

Try checking that the session variable was created and if not redirect back to the registration/login page.

As an example... if the session is not registered it will move to a different script or location.

session_start();
// session_is_registered() was removed in PHP 5.4; check $_SESSION directly
if (!isset($_SESSION['myusername'])) {
    header("Location: main_login.php");
    exit;
}

You could further test the session by echoing contents on an isset on session to keep testing. Again, I would break your code down into the most basic form to learn what is going on. Might also need to see the prior page code to see what is happening.

Found another example online that might help you out. http://www.phpeasystep.com/phptu/6.html

Shawn Altman
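
The two-step flow discussed in the answers above, as an added example that is not part of the original thread or any poster's code: the username from step one is carried in the session, and every query uses mysqli prepared statements, which addresses the SQL injection risk raised in the comments. The session key `signup_username`, the connection credentials, the use of `users` for the duplicate check, default values on the remaining columns and a `password` column wide enough for `password_hash()` output are assumptions.

```php
<?php
// Added example; table and column names follow the question, the rest is assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw
function signup_step_one(mysqli $db, array $post): bool
{
    $email = trim($post['email'] ?? '');
    $user  = trim($post['username'] ?? '');
    $pass  = $post['password'] ?? '';
    // Limits from the question: password 6-32 chars, username 4-64 chars, no leading digit.
    if ($email === '' || empty($post['terms']) || $pass !== ($post['passconf'] ?? '')
        || strlen($pass) <= 5 || strlen($pass) >= 33
        || strlen($user) <= 3 || strlen($user) >= 65 || ctype_digit($user[0])) {
        return false;
    }
    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $db->prepare('SELECT 1 FROM `users` WHERE `username` = ? OR `email` = ? LIMIT 1');
    $stmt->bind_param('ss', $user, $email);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        return false; // username or email already registered
    }
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO `users` (`username`, `password`, `email`) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $user, $hash, $email);
    $stmt->execute();
    session_regenerate_id(true);
    $_SESSION['signup_username'] = $user; // hypothetical key; read back in step two
    return true;
}

function signup_step_two(mysqli $db, array $post): bool
{
    $user  = $_SESSION['signup_username'] ?? null; // from the session, not the form
    $fname = trim($post['1_1_3'] ?? '');
    $lname = trim($post['1_1_4'] ?? '');
    if ($user === null || $fname === '' || $lname === '') {
        return false;
    }
    $stmt = $db->prepare('UPDATE `users` SET `fname` = ?, `lname` = ? WHERE `username` = ?');
    $stmt->bind_param('sss', $fname, $lname, $user);
    $stmt->execute();
    unset($_SESSION['signup_username']);
    return $stmt->affected_rows === 1;
}

session_start();
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholder credentials
$ok = isset($_POST['1_1_3']) ? signup_step_two($mysqli, $_POST) : signup_step_one($mysqli, $_POST);
```

Because the step-two handler reads the username only from `$_SESSION`, a client cannot choose which row the `UPDATE` touches by editing form fields.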