0

I'm sure this get's asked a lot but everybody's code is different, but I'm having trouble validating my registration form.

I'll post my code below the snippet.

Now what exactly am I doing wrong? I want to make sure every field is filled out but even if I use the code below or I add in a die() function with an error echo the rest of the code still gets executed and the form is sent off.

The snippet below is the sort of thing I've been trying.

if(isset($_POST["submit"])){
if(empty($firstname) || empty($lastname) || empty($username) || empty($password) || 
empty($passwordconf) 
{
echo "You did not fill out the required fields.";
die();  
}   
$user=$_POST['user'];
$pass=$_POST['pass'];

This is my current code as it stands.

if(isset($_POST["submit"])){
$user=$_POST['user'];
$pass=$_POST['pass'];
$fname=$_POST['fname'];
$lname=$_POST['lname'];
$email=$_POST['email'];
$username = "DBname";
$password = "DBpass";
$hostname = "DBhost"; 
$md5pass = md5($pass);


if(empty($email)){ //this is what I've tried 
    $errors[] = "email cannot be left empty";
}

//connection to the database
$dbhandle = mysqli_connect($hostname, $username, $password)
or die("Unable to connect to server");

$con=mysql_connect($hostname, $username, $password) or die(mysql_error());
$select=mysql_select_db("Database", $con) or die("cannot select DB");

$query=mysql_query("SELECT * FROM login WHERE username='".$user."'");
$numrows=mysql_num_rows($query);
if($numrows==0)
{
$sql="INSERT INTO login(username,password,firstname,lastname,email) 
VALUES('$user','$md5pass','$fname','$lname','$email')";

$result=mysql_query($sql);


if($result){
echo "Account Successfully Created, Please login to continue";
} else {
echo "Failure!";
}

} else {
echo "That username already exists! Please try again with another.";
}
}
user3632789
  • 5
  • 1
  • 1
    Your database is very vulnerable to injection – Sterling Archer May 15 '14 at 14:56
  • 1
    **Danger**: You are mixing [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) with a modern one (which won't work) and should use only a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin May 15 '14 at 14:56
  • You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin May 15 '14 at 14:57
  • It isn't erroring, because the code you say you are using, doesn't have the `die` statement in it. – Quentin May 15 '14 at 14:58
  • Yes I know my code probably isn't safe but this site isn't actually live. I'm trying to learn everything before I put it into actual practise – user3632789 May 15 '14 at 14:58
  • I see this response all the time. Why wouldn't you want to learn and practice the correct way!? – dcclassics May 15 '14 at 15:19
  • I am doing it the correct way! just not in this project :) I'm sorry but I just want to know how to properly validate my form, I'm well aware of the issues already there. – user3632789 May 15 '14 at 15:24
  • Shouldn't it be `if(empty($_POST['fname'])||..`. You are checking a variable `$firstname` in the first part that isn't set. – Michel May 15 '14 at 15:32

1 Answers1

0

Maybe it got lost during copy but the second if needs a closing )

if(isset($_POST["submit"])){
    if(empty($firstname) || empty($lastname) || empty($username) || empty($password) || empty($passwordconf)) {
a1ee9b
  • 31
  • 6