Hey guys, I am very new to this, so I am sorry if there is just something completely stupid I am missing here. I have the following sign-up form, and in the URL http://www.rockaholics-cologne.de/root/signup.php?e=cataras@gmx.de I am trying to submit the value e. However, in all cases e is simply empty or undefined:

 <?php
   // Ajax calls this REGISTRATION code to execute
   if(isset($_POST["u"])){
   // CONNECT TO THE DATABASE
   include_once("php_includes/db_conx.php");
   // GATHER THE POSTED DATA INTO LOCAL VARIABLES
    $u = preg_replace('#[^a-z0-9]#i', '', $_POST['u']);
    $p = $_POST['p'];
    $e = $_GET['e'];
    echo "test";
    echo "$e";
    // GET USER IP ADDRESS
    $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
    // DUPLICATE DATA CHECKS FOR USERNAME AND EMAIL
    $sql = "SELECT id FROM team WHERE username='$u' LIMIT 1";
    $query = mysqli_query($db_conx, $sql); 
    $u_check = mysqli_num_rows($query);
    // FORM DATA ERROR HANDLING
    if($u == "" || $p == ""){
        echo "The form submission is missing values.";
        exit();
    } else if ($u_check > 0){ 
        echo "The username you entered is already taken";
        exit();
    } else if (strlen($u) < 3 || strlen($u) > 16) {
        echo "Username must be between 3 and 16 characters";
        exit(); 
    } else if (is_numeric($u[0])) {
        echo 'Username cannot begin with a number';
        exit();
    } else {
    // END FORM DATA ERROR HANDLING
        // Begin Insertion of data into the database
        // Hash the password and apply your own mysterious unique salt
        $cryptpass = crypt($p);
        include_once ("php_includes/randStrGen.php");
        $p_hash = randStrGen(20)."$cryptpass".randStrGen(20);
        // Add user info into the database table for the main site table
        $sql = "UPDATE team
                SET username='$u',password='$p_hash',ip='$ip',signup=now(),lastlogin=now(),notecheck=now()
                WHERE email='$e'";
        $query = mysqli_query($db_conx, $sql); 
        $uid = mysqli_insert_id($db_conx);
        // Create directory(folder) to hold each user's files(pics, MP3s, etc.)
        if (!file_exists("user/$u")) {
            mkdir("user/$u", 0755);
        }
        // Email the user their activation link
        $to = "$e";                          
        $from = "auto_responder@yoursitename.com";
        $subject = 'Account Activation';
        $message = '<!DOCTYPE html><html><head><meta charset="UTF-8">
        <title>yoursitename Message</title></head>
        <body style="margin:0px; font-family:Tahoma, Geneva, sans-serif;">
        <div style="padding:10px; background:#333; font-size:24px; color:#CCC;">
        <a href="http://www.yoursitename.com"><img src="http://www.rockaholics-cologne.de/root/images/logo.png" width="36" height="30" alt="yoursitename" style="border:none; float:left;"></a>Account Activation</div>
        <div style="padding:24px; font-size:17px;">Hello '.$u.',<br /><br />Click the link below to activate your account when ready:<br /><br /><a href="http://www.rockaholics-cologne.de/root/activation.php?id='.$uid.'&u='.$u.'&p='.$p_hash.'">Click here to activate your account now</a><br /><br />Login after successful activation using your:<br />* Username: <b>'.$u.'</b></div></body></html>';
        $headers = "From: $from\n";
        $headers .= "MIME-Version: 1.0\n";
        $headers .= "Content-type: text/html; charset=iso-8859-1\n";
        mail($to, $subject, $message, $headers);
        echo "signup_success";
        exit();
    }
    exit();
}
?>

I do get new entries into the database when I fill out the form. But it neither sends me an email nor UPDATEs the database at the specified email. It simply updates all the entries with a blank email. The echo "$e" within the script also returns nothing.

I used this code to check:

<?php

    echo "<pre>";
    print_r($_GET);
    echo "</pre>";
    $e = $_GET['e'];
    echo "$e";

?>

And in this case it does return an array with [e]=cataras@gmx.de and it also prints out $e. But why doesn't it work in the other script? I'm using the exact same methods to get e from the URL.

When I run my JavaScript function:

function signup(){
    var u = _("username").value;
    var p1 = _("pass1").value;
    var p2 = _("pass2").value;
    var status = _("status");
    if(u == "" || p1 == "" || p2 == ""){
        status.innerHTML = "Fill out all of the form data";
    } else if(p1 != p2){
        status.innerHTML = "Your password fields do not match";
    } else {
        _("signupbtn").style.display = "none";
        status.innerHTML = 'please wait ...';
        var ajax = ajaxObj("POST", "signup.php");
        ajax.onreadystatechange = function() {
            if(ajaxReturn(ajax) == true) {
                if(ajax.responseText.replace(/^\s+|\s+$/g, "") == "signup_success"){
                    status.innerHTML = ajax.responseText;
                    _("signupbtn").style.display = "block";
                } else {
                    window.scrollTo(0,0);
                    _("signupform").innerHTML = "OK "+u+", check your email inbox and junk mail box at <u>"+e+"</u> in a moment to complete the sign up process by activating your account. You will not be able to do anything on the site until you successfully activate your account.";
                }
            }
        }
        ajax.send("u="+u+"&p="+p1);
    }
}

I get Uncaught ReferenceError: e is not defined. And the site stops at "please wait...". I just took out the +e+ in the JS to get to the PHP above. Sorry for the long post, but I am really running out of ideas. THANKS in advance!!!

Cataras
  • Your approach to validate/clean the input values for `$_POST['u']` and `getenv('REMOTE_ADDR')` are hilarious. Use a regex pattern to test the trimmed value you get against, instead of removing all characters you do not expect. – arkascha Nov 29 '14 at 10:17
  • You should do urlencode($e) before posting it; it is not OK to post the '@' sign from mail – Maria Gheorghe Nov 29 '14 at 10:20
  • Declare "e" as variable `var e = _("e").value;` you are using "e" `"+e+"` and you didn't declare "e" as variable. – Alex Nov 29 '14 at 10:28
  • Much recommended reading: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php and http://blog.ircmaxell.com/2012/04/introducing-passwordlib.html – Gordon Nov 29 '14 at 10:34
  • Thanks very much for the answers and I will definitely try to make the program more secure once it's running. But as of now I still don't understand why it echoes $e in my test code but doesn't recognize $e in my big PHP function!? – Cataras Nov 29 '14 at 11:09

1 Answer

I think $_GET['e'] is not working in your original script because it's not getting passed to that processing script from your form page. I accessed the URL you provided (http://www.rockaholics-cologne.de/root/signup.php?e=cataras@gmx.de). Note that when you submit your form, the value of "e" in your URL is not being passed to whatever is processing your script. In your form, you need to either do this:

<form action="{yourscripturl}?e=<?php echo urlencode($_GET['e']); ?>" {rest of form tag}>

Or, add a hidden input to hold the value of "e", and then use $_POST['e'] on your processing script instead of $_GET['e'].

<input type="hidden" name="e" value="<?php echo htmlspecialchars($_GET['e'], ENT_QUOTES, 'UTF-8'); ?>" />
Eric Ping
  • Thanks. I eventually gave up yesterday and tried something similar to the hidden input :) Thanks to everyone – Cataras Nov 30 '14 at 12:21
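
The hidden-field approach from the answer, combined with the pattern test, prepared statements and password hashing that the comments point to, as an added example (not code from the question or the answer). It assumes PDO with an in-memory SQLite table standing in for the MySQL `team` table; the function name `complete_signup`, the messages and the sample rows are constructed.

```php
<?php
// Added example, not the poster's code. SQLite in memory stands in for the
// page's MySQL `team` table so the script runs offline; rows are constructed.
function complete_signup(PDO $db, array $post, string $ip): string
{
    $u = trim($post['u'] ?? '');
    $p = $post['p'] ?? '';
    // 'e' now arrives in the POST body (hidden field), not in $_GET.
    $e = filter_var($post['e'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($e === false) {
        return 'Missing or invalid email.'; // never run the UPDATE with a blank email
    }
    // Test against a pattern instead of stripping unexpected characters.
    if (!preg_match('/^[a-z][a-z0-9]{2,15}$/i', $u)) {
        return 'Username must be 3-16 letters or digits and not begin with a number';
    }
    if ($p === '') {
        return 'The form submission is missing values.';
    }
    $taken = $db->prepare('SELECT id FROM team WHERE username = ? LIMIT 1');
    $taken->execute([$u]);
    if ($taken->fetchColumn() !== false) {
        return 'The username you entered is already taken';
    }
    // Placeholders keep $u and $e out of the SQL text; password_hash() salts itself.
    $upd = $db->prepare(
        'UPDATE team SET username = ?, password = ?, ip = ? WHERE email = ?'
    );
    $upd->execute([$u, password_hash($p, PASSWORD_DEFAULT), $ip, $e]);
    return $upd->rowCount() === 1 ? 'signup_success' : 'No invitation found for that email.';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE team (id INTEGER PRIMARY KEY, email TEXT, username TEXT, password TEXT, ip TEXT)');
$db->exec("INSERT INTO team (email) VALUES ('invited@example.com'), ('')");

// Constructed requests: e missing (the original bug), an address containing
// a quote, a valid invited address, and a repeat with the same username.
$requests = [
    ['u' => 'cataras', 'p' => 'secret-pass'],
    ['u' => 'cataras', 'p' => 'secret-pass', 'e' => "o'brien@example.com"],
    ['u' => 'cataras', 'p' => 'secret-pass', 'e' => 'invited@example.com'],
    ['u' => 'cataras', 'p' => 'other-pass',  'e' => 'invited@example.com'],
];
foreach ($requests as $post) {
    echo complete_signup($db, $post, '203.0.113.7'), "\n";
}
```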