My code is ...

    <?php
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['password']);
        $passwordr = mysql_real_escape_string($_POST['passwordr']);
        $email = mysql_real_escape_string($_POST['email']);

        if(empty($username) || empty($password) || empty($passwordr) || empty($email)) {
            echo '<div class="alert alert-danger">Bitte fülle alle Felder aus.</div>';
        }

        elseif(!preg_match('/^[a-zA-Z0-9-_^#]{4,15}$/', $username)) {
            echo '<div class="alert alert-danger">Bitte gebe einen gültigen Usernamen ein.<br />Der Username muss mindestens 4 und maximal 15 Zeichen lang sein und darf nur folgende Sonderzeichen enthalten: -_^#</div>';
        }

        elseif(!preg_match('/^[a-zA-Z0-9-_*^#?!.,;@€]{8,20}$/', $password)) {
            echo '<div class="alert alert-danger">Bitte gebe ein gültiges Passwort ein.<br />Das Passwort muss mindestens 8 und maximal 20 Zeichen lang sein und darf nur folgende Sonderzeichen enthalten: -_*^#?!.,;@€</div>';
        }

        elseif($passwordr != $password) {
            echo '<div class="alert alert-danger">Die Passwörter stimmen nicht überein.</div>';
        }

        elseif(!preg_match('/^[a-zA-Z0-9-_.]+@[a-zA-Z0-9-_.]+\.[a-zA-Z]{2,4}$/', $email)) {
            echo '<div class="alert alert-danger">Bitte gebe eine gültige E-Mail Adresse ein.</div>';
        }

        else {
            die("have a n1 day");
        }
    ?>

Somehow, I always get `<div class="alert alert-danger">Bitte fülle alle Felder aus.</div>`, even when the forms aren't empty.

Why?

Here's my form ...

    <div class="row">
        <form method="POST">
            <fieldset>
                <div class="col-lg-5">
                    <div id="username-group" class="form-group">
                        <label for="username">Username</label>
                        <input type="text" name="username" id="username" class="form-control" placeholder="Username">
                    </div>
                    <div id="password-group" class="form-group">
                        <label for="password">Passwort</label>
                        <input type="password" name="password" id="password" class="form-control" placeholder="Passwort">
                    </div>
                    <div id="passwordr-group" class="form-group">
                        <label for="passwordr">Passwort wiederholen</label>
                        <input type="password" name="passwordr" id="passwordr" class="form-control" placeholder="Passwort wiederholen">
                    </div>
                    <div id="email-group" class="form-group">
                        <label for="email">E-Mail</label>
                        <input type="email" name="email" id="email" class="form-control" placeholder="E-Mail">
                    </div>
                    <input type="submit" name="submit" id="submit" class="btn btn-default" value="Registrieren">
                </div>
            </fieldset>
        </form>
    </div>

I'm using Bootstrap, but I don't think that's the problem. And the code looks fine too.

Underbytex
  • Where are your variables being set? Can you provide your form markup too? – Jonnix May 14 '15 at 21:34
  • First check that you are actually getting values back from the form; you can use: `print_r($_REQUEST);die;`. Then show some more code where you are actually assigning this from $_POST (or $_GET) into those variables. You're not using extract, right? – Mahakala May 14 '15 at 21:39
  • You realize that the name doesn't magically turn into `$username`, but `$_POST['username']` – adeneo May 14 '15 at 21:41
  • Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and consider using PDO, [it's not as hard as you think](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 14 '15 at 21:46
  • That is some yucky code for many reasons. First, you're using mysql_* functions, which are deprecated. Second, you're placing ridiculous limits on passwords with your regex, which is actually going to lower the security of your app. Third, since you have a password length limit, I'm assuming you are also storing them in plain text instead of hashing them with `password_hash()`. And then to add additional wrongness, you are using regex to validate an email address instead of using `filter_var`. – Mike May 14 '15 at 21:46
  • If you don't have an active mysql session then you cannot use the `mysql_real_escape_string` function; try to remove the function or use it in the active session – tzafar May 14 '15 at 21:48
  • If I want to use the password "password", or "12345678", or "qwertyui" your system will allow me to do so, but something like "r6Ö·)ßëºÆáØ\ã½" will be rejected. Which seems more secure to you? – Mike May 14 '15 at 21:50

1 Answer

If you add the error logging

    error_reporting(E_ALL);
    ini_set('display_errors','On');

you will see this:

Deprecated: mysql_real_escape_string(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in .../public_html/index.php on line 38

Warning: mysql_real_escape_string(): Access denied for user 'www-data'@'localhost' (using password: NO) in .../public_html/index.php on line 38

`mysql_real_escape_string` requires you to connect to the database first. Also, this function is indeed deprecated.

You can start with deleting mysql_real_escape_string from the code to see that it works.

Axalix
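
A registration handler along the lines the comments and the answer point to, as an added example rather than code from the question or the answer: it validates the raw `$_POST` strings before any database call, uses `filter_var` and `password_hash()`, and inserts through a PDO prepared statement. The `users` table, the in-memory SQLite connection (which needs the `pdo_sqlite` extension) and the sample submissions are assumptions; the password rule here is a minimum length only.

```php
<?php
// Added example, not the asker's or answerer's code. The users table and the
// in-memory SQLite database are assumptions standing in for the real schema.

// Validate the raw strings. Nothing here needs a database connection, so a
// failed connection can no longer make every field look empty.
function validate_registration(array $in): array
{
    foreach (['username', 'password', 'passwordr', 'email'] as $field) {
        if (!isset($in[$field]) || !is_string($in[$field]) || $in[$field] === '') {
            return ['Please fill in all fields.'];
        }
    }
    $errors = [];
    // \z instead of $ so a trailing newline is not accepted.
    if (!preg_match('/^[a-zA-Z0-9_^#-]{4,15}\z/', $in['username'])) {
        $errors[] = 'Invalid username.';
    }
    // Minimum length only: no character whitelist and no low upper bound.
    if (strlen($in['password']) < 8) {
        $errors[] = 'Password too short.';
    }
    if ($in['password'] !== $in['passwordr']) {
        $errors[] = 'Passwords do not match.';
    }
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address.';
    }
    return $errors;
}

// Store the user with bound parameters and a password hash, no manual escaping.
function register_user(PDO $pdo, array $in): array
{
    $errors = validate_registration($in);
    if ($errors === []) {
        $stmt = $pdo->prepare('INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)');
        $stmt->execute([$in['username'], $in['email'],
            password_hash($in['password'], PASSWORD_DEFAULT)]);
    }
    return $errors;
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT UNIQUE, email TEXT, password_hash TEXT)');
// Constructed submissions standing in for $_POST.
$ok = ['username' => 'under_byte', 'password' => "correct horse; battery's staple",
       'passwordr' => "correct horse; battery's staple", 'email' => 'user@example.com'];
var_dump(register_user($pdo, $ok), register_user($pdo, ['username' => 'x']));
```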