
I am trying to create a random string with my function, which works, and to insert the string into my table.

After submitting register.php, the page activation.php follows. On the activation page the user should input the generated string, and if it works, the page login.php follows.

My problem is that on the activation.php page the error "ERROR" shows. It looks like my if condition between the user input $code and the variable $result won't work. Where is the mistake?

<?php require_once './auth.php'; ?>
<?php
//activation.php
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name="user2"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// upload picture

// Get values from form 

if (isset($_POST['code'])) {
$code=$_POST['code'];
}

$username = ($_SESSION['user']['username']);

// Insert data into mysql 
$result = mysql_query("SELECT code FROM user2 WHERE username = '$username'");
if (!$result) {
    echo 'Konnte Abfrage nicht ausführen: ' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);


if( $result == $_POST['code']){
header('Location: http://' . $_SERVER['HTTP_HOST'] . '/socialad/login.php');

//$codedelete = mysqli_query("UPDATE user2 SET code='0' WHERE username = '$username'");
}

else {
echo "ERROR";
}

// close connection 
mysql_close();
?>


<?php
session_start(); // auth.php
session_regenerate_id();

if (empty($_SESSION['login'])) {
    header('Location: http://' . $_SERVER['HTTP_HOST'] . '/login.php');
    exit;
} else {
    $username = ($_SESSION['user']['username']);
}
?>

    <?php
     //register.php

    $message = array();
    if (!empty($_POST)) {

        if (isset($_POST['f']['country'])) {
            $country = $_POST['f']['country'];
        }

        function generateRandomString($length = 8) {
            $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
            $charactersLength = strlen($characters);
            $randomString = '';
            for ($i = 0; $i < $length; $i++) {
                $randomString .= $characters[rand(0, $charactersLength - 1)];
            }
            return $randomString;
        }
        $randomString = generateRandomString();


        if (
            empty($_POST['f']['username']) ||                       
            empty($_POST['f']['password']) ||
            empty($_POST['f']['password_again']) ||
            empty($_POST['f']['email']) ||
            empty($_POST['f']['firstname']) ||          
            empty($_POST['f']['lastname']) ||
            empty($_POST['f']['phone']) ||
            empty($_POST['f']['town']) ||
            empty($_POST['f']['street']) ||
            empty($_POST['f']['zip']) 
        ) { 

            $message['error'] = 'Es wurden nicht alle Felder ausgefüllt.';
        } else if ($_POST['f']['password'] != $_POST['f']['password_again']) {
            $message['error'] = 'Die eingegebenen Passwörter stimmen nicht überein.';
        } else {
            unset($_POST['f']['password_again']);
            $salt = ''; 
            for ($i = 0; $i < 22; $i++) { 
                $salt .= substr('./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789', mt_rand(0, 63), 1); 
            }
            $_POST['f']['password'] = crypt(
                $_POST['f']['password'],
                '$2a$10$' . $salt
            );

            $mysqli = @new mysqli('localhost', 'root', '', '');
            if ($mysqli->connect_error) {
                $message['error'] = 'Datenbankverbindung fehlgeschlagen: ' . $mysqli->connect_error;
            }
            $query = sprintf(
                "INSERT INTO user2 (username, password, email, firstname, lastname, phone, town, street, zip, country, code)
                SELECT * FROM (SELECT '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s') as new_user
                WHERE NOT EXISTS (
                    SELECT username FROM user2 WHERE username = '%s'
                ) LIMIT 1;",
                $mysqli->real_escape_string($_POST['f']['username']),                               
                $mysqli->real_escape_string($_POST['f']['password']),                   
                $mysqli->real_escape_string($_POST['f']['email']),          
                $mysqli->real_escape_string($_POST['f']['firstname']),
                $mysqli->real_escape_string($_POST['f']['lastname']),
                $mysqli->real_escape_string($_POST['f']['phone']),
                $mysqli->real_escape_string($_POST['f']['town']),
                $mysqli->real_escape_string($_POST['f']['street']),
                $mysqli->real_escape_string($_POST['f']['zip']),
                $mysqli->real_escape_string($_POST['f']['country']),
                $mysqli->real_escape_string($randomString),
                $mysqli->real_escape_string($_POST['f']['username'])
            );
            $mysqli->query($query);
            if ($mysqli->affected_rows == 1) {
                $message['success'] = 'Neuer Benutzer (' . htmlspecialchars($_POST['f']['username']) . ') wurde angelegt, <a href="login.php">weiter zur Anmeldung</a>.';
                header('Location: http://' . $_SERVER['HTTP_HOST'] . '//activation.php');

                // $empfaenger = $_POST['f']['email'];
                // $betreff = "Registration";
                // $from = "From: Webmaster <webmaster@somediashout.de>";
                // $text = "Thank you for your registration. Your code is : " + $randomString;

                // mail($empfaenger, $betreff, $text, $from);

                session_start();

                    $_SESSION = array(
                        'login' => true,
                        'user'  => array(
                            'username'  => $_POST['f']['username'] // $row is never defined in this file
                        )
                    );

            } else {

            }
            $mysqli->close();
        }
    } 
?>
    Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 03 '15 at 13:48
  • "on the page activation.php the error "ERROR" show" What is this error? That will help you find the problem. – Digital Chris Jun 03 '15 at 13:54

1 Answer

As I understand it, you are asking why you are shown "ERROR" on activation.php. "ERROR" is created by this piece of code, as I'm sure you know:

if( $result == $_POST['code']){
  header('Location: http://' . $_SERVER['HTTP_HOST'] . '/socialad/login.php');
} else {
  echo "ERROR";
}

What you are currently checking for is: IF $result (which contains the return of mysql_query, which would be a resource. See here for more details: PHP Mysql_query) is the same as $_POST['code'], which is probably not what you are looking for. I think what you actually want to check for is this:

if($row[0] == $code){
  header('Location: http://' . $_SERVER['HTTP_HOST'] . '/socialad/login.php');
}
  • Hey, thanks for your time. I edited my code how you wrote, but now the activation.php file won't be shown. I can't call it in the browser either. The variable $result should have the value of the string created at registration, and if this has the same value as the user input into the input element "code", the page login.php should be called. – brabus85 Jun 03 '15 at 17:50
  • Yep, that was my fault. My apologies. You are using mysql_fetch_row() which returns a numeric array not an associative array. I've updated my answer so you'll need to change your code again to: if($row[0] == $code) – Henders Jun 04 '15 at 09:19
  • I would echo the others though and advise you to move away from mysql_* functions. It's worth it for the security you get and if you're learning mysql_* you might as well just learn mysqli instead. :) – Henders Jun 04 '15 at 09:29
  • Thanks for your help. Yes, I'm trying to change my mysql functions into PDO; I created a new question because I have trouble with it :D – brabus85 Jun 04 '15 at 09:34
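Putting the answer's fix ($row[0] versus $code) together with the comments' advice about prepared statements, here is an added example, not the asker's or the answerer's code, of activation.php rewritten with PDO and a constant-time comparison, plus a CSPRNG replacement for the question's generateRandomString(). It assumes the same user2 table (username, code) and the session layout from auth.php; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the question or answer): activation check with
// PDO prepared statements and hash_equals(). Assumes table user2 with
// columns username and code; DB_NAME/DB_USER/DB_PASSWORD are placeholders.

// Replacement for generateRandomString(): random_int() is a CSPRNG, rand() is not.
function generateActivationCode(int $length = 8): string
{
    $alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $max = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    return $code;
}

// True only when the submitted code equals the stored one for this user.
function activationCodeMatches(PDO $pdo, string $username, string $submitted): bool
{
    $stmt = $pdo->prepare('SELECT code FROM user2 WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $stored = $stmt->fetchColumn();        // false when there is no such row
    if ($stored === false || $stored === '0') {
        return false;                       // unknown user, or code already consumed
    }
    // hash_equals() compares in constant time and never type-juggles like ==.
    return hash_equals((string) $stored, $submitted);
}

// Invalidate the code once used (the commented-out UPDATE in the question).
function clearActivationCode(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare("UPDATE user2 SET code = '0' WHERE username = :username");
    $stmt->execute([':username' => $username]);
}

// activation.php flow (placeholder DSN and credentials):
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$username  = $_SESSION['user']['username'] ?? '';
$submitted = $_POST['code'] ?? '';

if ($username !== '' && activationCodeMatches($pdo, $username, $submitted)) {
    clearActivationCode($pdo, $username);
    header('Location: http://' . $_SERVER['HTTP_HOST'] . '/socialad/login.php');
    exit;                                   // stop executing after the redirect
}
echo 'ERROR';
```

In register.php, generateActivationCode() would be stored instead of $randomString; the stored value is then the single source of truth that activation.php compares against.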