0

This is my first question, so here it is:

Whenever I submit my register form, I send the data through 3 checks (only 3 as of now anyway). However, even when the data submitted do not meet the requirements of the checks, it still stores a value in my database.

A further example would be if I submitted a username with less than 8 characters, the error displayed, however the values are still get stored. Please Help.

<?php
//VARIABLES FOR POST DATA               //OTHER VARIABLES
$username = $_POST['register_username'];        $userlen = strlen($username);
$password = $_POST['register_password'];        
$submit = $_POST['register_submit'];

if(isset($submit)){
if( $password == $username ){$errors[] = 'Same Username and Pass';}
if( $userlen < 8 ){$errors[] = 'Username must be atleast 8 characters.';}
if( $userlen > 32 ){$errors[] = 'Username must only contain 32 characters';}


else{
require 'db/connect.php';
$insertUser = "INSERT INTO users (username, password) VALUES ('$username','$password')";
mysql_query($insertUser);
}

}
?>
mymiracl
  • 583
  • 1
  • 16
  • 24
Eugene Stamp
  • 158
  • 1
  • 11

2 Answers2

2

Change your if else pattern like,

<?php
//VARIABLES FOR POST DATA               //OTHER VARIABLES
$username = $_POST['register_username'];        $userlen = strlen($username);
$password = $_POST['register_password'];        
$submit = $_POST['register_submit'];

if(isset($submit)){
if( $password == $username ){$errors[] = 'Same Username and Pass';}
if( $userlen < 8 ){$errors[] = 'Username must be atleast 8 characters.';}
if( $userlen > 32 ){$errors[] = 'Username must only contain 32 characters';}

if(empty($errors)){
    require 'db/connect.php';
    $insertUser = "INSERT INTO users (username, password) VALUES ('$username','$password')";
    mysql_query($insertUser);
    }
}
    ?>

It maybe work. Just try it

Vignesh Bala
  • 889
  • 6
  • 25
1

There is more suitable code:

<?php
//VARIABLES FOR POST DATA               //OTHER VARIABLES
$username = $_POST['register_username'];        $userlen = strlen($username);
$password = $_POST['register_password'];        
$submit = $_POST['register_submit'];

if(isset($submit))
{
    $errors = array();

    if( $password == $username )
    {
        $errors[] = 'Same Username and Pass';
    }
    if( $userlen < 8 )
    {
        $errors[] = 'Username must be atleast 8 characters.';
    }
    if( $userlen > 32 )
    {
        $errors[] = 'Username must only contain 32 characters';
    }

    if (count($errors) == 0)
    {
        require 'db/connect.php';
        $insertUser = "INSERT INTO users (username, password) VALUES ('$username','$password')";
        mysql_query($insertUser);
    }
}
?>

IMPORTANT

Security warning

But that code in not for production purpose. You should not bypass all data came from user to your database. You need to process $username and $password values or you'll SQL Injection instead.

You'd better use PDO and prepared statements ($db->prepare() and $statement->bindParam()):

$statement = $db->prepare("INSERT INTO users (username, password) VALUES (:username', :password)");
$statement->bindParam(':username', $username);
$statement->bindParam(':password', $password);
$statement->execute();
Vlad DX
  • 4,200
  • 19
  • 28