I am using a register script, but for some reason this script is not working.

First of all, here is my `<html>` form:

```html
<form action="<?php $_SERVER['PHP_SELF'];?>" method="post">
 <legend>Member Registration</legend>
 <p><label>Username:</label><input name="username" type="text" maxlength="20" <?php if(isset($error)) {echo "value='$username'";} ?> /></p>
 <p><label>Password:</label><input name="password" type="password" maxlength="20" /></p>
 <p><label>Confirm Password:</label><input name="password2" type="password" maxlength="20" /></p>
 <p><label>Email:</label><input name="email" type="text" maxlength="255" <?php if(isset($error)) {echo "value='$email'";} ?> /></p>
 <p><input type="submit" name="submit" value="Register"></p>
</form>
```

After clicking on the submit button, the script needs to get posted. Before adding the values to the database, the PHP script should do a check:

```php
if (strlen($username) < 3){
 $error[] = 'User name must be between 3 and 20 characters.';
}
```

When I enter just 1 character, this is also not checked. When I click on the submit button, the script returns to its first state.

Why is this happening? I have turned error reporting on, but even when I do that I don't get any error message.

How can I fix this problem?

Here is my full PHP code:

```php
<?php
 $dbhost = 'localhost';
 $dbuser = 'root';
 $dbpass = '';
 $dbname = 'db';

 $conn = mysqli_connect ($dbhost, $dbuser, $dbpass);
 $conn = mysqli_select_db ($conn, $dbname);

 if(!$conn){
  die( "Sorry! There seems to be a problem connecting to our database. Please give us a few minutes to remedy the problem. Thank you.");
 }

 function errors($error){
  if (!empty($error))
  {
   $i = 0;
   while ($i < count ($error)){
    echo '<span class="warning">'.$error[$i].'</span>';
    $i ++;
    }
   }
   if (isset($_POST['submit'])){
    $username = trim($_POST['username']);

    if (strlen($username) < 3){
     $error[] = 'User name must be between 3 and 20 charactors.';
    }

    if(!get_magic_quotes_gpc()){
     $POST[] = addslashes($_POST['username']);
    }

    $usercheck = $_POST['username'];
    $check = mysqli_query($conn, "SELECT username FROM users WHERE username ='".$usercheck."'")or die(mysqli_error());
    $check2 = mysqli_num_rows($check);

    if ($check2 != 0) {
     $error[] = 'Sorry, the username <b>'.$_POST['username'].'</b> is already in use.';
    }

    $password = trim($_POST['password']);
    if (strlen($password) < 5) {
     $error[] = 'password Must be between 5 and 20 characters.';
    }

    if ($_POST['password'] != $_POST['password2']) {
     $error[] = 'Your passwords did not match.';
    }

    if (!get_magic_quotes_gpc()) {
     $_POST[] = addslashes($_POST['email']);
    }

    $emailcheck = $_POST['email'];
    $hash = md5( rand(0,1000) );
    $emailcheck1 = mysqli_query($conn, "SELECT email FROM members WHERE email = '".$emailcheck."'")or die(mysqli_error());
    $emailcheck2 = mysqli_num_rows($emailcheck1);

    if ($emailcheck2 != 0) {
     $error[] = 'Sorry, the email address <b>'.$_POST['email'].'</b> is already in use, Please choose another email address.';
    }

    if (!$error ) {
     $username = $_POST['username'];
     $password = $_POST['password'];
     $email = $_POST['email'];

     if(!get_magic_quotes_gpc())
     {
      $username = addslashes($username);
      $password = addslashes($password);
      $email = addslashes($email);
     }

     $username = mysqli_real_escape_string($username);
     $password = mysqli_real_escape_string($password);
     $email = mysqli_real_escape_string($email);
     $username = strip_tags($username);
     $password = strip_tags($password);
     $email = strip_tags($email);
     $username = ucwords(strtolower($username));

     $email = strtolower($email);
     $insert1 = "INSERT INTO members (username, password, email) VALUES ('$username', md5('$password'), '$email')";
     $result1 = mysqli_query($insert1) or die('Error : ' . mysqli_error());

    }
   }
  }
?>
```
John
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 16 '16 at 17:51
  • `strl()` is the string length – John Jun 16 '16 at 18:00
  • Think you mean [strlen()](http://php.net/manual/en/function.strlen.php) which is the native function in PHP that checks the length of a string. Unless you've created a function `strl()` of your own, it does not exist. But that should be throwing a *fatal* error. Weird. – mferly Jun 16 '16 at 18:00
  • your DB code is horrible. magic_quotes is dead/gone. Do **NOT** try checking for it. Anyone still running a PHP version that has magic_quotes available, let alone enabled, should not be supported by any new code. And addslashes() is utterly useless for sql injection defense, plus simply double-escapes some sql metacharacters in your data anyways. And since you then further manipulate your escaped strings, you risk UNDOING all of that escaping anyways. – Marc B Jun 16 '16 at 18:02
  • Yes I see, I have updated the code, but it is still not working – John Jun 16 '16 at 18:03
  • You're overwriting the db connection `$conn` with `$conn = mysqli_select_db($conn, $dbname);` which `$conn` will now be a `bool(true|false)` value. There is no need to assign the result of `mysqli_select_db()` to a variable. I don't know how your code does anything at all. – mferly Jun 16 '16 at 18:26
  • Oh man... where/how are you calling the `function errors($error){ ... }` function? All of your logic is within that function. None of your script (aside from anything *outside* of the function) will execute if you don't call the function. So when you click the submit button, without calling the `errors()` function, nothing will happen (which is expected given your code). – mferly Jun 16 '16 at 18:32
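
The points raised in the comments, put together as an added example (not the poster's code and not written by any commenter): the checks run at top level instead of inside `errors()`, the connection is not overwritten, every query is a prepared statement, and `md5()` is replaced by `password_hash()`. It assumes a single `members` table whose `password` column is wide enough for the hash (e.g. `VARCHAR(255)`); `validate_registration()` and `row_exists()` are hypothetical helper names.

```php
<?php
// Added example, not the poster's code. Assumes a `members` table with
// username, password (VARCHAR(255)) and email columns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw exceptions

// Input checks only; returns a list of messages (empty when the input is valid).
function validate_registration(array $in): array {
    $errors = [];
    $len = strlen(trim($in['username'] ?? ''));
    if ($len < 3 || $len > 20) $errors[] = 'User name must be between 3 and 20 characters.';
    if (strlen($in['password'] ?? '') < 5) $errors[] = 'Password must be at least 5 characters.';
    if (($in['password'] ?? '') !== ($in['password2'] ?? '')) $errors[] = 'Your passwords did not match.';
    return $errors;
}

// Parameterized lookup: $sql is fixed text with one "?"; $value is bound, never concatenated.
function row_exists(mysqli $conn, string $sql, string $value): bool {
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('s', $value);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows > 0;
}

$error = [];
if (isset($_POST['submit'])) {   // top level, so it actually runs on submit
    $conn = mysqli_connect('localhost', 'root', '', 'db'); // 4th argument selects the database
    $username = trim($_POST['username'] ?? '');
    $email = strtolower(trim($_POST['email'] ?? ''));
    $error = validate_registration($_POST);
    if (!$error && row_exists($conn, 'SELECT 1 FROM members WHERE username = ?', $username)) {
        $error[] = 'Sorry, the username ' . $username . ' is already in use.';
    }
    if (!$error && row_exists($conn, 'SELECT 1 FROM members WHERE email = ?', $email)) {
        $error[] = 'Sorry, the email address ' . $email . ' is already in use.';
    }
    if (!$error) {
        $hash = password_hash($_POST['password'], PASSWORD_DEFAULT); // salted, slow hash
        $stmt = $conn->prepare('INSERT INTO members (username, password, email) VALUES (?, ?, ?)');
        $stmt->bind_param('sss', $username, $hash, $email);
        $stmt->execute();
    }
}
foreach ($error as $msg) {       // escape on output: messages contain user input
    echo '<span class="warning">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</span>';
}
```

A `UNIQUE` index on `username` and `email` is still needed, because two concurrent requests can both pass the lookups before either one inserts.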

0 Answers