
When using the '>' in my 'strlen' function, everything that comes after it just appears in code form on the screen. Do I have to use a '>' alternative, or is there something I don't know about using that character? Many thanks in advance!

```php
<?
$reg = @$_POST['reg'];
//declaring variables to prevent errors
$firstname = ""; //First Name
$lastname = ""; //Last Name
$username = ""; //Username
$email = ""; //Email
$email2 = ""; //Email 2
$password = ""; //Password
$password2 = ""; // Password 2
$signupdate = ""; // Sign up Date
$usercheck = ""; // Check if username exists
//registration form
$firstname = strip_tags(@$_POST['firstname']);
$lastname = strip_tags(@$_POST['lastname']);
$username = strip_tags(@$_POST['username']);
$email = strip_tags(@$_POST['email']);
$email2 = strip_tags(@$_POST['email2']);
$password = strip_tags(@$_POST['password']);
$password2 = strip_tags(@$_POST['password2']);
$signupdate = date("Y-m-d"); // Year - Month - Day

if ($reg) {
    if ($email == $email2) {
        // Check if user already exists
        $usercheck = mysql_query("SELECT username FROM users WHERE username='$username'");
        // Count the number of rows where username = $username
        $check = mysql_num_rows($usercheck);
        // Check whether Email already exists in the database
        $echeck = mysql_query("SELECT email FROM users WHERE email='$email'");
        // Count the number of rows returned
        $emailcheck = mysql_num_rows($echeck);
        if ($check == 0) {
            if ($emailcheck == 0) {
                // check all of the fields have been filled in
                if ($firstname && $lastname && $username && $email && $email2 && $password && $password2) {
                    // check that passwords match
                    if ($password == $password2) {
                        // check the maximum length of username/first name/last name does not exceed 25 characters
                        if (strlen($username) > 25 || strlen($firstname) > 25 || strlen($lastname) > 25) {
                            echo "The maximum limit for username/first name/last name is 25 characters!";
                        } else {
                            // check the length of password does not exceed 30 characters and is not less than 5 characters
                            if (strlen($password) > 30 || strlen($password) < 5) {
                                echo "Your password must be between 5 and 30 characters long!";
                            } else {
                                //encrypt password and password 2 using md5 before sending to database
                                $password = md5($password);
                                $password2 = md5($password2);
                                $query = mysql_query("INSERT INTO users VALUES ('','$firstname','$lastname','$username','$email','$password','$signupdate','0','Bio','','','no')");
                                die("Login Below");
                            }
                        }
                    } else {
                        echo "Your passwords don't match!";
                    }
                } else {
                    echo "Please fill in all of the fields";
                }
            } else {
                echo "Sorry, but it looks like someone has already used that email!";
            }
        } else {
            echo "Username already taken ...";
        }
    } else {
        echo "Your E-mails don't match!";
    }
}
?>
```
  • 2
    If you're writing new code, **_please_ don't use the `mysql_*` functions**. They are old and broken, were deprecated in PHP 5.5 (which is so old it no longer even receives security updates), and completely removed in PHP 7. Use [`PDO`](https://secure.php.net/manual/en/book.pdo.php) or [`mysqli_*`](https://secure.php.net/manual/en/book.mysqli.php) with _prepared statements_ and _parameter binding_ instead. See http://stackoverflow.com/q/12859942/354577 for details. – ChrisGPT was on strike Mar 05 '17 at 18:27
  • 1
    You are using the short-form `<?` PHP start tag instead of the recommended `<?php` – ChrisGPT was on strike Mar 05 '17 at 18:28
  • 1
    Change `<?` to `<?php` – Barmar Mar 05 '17 at 18:28
  • @AndrewBird, no, the `mysql_` vs. `mysqli_` vs `PDO` issue is a separate (very important) recommendation. – ChrisGPT was on strike Mar 05 '17 at 18:29
  • 2
    `strip_tags` does nothing to stop a SQL injection. Use parameterized queries and update your driver. You also should update your hashing. The `@` also is discouraged, you are hiding useful errors. – chris85 Mar 05 '17 at 18:29
  • I didn't realise I had short tagged it ahah, my code works fine now, thank you all for your time! – Andrew Bird Mar 05 '17 at 18:30
  • 1
    @AndrewBird It may "work", it is not safe to use this code. – chris85 Mar 05 '17 at 18:31
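
What the comments above recommend (prepared statements with parameter binding, and updated hashing), as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database and a simplified `users` schema, both assumptions so the script runs offline; `register()` and `login()` are hypothetical names.

```php
<?php
// Added example, not the asker's code. The in-memory SQLite database and the
// simplified users schema are assumptions so the script runs offline.
function register(PDO $db, string $username, string $email, string $password): string
{
    if (strlen($username) > 25) {
        return 'Username too long';
    }
    if (strlen($password) < 5 || strlen($password) > 30) {
        return 'Password must be between 5 and 30 characters';
    }
    // Placeholders keep the submitted values out of the SQL text entirely.
    $check = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u OR email = :e');
    $check->execute([':u' => $username, ':e' => $email]);
    if ((int) $check->fetchColumn() > 0) {
        return 'Username or email already taken';
    }
    // password_hash() salts and stretches the password; md5() does neither.
    $insert = $db->prepare(
        'INSERT INTO users (username, email, password_hash, signup_date)
         VALUES (:u, :e, :h, :d)'
    );
    $insert->execute([
        ':u' => $username,
        ':e' => $email,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
        ':d' => date('Y-m-d'),
    ]);
    return 'Registered';
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();            // false when no such user
    return is_string($hash) && password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT UNIQUE, email TEXT UNIQUE, password_hash TEXT, signup_date TEXT)');

// Constructed input: strip_tags() leaves the apostrophe in place, so this name
// would break the interpolated query; bound as a parameter it is just data.
echo register($db, "O'Brien", 'ob@example.com', 'correct horse'), "\n";
echo register($db, "O'Brien", 'other@example.com', 'correct horse'), "\n";
var_dump(login($db, "O'Brien", 'correct horse'), login($db, "O'Brien", 'wrong pass'));
```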

0 Answers