0

I'm currently writing a script that preforms basic user registration.

When the user arrives on the landing page, I have a JS script that identifies their email from the URL and fills it in the email input box (which is disabled). After, the user just needs to put in their password to create an account. However, PHP throws the error "Email is required" even though it's been filled by the JS script.

I've tried to change the status of the input box to disabled to enabled which doesn't do much to help. I've attached the files involved in the process below. Any help would be greatly appreciated.

fillEmail.js

$(document).ready(function() {
var link = window.location.href;

var emailIndex = link.indexOf("email");

if(emailIndex != -1) {
link = link.substring(emailIndex + 6);
} else {
    link = "";
}

document.getElementById("email").value = link;
//$('#email').attr('disabled', 'disabled');});

register.php

<?php include('server.php') ?>

<!DOCTYPE html>
<html>
<head>
  <title>Register</title>
  <link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
  <div class="header">
    <h2>Register</h2>
  </div>

  <form method="post" action="register.php">
    <?php include('errors.php'); ?>
    <div hidden class="input-group">
      <label>Username</label>
      <input type="text" name="username" value="user">
    </div>
    <div class="input-group">
      <label>Email</label>
      <input type="email" name="email" id="email" value="<?php echo $email; ?>" disabled>
    </div>
    <div class="input-group">
      <label>Password</label>
      <input type="password" name="password_1">
    </div>
    <div class="input-group">
      <label>Confirm password</label>
      <input type="password" name="password_2">
    </div>
    <div class="input-group">
      <button type="submit" class="btn" name="reg_user">Register</button>
    </div>
  </form>
</body>
<script
  src="https://code.jquery.com/jquery-3.4.1.js"
  integrity="sha256-WpOohJOqMqqyKL9FccASB9O0KwACQJpFTUBLTYOVvVU="
  crossorigin="anonymous">
</script>
<script type='text/javascript' src="fillEmail.js"></script>
</html>

server.php

<?php
session_start();

// initializing variables
$username = "";
$email = "";
$errors = array(); 

// connect to the database
$db = mysqli_connect('localhost', 'root', '', 'registration');

// REGISTER USER
if (isset($_POST['reg_user'])) {
  // receive all input values from the form
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $email = mysqli_real_escape_string($db, $_POST['email']);
  $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
  $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

  // form validation: ensure that the form is correctly filled ...
  // by adding (array_push()) corresponding error unto $errors array
  if (empty($username)) { array_push($errors, "Username is required"); }
  if (empty($email)) { array_push($errors, "Email is required"); }
  if (empty($password_1)) { array_push($errors, "Password is required"); }
  if ($password_1 != $password_2) {
    array_push($errors, "The two passwords do not match");
  }

  // first check the database to make sure 
  // a user does not already exist with the same username and/or email
  $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";
  $result = mysqli_query($db, $user_check_query);
  $user = mysqli_fetch_assoc($result);

  if ($user) { // if user exists
    if ($user['username'] === $username) {
      array_push($errors, "Username already exists");
    }

    if ($user['email'] === $email) {
      array_push($errors, "email already exists");
    }
  }

  // Finally, register user if there are no errors in the form
  if (count($errors) == 0) {
    $password = md5($password_1);//encrypt the password before saving in the database

    $query = "INSERT INTO users (username, email, password) 
              VALUES('$username', '$email', '$password')";
    mysqli_query($db, $query);
    $_SESSION['username'] = $username;
    $_SESSION['success'] = "You are now logged in";
    header('location: index.php');
  }
}
?>

I'm fairly new to PHP so any help would be greatly appreciated. Thanks so much in advance!

Andrew Wang
  • 39
  • 7
  • After going to the page before clicking on your Register button go into 'inspect element' and check if it actually gives the value of email into the value attribute of your input. – Tom Truyen Apr 14 '20 at 13:18
  • 2
    ___Tip: Disabled elements in a form will not be submitted!___ – RiggsFolly Apr 14 '20 at 13:19
  • 1
    disabled input are never submitted – Pierre Apr 14 '20 at 13:20
  • 1
    if you want to submit the email, use an hidden input field, and leave the disabled input as it is (or remove it) – Pierre Apr 14 '20 at 13:22
  • Wow thanks so much.... guess I wasn't paying too much attention. Is there a work around so I can submit it? – Andrew Wang Apr 14 '20 at 13:22
  • you can use a `readonly` instead – Rotimi Apr 14 '20 at 13:24
  • 1
    Don't use MD5 to hash/save passwords with. Use `password_hash()`. – Funk Forty Niner Apr 14 '20 at 15:05
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Apr 14 '20 at 22:08

2 Answers2

2

As per my comment, you can simply use readonly instead of disabled to achieve a similar effect. Also please use prepared statements to protect against SQL injection. mysqli_real_escape_string is not enough

Rotimi
  • 4,783
  • 4
  • 18
  • 27
0

In order for the value to be submitted the field cannot be disabled.

Simple solution, create another fields as (hidden), these are submitted

<input type="email" id="email" value="<?php echo $email; ?>" disabled>
<input type="hidden" name="email" value="<?php echo $email; ?>">

Or you could simply change the attribute from disables to readonly

RiggsFolly
  • 93,638
  • 21
  • 103
  • 149