The form is ok and it captures all of the information correctly, however, the errors started when I used a function to generate a random string that is used for user activation.

<?php
function generateActivationString() {
    $randomSalt = '*&(*(JHjhkjnkjn9898';
    $uniqId = uniqid(mt_rand(), true);
    return md5($randomSalt.$uniqId);
}

// Every variable used by the INSERT below is assigned only inside this block,
// so none of them is set when get_magic_quotes_gpc() returns true.
if (!get_magic_quotes_gpc()) {
    // $_POST['pass'] = addslashes($_POST['pass']);
    $username = addslashes($_POST['username']);
    $firstname = addslashes($_POST['firstname']);
    $surname = addslashes($_POST['surname']);
    // $_POST['email'] = addslashes($_POST['email']);
    $email = mysql_real_escape_string(addslashes($_POST['email']));
    $pass = mysql_real_escape_string(sha1($_POST['pass']));
    $activationString = generateActivationString();
}

// Query text is built by concatenating the (escaped) values directly.
$insert = "INSERT INTO users (username, password, firstname, surname, email, activation_string)
VALUES ('".strtolower($username)."', '".$pass."', '".strtolower($firstname)."', '".strtolower($surname)."', '".strtolower($email)."', '".$activationString."')";

Here is the echoed insert statement:

INSERT INTO users (username, password, firstname, surname, email, activation_string) VALUES ('', '', '', '', '', '')

I know it has created a new entry as the auto_increment id row is populated, however all of the other fields remain empty.

Here is the code from the generateActivationString() so I know that's working too! - 264361eeb6e75d3934ce249a0d05f2c1

Any suggestions are more than welcome and greatly appreciated!

Michael
  • There is no error, but when I echo out the sql statement all of the fields within the VALUES are blank. Here is the echoed statement: INSERT INTO users (username, password, firstname, surname, email, activation_string) VALUES ('', '', '', '', '', '') I know it has Thank you. You have successfully registered. here is the code from the generateActivationString() so I know that's working! - 264361eeb6e75d3934ce249a0d05f2c1 – Michael Aug 27 '11 at 13:54
  • Try to give the output of `echo $insert`. That will show you the actual query (edit it into your question) – Ikke Aug 27 '11 at 13:55
  • Have you tried printing the value of `$insert`, to check that it's a valid query string? – Oliver Charlesworth Aug 27 '11 at 13:55
  • If the fields seem blank, do they even have a value in the post array? Try `echo print_r($_POST)`. – Ikke Aug 27 '11 at 13:55
  • 1
    probably the if (!get_magic_quotes_gpc()) { return false and all the variables are not set. try var_dump(!get_magic_quotes_gpc()) before the if statement to see what's the value. – Book Of Zeus Aug 27 '11 at 13:57
  • Try checking whether the code inside the if block is executed or not; else the variables will be unset. – Mithun Satheesh Aug 27 '11 at 13:58
  • 1
    [Use prepared statements][1]. [1]: http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php/60496#60496 – Kaleb Brasee Aug 27 '11 at 13:59
  • 1
    Maybe `get_magic_quotes_gpc()` is `true` and variables aren't getting set? BTW, it's a really bad idea to depend on magic quotes. It's a deprecated feature, the right thing to do is to check for them and undo any changes it does. – piotrp Aug 27 '11 at 14:00
  • Might it be because you only assign these values when `!get_magic_quotes_gpc()`? – Mchl Aug 27 '11 at 14:01
  • Hopefully you're not planning to leave your `randomSalt` hard-coded for your production version. :P –  Aug 27 '11 at 14:09

3 Answers


Going strictly by the code above, your variables like $username, $password etc. are in the scope of your if block; move them outside of the if.

Ali
  • Thank you, I deleted the if block as @mithunsatheesh said and it worked fine with a few other errors that I sorted. – Michael Aug 27 '11 at 14:12

I don't see you send that query anywhere, maybe that's your problem...

Madara's Ghost
  • I left that out as I thought that that was a given, the query was executing fine, just the magic_quotes was stopping the activation code form being inserted. – Michael Aug 27 '11 at 14:12

Oh dear. The biggest problem with your statement is that you are not using prepared statements and are taking info directly from the POST parameters. This is a recipe for disaster and how most sites get hacked.

Stefan Arentz
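Putting Ali's scoping fix and Stefan's prepared-statement advice together, here is an added example of the same registration insert (not code from the question or from any answer): the values are assigned unconditionally, magic quotes are undone rather than relied on, and the query is sent through PDO placeholders. The `$pdo` connection, `password_hash()` and `random_bytes()` are my assumptions and substitutions, not anything the original page uses.

```php
<?php
// Added example, not the asker's code. Assumes a PDO connection in $pdo and
// the `users` table from the question. password_hash() and random_bytes()
// replace the original sha1()/md5()-with-hard-coded-salt and are my choice.

// Read a POST field and undo magic quotes if the host still has them on
// (PHP < 5.4). This replaces the original `if (!get_magic_quotes_gpc())`
// block, which left every variable unset whenever the function returned true.
function postValue(array $post, string $key): string
{
    $value = isset($post[$key]) ? (string) $post[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

function generateActivationString(): string
{
    // 32 hex characters from the CSPRNG; no hard-coded salt needed.
    return bin2hex(random_bytes(16));
}

function registerUser(PDO $pdo, array $post): string
{
    $username  = strtolower(postValue($post, 'username'));
    $firstname = strtolower(postValue($post, 'firstname'));
    $surname   = strtolower(postValue($post, 'surname'));
    $email     = strtolower(postValue($post, 'email'));
    $passHash  = password_hash(postValue($post, 'pass'), PASSWORD_DEFAULT);
    $activationString = generateActivationString();

    // Placeholders keep user input out of the SQL text entirely: quotes and
    // backslashes in a field arrive as data, not as part of the statement,
    // so no addslashes()/mysql_real_escape_string() layering is required.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, firstname, surname, email, activation_string)
         VALUES (:username, :password, :firstname, :surname, :email, :activation)'
    );
    $stmt->execute([
        ':username'   => $username,
        ':password'   => $passHash,
        ':firstname'  => $firstname,
        ':surname'    => $surname,
        ':email'      => $email,
        ':activation' => $activationString,
    ]);
    return $activationString; // the caller e-mails this to the new user
}
```

Because nothing is assigned inside a conditional, an empty `VALUES ('', '', ...)` row can no longer be produced silently; a missing field shows up as an empty string from `postValue()`, which is the place to add validation.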