Validating form before add to database

[Barry]

PHP Code:

<?php

  //Start user season
  session_start();

  //reminder question and anwser
  $rquestion = addslashes($_POST['rquestion']);
  $ranwser = addslashes($_POST['ranwser']);

  //user register post infomation
  $adduser = addslashes($_POST['adduser']);
  $newpass = addslashes($_POST['newpass']);
  $newpass2 = addslashes($_POST['newpass2']);

  
  //user email
  $email = addslashes($_POST['email']);
  $confirmreg = rand(100000,999999);
 
  //user ip and encription
  $md5pass = md5($newpass);
  $userip = $_SERVER['REMOTE_ADDR'];

  //Include the header and config
  include "includes/config.php";
  include "includes/header.php";
 
  //Passwords not matched
  if($newpass != $newpass2)
    echo"<b>Passwords do not match</b>";
    else
     {

  //email activation link
  if(isset($confirm)) {
  $confirmuser = @mysql_fetch_array(@mysql_query("SELECT user FROM cmsusers WHERE confirmreg = $confirm"));
  $confuser = $confirmuser[0];
  $done = @mysql_query("UPDATE cmsusers SET confirmed = 'yes' WHERE user = '$confuser'");
  if($done) echo "Account activated, <a href='login.php?log=in'>login</a>";
   }

  //Submit the form and add to database
   if(submit){
   $validate = array('adduser', 'newpass', 'newpass2', 'rquestion', 'ranwser', 'email');
   $valid = true;
    for($i=0;$i<count($validate);$i++){
    if(trim($_POST[$validate[$i]]) == ''){
    $valid = false;
      }
}
if($valid == true){
  $result = mysql_query("INSERT INTO cmsusers(user,pass,level,confirmed,email,userip,rquestion,ranwser,confirmreg)
  VALUES('".$adduser."','".$md5pass."','0','no','".$email."','".$userip."','".$rquestion."','".$ranwser."','".$confirmreg."')") or die(mysql_error());
  echo "Thankyou for registering at ".$sitename.", your new account has been created with username is  <b>".$adduser."</b> and password <b>".$newpass."</b> \n\n We need to confirm your email address, a email with a confirmation link and login details has been sent to ".$email." all you need to do now is follow the link to activate your account at ".$sitename."\n\n";


} else {

      echo 'Please fill in all fields';

} 
  //Message to be sent to new user in email
  $message = "Hello $adduser,\n\nThankyou for registering at $sitename\n\n Your account has been created with username of: $adduser and account password: $newpass. you need to activate your account by following this link: $siteaddr$_SERVER[PHP_SELF]?confirm=$confirmreg \n\n";

  //Send a email to new user
  mail($email,"Registration at ".$sitename, $message, $from_add);
  echo "\n\n<a href='index.php'>Back to mainpage</a>";
     }
      else
        {
//form here..
     }
   } 
  
?>

This is the code I have and I can't see why its not working right, it comes up with the 'Please fill in all fields' error when loading page when it should not try and valadate the form untill submit

[Iain]

Because your if statement is wrong

PHP Code:


} elseif ( !isset($valid) || $valid == false) {
      echo 'Please fill in all fields';
} 


$valid wasn't set to anything at all when the page loads so your if statement which only looks for true goes for the else branch of the logic

[Iain]

Also you could tidy up your addslashes validation by just doing

PHP Code:

foreach ($_POST as $key=>$value)
{
$_POST[$key] = mysql_real_escape_string($value);
} 


That way it will parse all the values from the submitted form no matter how many there are. Pays to be on the safe side

[killgORE]

and whats more doing it in a loop means u can paste that bad boy into every other script where its needed.. AND you don't have to worry. I made a similar thing recently in java.. One of those "aha" moments when you realise you have been wasting effort for years

[Barry]

I'm still learning php and don't fully understand

You mean replacing this

PHP Code:

} else {

      echo 'Please fill in all fields';

} 


with this

PHP Code:

} elseif ( !isset($valid) || $valid == false) {
      echo 'Please fill in all fields';
} 


and this

PHP Code:

//reminder question and anwser
  $rquestion = addslashes($_POST['rquestion']);
  $ranwser = addslashes($_POST['ranwser']);

  //user register post infomation
  $adduser = addslashes($_POST['adduser']);
  $newpass = addslashes($_POST['newpass']);
  $newpass2 = addslashes($_POST['newpass2']);

  
  //user email
  $email = addslashes($_POST['email']); 


with this

PHP Code:

foreach ($_POST as $key=>$value)
{
$_POST[$key] = mysql_real_escape_string($value);
} 


so it's like this

PHP Code:

<?php

  //Start user season
  session_start();
  
  //Form post 
   foreach ($_POST as $key=>$value)
   {
    $_POST[$key] = mysql_real_escape_string($value);
    }

  //user ip and encription
  $md5pass = md5($newpass);
  $userip = $_SERVER['REMOTE_ADDR'];
  $confirmreg = rand(100000,999999);

  //Include the header and config
  include "includes/config.php";
  include "includes/header.php";

  //Passwords not matched
  if($newpass != $newpass2)
    echo"<b>Passwords do not match</b>";
    else
     {

  //email activation link
  if(isset($confirm)) {
  $confirmuser = @mysql_fetch_array(@mysql_query("SELECT user FROM cmsusers WHERE confirmreg = $confirm"));
  $confuser = $confirmuser[0];
  $done = @mysql_query("UPDATE cmsusers SET confirmed = 'yes' WHERE user = '$confuser'");
  if($done) echo "Account activated, <a href='login.php?log=in'>login</a>";
   }

  //Submit the form and add to database
   if(submit){
   $validate = array('adduser', 'newpass', 'newpass2', 'rquestion', 'ranwser', 'email');
   $valid = true;
    for($i=0;$i<count($validate);$i++){
    if(trim($_POST[$validate[$i]]) == ''){
    $valid = false;
      }
}
if($valid == true){
  $result = mysql_query("INSERT INTO cmsusers(user,pass,level,confirmed,email,userip,rquestion,ranwser,confirmreg)
  VALUES('".$adduser."','".$md5pass."','0','no','".$email."','".$userip."','".$rquestion."','".$ranwser."','".$confirmreg."')") or die(mysql_error());
  echo "Thankyou for registering at ".$sitename.", your new account has been created with username is  <b>".$adduser."</b> and password <b>".$newpass."</b> \n\n We need to confirm your email address, a email with a confirmation link and login details has been sent to ".$email." all you need to do now is follow the link to activate your account at ".$sitename."\n\n";


} elseif ( !isset($valid) || $valid == false) {
      echo 'Please fill in all fields';
}
  //Message to be sent to new user in email
  $message = "Hello $adduser,\n\nThankyou for registering at $sitename\n\n Your account has been created with username of: $adduser and account password: $newpass. you need to activate your account by following this link: $siteaddr$_SERVER[PHP_SELF]?confirm=$confirmreg \n\n";

  //Send a email to new user
  mail($email,"Registration at ".$sitename, $message, $from_add);
  echo "\n\n<a href='index.php'>Back to mainpage</a>";
     }
      else
        {
//form here
     }
   }
  
?>

Edit: can't be because that does not work :/

[Iain]

well you've set all your variables e.g. $adduser in your original script but not in the second. Therefore they won't exist for your SQL queries. You'll still need to set them. In your case since you're setting them to the same variable name as the name of the field in your form so you could use

PHP Code:

foreach ($_POST as $key=>$value)
{
$_POST[$key] = mysql_real_escape_string($value);
eval('$'.$key.'=$_POST["'.$key.'"];');
} 


The eval statement might need some tweaking as they're always a pain to get right first time

Also, if you want help it's usually better to tell us what the error is. Telling us it doesn't work isn't that useful especially in light of your sig

ask a stupid question, get a stupid anwser

[Barry]

Ahh, I see what you mean now

And I knew my sig would haunt me one day