Member Avatar for Will Gresham

I have got a slight problem with the code below, I am getting entries into the Database with null values, which as far as I can see should not be possible I have both Client-side JS to validate the fields are not empty and PHP to do the same, Just wanted to know if anyone with a bit more knowledge of PHP has any ideas on this..

I know the code isn't perfect, I am working on improving it but it is on a live site which I have recently taken over for a friend but I would like to get this issue resolved before proceeding.

<?
session_start();
if($_REQUEST['action'] == "check") {
  foreach($_POST as $key => $value) {
    $_SESSION[$key] = $value;
    if(trim($value) == "" && $key != "send") {
      $dirtyPage = 1;
      $emptyFields.= $key . "=1&";
}
}
  if($emptyFields != "") {
    header("Location: /signup.php?empty=1&$emptyFields");
    end();
}
$_REQUEST['action'] = "submit";
}
  include("resc/header.php");
?>
    <script type="text/javascript">
	// Cut AJAX code for checking if username exists and form checker for null fields
</script>
<br />
	<table width="100%" border="0" width="80%">
		<tr>
			<td class="content" valign="top">
<?
  if($_REQUEST['empty']==1) {
    if ($_REQUEST['un'] == 1) { $fieldList .= "<li>Username</li>"; }
    if ($_REQUEST['fn'] == 1) { $fieldList .= "<li>First Name</li>"; }
    if ($_REQUEST['ln'] == 1) { $fieldList .= "<li>Last Name</li>"; }
    if ($_REQUEST['email'] == 1) { $fieldList .= "<li>E-Mail Address</li>"; }
    if ($_REQUEST['password'] == 1) { $fieldList .= "<li>Password</li>"; }
    if ($_REQUEST['confirm'] == 1) { $fieldList .= "<li>Password Confirm</li>"; }
    echo 
    "<div style=\"border: 1px #000000 solid; background-color: #FFFFFF; width: 95%; padding: 5px; margin-bottom: 15px;\">
    <table width=\"95%\"><tr><td width=\"20%\" valign=\"top\">
    Unfortunately we cannot register you because the following fields are empty:
    <ul> $fieldList </ul> Please fill these and then try again.
    </td></tr></table></div>"; 
  }
?>
				<h2>Signup for an account.</h2>
				<center>
				<?
					if($level!="4") {
						die("You cannot sign up for an account while you are logged in.");
					}
					if($_REQUEST['action']=="submit" && $_REQUEST['empty'] == "" && $dirtyPage != 1) {
					    $newpassword=md5($_POST['password']);
					    $newpassword2=md5($_POST['confirm']);
					    if($newpassword!=$newpassword2) {
						    die("Passwords do not match. Please go <a href=\"signup.php\">back</a> and try again.");
					    }
					    else {
						    $newusername=mysql_real_escape_string( $_POST['un'] );
						    $newemail=mysql_real_escape_string( $_POST['email'] );
						    $fname=mysql_real_escape_string( $_POST['fn'] );
						    $lname=mysql_real_escape_string( $_POST['ln'] );
						    mysql_query("INSERT INTO users (un, pw, email, status, level, fname, lname) VALUES('$newusername', '$newpassword', '$newemail', '1', '3', '$fname', '$lname') ")or die(mysql_error());
						    echo "Thank you for signing up. Our admin have been alerted to this and they will activate your account or contact you shortly.";
                                                    session_unset();
                                                    session_destroy();
					    }
				    }
				    else {
                                            
					    ?>
					    When you apply for an account here, we require you to fill out all of the fields in the form.<br />
					    Once the form is successfully complete and sent off, one of our Admin will review the application and either accept or decline it.
					    <br /><br />
					    We ask for your first and last name when you sign up, we use this information to vefiry who you are.

					    <br />
					    Whether the account is accepted or declined, these names will be deleted from the database after the application is reviewed.
					    <form name="signup" action="<? $_SERVER['PHP_SELF'] ?>?action=check" method="post" onsubmit="Javascript:return CheckForm()">
							    <table>
								    <tr>
									    <td>Username</td>
									    <td><input type="text" name="un" onchange="sndReq(this.value)" value="<? echo $_SESSION['un'] ?>"></td>
								    </tr>
								    <tr>
									    <td colspan="2" align="right"><span id="usernamecheck"><br /></span></td>
								    </tr>
								    <tr>
									    <td>First Name</td>
									    <td><input type="text" name="fn" value="<? echo $_SESSION['fn'] ?>"></td>
								    </tr>
								    <tr>
									    <td>Last Name</td>
									    <td><input type="text" name="ln" value="<? echo $_SESSION['ln'] ?>"></td>
								    </tr>
								    <tr>
									    <td>E-mail Address
									    <td><input type="text" id="emailaddress" onchange="checkEmail(this.value);" name="email" value="<? echo $_SESSION['email'] ?>"></td>
								    </tr>
								    <tr>
									    <td>Password</td>
									    <td><input type="password" name="password"></td>
								    </tr>
								    <tr>
									    <td>Confirm Password</td>
									    <td><input type="password" name="confirm"></td>
								    </tr>
								    <tr>
									    <td colspan="2"><button type="submit" name="send" <? echo($_SESSION['un'] != "") ? "" : "disabled=\"true\""; ?>>Signup</button></td>
								    </tr>
							    </table>
						    </form>
					    <?
				    }
			    ?>
		    </center>
	    </td>
	<?
	include("resc/links.php");
	include("resc/footer.php");
?>
  • 2 Contributors
  • 2 Replies
  • 105 Views
  • 16 Hours Discussion Span
  • Latest Post Latest Post by Will Gresham

Recommended Answers

All 2 Replies

Member Avatar for cwarn23

I must ask about line 13. You used the function end(); which returns the value of an array between the brackets. If you want line 13 to end/exit the code, you must use the exit element or the code as showen below.

exit;

So now lines 11 to 14 would look as below if you want that if statement to exit the code.

if($emptyFields != "") {
header("Location: /signup.php?empty=1&$emptyFields");
exit; //needed to skip below code.
}
//rest of below code
Member Avatar for Will Gresham

Thanks, I wasn't sure about that one.

Still trying to find the weak point in the code which is allowing null db entries..

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.