
Registration / Login All-in-one Form


chibineku


I am making an all in one registration / login script, which will first display the registration form if $_POST is not set. If it is, but the required fields are not filled, it redirects to the page again, re-setting $_POST. If all the fields are filled in, then if the name of the submit button $_POST["login"] is set, the form confirms the login and sets a block of text, which is a page redirecting the user to their shopping basket or back to the store. If the submit button $_POST["register"] is set, then the user wants to register and an insert query is built and submitted. If this query returns no affected rows, then the script checks if the user is already registered. If so, logs them in and shows them the redirect page as per normal login. Otherwise, if the script returns 1 row affected, then I assume the insert was successful (I have the script break if the queries fail). Logging in works if you hit login, and if you miss a required field the redirects work, but that's it. I can't see the problem and I get no errors - I just get a blank screen in the event of the other circumstances. It's a big chunk of code, I'm afraid...

<?php
if(!$_POST) {
  //hasn't seen the registration form
  //display registration form
  $display_block = "
  <form method=\"POST\" action=\"".$_SERVER["PHP_SELF"]."\">
  <p>Please fill in the registration field (required fields marked with <span class=\"req\"><</span>)<br />
  First name: <input type=\"text\" name=\"f_name\" size=\"25\" maxlength=\"50\" /><span class=\"req\"><</span><br />
  Last name: <input type=\"text\" name=\"l_name\" size=\"25\" maxlength=\"50\" /><span class=\"req\"><</span><br />
  Address: <input type=\"text\" name=\"address\" size=\"50\" maxlength=\"150\" /><br />
  Town: <input type=\"text\" name=\"town\" size=\"50\" maxlength=\"150\" /><br />
  City: <input type=\"text\" name=\"city\" size=\"50\" maxlength=\"150\" /><br />
  Post Code: <input type=\"text\" name=\"postcode\" size=\"10\" maxlength=\"10\" /><br />
  Username: <input type=\"text\" name=\"username\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
  Confirm username: <input type=\"text\" name=\"usernameConfirm\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
  Password: <input type=\"password\" name=\"password\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
  Confirm password: <input type=\"password\" name=\"passwordConfirm\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
  <br />
  <input type=\"submit\" name=\"register\" value=\"Register\" /><br /><br />
  Already a member? <input type=\"submit\" name=\"login\" value=\"Login\" />
  </p>";
} else if ((!isset($_POST["username"])) || (!isset($_POST["usernameConfirm"])) || (!isset($_POST["password"])) || (!isset($_POST["passwordConfirm"]))) {
  //hasn't filled out all the fields
  header("Location: ".$_SERVER["PHP_SELF"]."");
  exit;
} else if($_POST["login"]) {
  //user is logging in, so connect to server and select database, check they are registered and their details are right
  $mysqli = mysqli_connect(hostname,username,pass,dbname);
  //create and issue the query
  $sql = "SELECT f_name, l_name FROM auth_users WHERE username='".$_POST["username"]."' AND password=PASSWORD('".$_POST["password"]."')";
  $sql_res = mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));
  //get the number of rows in the result set; should be 1 if a match
  if(mysqli_num_rows($sql_res) == 1) {
    //if authorized, get the values of f_name, l_name
    while($info = mysqli_fetch_array($sql_res)) {
      $f_name = stripslashes($info["f_name"]);
      $l_name = stripslashes($info["l_name"]);
    }
    //set authorization cookie
    setcookie("auth", "1", 0, "/", "sinaesthesia.co.uk", 0);
    //create display string
    $display_block = "<p>".$f_name." ".$l_name." is authorized.</p>
    <p>You are now logged in.</p>
    <a href=\"basket.php5\">View Basket</a> | <a href=\"home.php5\">Continue Shopping</a>";
  } else if($_POST["register"]) {
    //connect to db and issue registration query
    $mysqli = mysqli_connect(hostname,username,pass,dbname);
    $register_sql = "INSERT INTO aromaMaster (username, password, date_registered) VALUES ('".$_POST["username"]."',PASSWORD('".$_POST["password"]."'),now())";
    $register_res = mysqli_query($mysqli, $register_sql) or die(mysqli_error($mysqli));
    if (mysqli_num_rows($register_res) != 1) {
      //registration failed - perhaps duplicate account
      $check_sql = "SELECT username, password FROM aromaMaster WHERE username='".$_POST["username"]."' AND password=PASSWORD('".$_POST["password"]."')";
      $check_res = mysqli_query($mysqli, $check_sql) or die(mysqli_error($mysqli));
      if(mysqli_num_rows($check_res) == 1) {
        //already a member
        //set authorization cookie
        setcookie("auth", "1", 0, "/", "sinaesthesia.co.uk", 0);
        $display_block = "
        <p>You are already registered.</p>
        <a href=\"basket.php5\">View Basket</a> | <a href=\"home.php5\">Continue Shopping</a>";
      }
    } else {
      //success
      $display_block = "
      <p>You are registered!</p>
      <a href=\"basket.php5\">View Basket</a> | <a href=\"home.php5\">Continue Shopping</a>";
    }
  }
  mysqli_close($mysqli);
}
?>
<html><head><title>Login / Register</title></head><body><?php echo "$display_block"; ?></body></html>


The thing from before was a problem, but not the solution - do please look :)


Don't use isset to check if they haven't filled something out. If they submit a blank field it's going to be set, it's just going to be empty. Use the empty function to check instead. I'm not really clear on what else is not working correctly.

If this query returns no affected rows, then the script checks if the user is already registered. If so, logs them in and shows them the redirect page as per normal login.
Is that a security issue? Can someone log in as another user just by trying to register as them?

I will change the issets, but they are working just now (the right thing happens, in any event). If someone tried to register as someone else, they'd need to choose the same username and password, so I don't think it's likely a security issue.


If I'm reading this correctly, this clause:

} else if($_POST["register"]) {

is hanging off this clause:

if(mysqli_num_rows($sql_res) == 1) {

But I think you mean for it to hang off this clause????

} else if($_POST["login"]) {

All the opening braces have a matching close brace, so there's no parsing error. It just seems like the logic is out of whack. You're currently testing for a condition where both the register and the login values would be set at the same time, and I think that wouldn't ever be possible??? (That was the point of your earlier thread, yes?)


Oooh, that makes sense then. When I first ran the script I had a parse error due to a missing brace, and I thought I had found where it should go, but I reckon there have to be two closing braces before the else if $_POST["register"] statement. Muchos gracias.


Hm, now I get an error about sending headers which I don't understand because at that point nothing has been output (the error points me to the setcookie line), and one about mysqli_num_rows expecting its argument to be mysqli_result (which I gave it), and not the boolean it has been given. Odd. I am very close to breaking this up into smaller single purpose scripts


Okay, I have decided to separate my register and login scripts, and this is what I have so far for the new register script:

<?php
include("db_include.php5");
if(!$_POST) {
  //come directly via address bar
  header("Location: index.php5");
  exit;
} else if(empty($_POST["f_name"]) || empty($_POST["f_name"]) || empty($_POST["address"]) || empty($_POST["postcode"]) || empty($_POST["username"]) || empty($_POST["password"]) || empty($_POST["confirmUsername"]) || empty($_POST["confirmPassword"]) || ($_POST["password"] != $_POST["confirmPassword"]) || ($_POST["username"] != $_POST["confirmUsername"])) {
  //required fields not set - send them back
  header("Location: ".$_SERVER["PHP_SELF"]."");
  exit;
} else {
  //create query
  $register_sql = "INSERT INTO aromaMaster (f_name, l_name, email, username, password, date_registered) VALUES (
  '".$_POST["f_name"]."',
  '".$_POST["l_name"]."',
  '".$_POST["email"]."',
  '".$_POST["username"]."',
  PASSWORD('".$_POST["password"]."'),
  now())";
  $register_res = mysqli_query($mysqli, $register_sql) or die(mysqli_error($mysqli));
  if (mysqli_num_rows($register_res) != 1) {
    //account exists - login
  } else if(mysqli_num_rows($register_res) == 1) {
    //insertion successful, fetch id and insert address
    $userid = mysqli_insert_id($mysqli);
    $address_sql = "INSERT INTO aromaAddress (userid, address, town, city, postcode) VALUES (
    '".$userid."',
    '".$_POST["address"]."',
    '".$_POST["town"]."',
    '".$_POST["city"]."',
    '".$_POST["postcode"]."')";
    $address_res = mysqli_query($mysqli, $address_sql) or die(mysqli_error($mysqli));
    if(mysqli_num_rows($address_res) == 1) {
      //success - set cookie
      setcookie("auth", "1", 0, "/", "sinaesthesia.co.uk", 0);
      header("Location: welcome.php5");
    }
  }
}
mysqli_close($mysqli);
?>

I am getting an error about the mysqli_query($register_sql) line being null (that would be the first query), and I can't see anything wrong with it.

On a separate issue, I'm looking for advice on how to work the whole logged-in thing. If I register the person and set a session cookie, do I just check for the presence of this cookie on all pages that depend on being logged in, like for example if someone clicks on their shopping basket? Do I just check for the cookie value, and if it's correct, show them their basket, or if not show them the login/register page? Or, once signed in, do I start a session?


What's the actual error message you're getting?

It's better to use sessions, with the session you can just store the user ID. If you use cookies you need to have it protected in a way where someone can't just write their own cookie and get logged in, but secure enough that one user can't steal another user's cookie and have it work for them. With sessions all of that data is stored on the server, so you don't need to protect it.

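A login that does what the reply above recommends, as an added example that is not code from the thread or from the poster's site: the logged-in state is a user id in $_SESSION, so the browser holds nothing but the session cookie, and an auth=1 cookie of the kind the posted code sets (which anyone can write themselves) is no longer needed. It also uses prepared statements instead of concatenating $_POST values into the SQL string, and PHP's password_hash()/password_verify() instead of MySQL's PASSWORD(), which sends the plaintext to the database server and was removed in MySQL 8.0. Assumptions, none of which are in the original: $mysqli comes from db_include.php5 as in the second script; the aromaMaster table has columns id, username and password, with password holding password_hash() output (VARCHAR(255)); the site is served over HTTPS; the form field and button names are the ones the posted form uses.

```php
<?php
// Added example, not code from the thread. Session-based login with mysqli
// prepared statements. Assumes $mysqli from db_include.php5 and an aromaMaster
// table (id, username, password) where password is a password_hash() string.
declare(strict_types=1);
include("db_include.php5");
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false

// Session cookie flags, set before session_start(): not readable by script
// (HttpOnly), only sent over TLS (Secure; assumes HTTPS), and not sent on
// cross-site requests (SameSite=Lax).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
    'path'     => '/',
]);
session_start();

// Hash of a throwaway value, used when the username does not exist so a miss
// still costs one password_verify() and timing does not reveal valid usernames.
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
}

// Returns true and marks the session as logged in when the credentials match.
function login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password FROM aromaMaster WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();

    $hash = $row['password'] ?? dummyHash();
    if ($row === null || !password_verify($password, $hash)) {
        return false;
    }

    // New session id at login: an id an attacker planted before authentication
    // (session fixation) must not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['userid'] = (int) $row['id'];
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : null;
}

// Call at the top of basket.php5 and any other page that needs a logged-in user.
function requireLogin(): int
{
    $id = currentUserId();
    if ($id === null) {
        header('Location: index.php5');
        exit;
    }
    return $id;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Form handling for this page; the button and field names match the posted form.
$display_block = '';
if (isset($_POST['login'])) {
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');
    if ($username !== '' && login($mysqli, $username, $password)) {
        header('Location: basket.php5');
        exit;
    }
    // One message for "no such user" and "wrong password" alike.
    $display_block = '<p>Login failed.</p>';
}
```

Every page that shows per-user data then calls requireLogin() and uses the returned id in its queries; nothing about who is logged in ever travels to the browser, which is the property the reply above is describing. The "headers already sent" error mentioned earlier in the thread also cannot occur here, because every header() and setcookie() call happens before any output.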

I can't remember exactly... it says something like: mysqli_num_rows expects first argument to be mysqli result; null provided. The query works, though - I get a new db entry. Feel free to try at www.sinaesthesia.co.uk/form.php5

I will use sessions then. How's best to pass userids around on a shopping site though? Just store the session id in the db with the user info and then I can use that to find the right names etc.?

I can't remember exactly...it says something like: mysqli_num_rows expects first argument to be mysqli result; null provided
Oh, right - an INSERT query does not return a resource. You might want to check if they're in the database before trying to insert.
I will use sessions then. How's best to pass userids around on a shopping site though? Just store the session id in the db with the user info and then I can use that to find the right names etc.?
You can just save their ID in the session and access it on any other page. e.g.:$_SESSION['userid'] = 10;
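The registration side, as an added example that is not code from the thread, following the two replies above: an INSERT produces no result set (mysqli_query() returns true or false for it), so the outcome is read from affected_rows and insert_id rather than mysqli_num_rows(); the required-field check uses the empty-field test suggested earlier, written with trim() because empty("0") is true and would reject a legitimate value of "0"; and the user row and the address row go into one transaction so a failed address insert does not leave a half-registered account. Instead of a SELECT before the INSERT, the example relies on a UNIQUE index on username and catches the duplicate-key error, because a SELECT-then-INSERT leaves a window in which two concurrent requests both see the name as free. Assumptions not in the original: $mysqli comes from db_include.php5; aromaMaster has an AUTO_INCREMENT id and a UNIQUE index on username; the password column is VARCHAR(255) to hold password_hash() output; the field names are those of the second posted script.

```php
<?php
// Added example, not code from the thread. Registration with prepared INSERTs,
// checked via affected_rows/insert_id, user and address rows in one transaction.
// Assumes $mysqli from db_include.php5, an AUTO_INCREMENT aromaMaster.id and a
// UNIQUE index on aromaMaster.username.
declare(strict_types=1);
include("db_include.php5");
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception
session_start();

const ER_DUP_ENTRY = 1062; // MySQL error number for a unique-key violation

/** Returns a list of problems with the submitted form; an empty list means it is acceptable. */
function validateRegistration(array $post): array
{
    $errors = [];
    // trim() check rather than empty(): empty("0") is true.
    foreach (['f_name', 'l_name', 'username', 'confirmUsername', 'password', 'confirmPassword'] as $f) {
        if (trim((string) ($post[$f] ?? '')) === '') {
            $errors[] = "$f is required";
        }
    }
    if (($post['username'] ?? '') !== ($post['confirmUsername'] ?? '')) {
        $errors[] = 'usernames do not match';
    }
    if (($post['password'] ?? '') !== ($post['confirmPassword'] ?? '')) {
        $errors[] = 'passwords do not match';
    }
    if (strlen((string) ($post['password'] ?? '')) < 8) {
        $errors[] = 'password must be at least 8 characters';
    }
    return $errors;
}

/**
 * Inserts the user and their address. Returns the new user id, or null when the
 * username is already taken; any other database error propagates.
 */
function registerUser(mysqli $db, array $post): ?int
{
    // bind_param() takes its arguments by reference, so copy into locals first.
    $fName    = (string) ($post['f_name'] ?? '');
    $lName    = (string) ($post['l_name'] ?? '');
    $username = trim((string) ($post['username'] ?? ''));
    $hash     = password_hash((string) ($post['password'] ?? ''), PASSWORD_DEFAULT);
    $address  = (string) ($post['address'] ?? '');
    $town     = (string) ($post['town'] ?? '');
    $city     = (string) ($post['city'] ?? '');
    $postcode = (string) ($post['postcode'] ?? '');

    $db->begin_transaction();
    try {
        $stmt = $db->prepare(
            'INSERT INTO aromaMaster (f_name, l_name, username, password, date_registered) VALUES (?, ?, ?, ?, NOW())'
        );
        $stmt->bind_param('ssss', $fName, $lName, $username, $hash);
        $stmt->execute();
        // No result set for an INSERT: affected_rows and insert_id carry the outcome.
        if ($stmt->affected_rows !== 1) {
            throw new RuntimeException('user insert affected ' . $stmt->affected_rows . ' rows');
        }
        $userid = (int) $db->insert_id;
        $stmt->close();

        $addr = $db->prepare(
            'INSERT INTO aromaAddress (userid, address, town, city, postcode) VALUES (?, ?, ?, ?, ?)'
        );
        $addr->bind_param('issss', $userid, $address, $town, $city, $postcode);
        $addr->execute();
        $addr->close();

        $db->commit();
        return $userid;
    } catch (Throwable $e) {
        $db->rollback();
        if ($e instanceof mysqli_sql_exception && $e->getCode() === ER_DUP_ENTRY) {
            // The UNIQUE index, not a SELECT beforehand, guarantees one row per username.
            return null;
        }
        throw $e;
    }
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: index.php5'); // came directly via the address bar
    exit;
}
$errors = validateRegistration($_POST);
if ($errors === []) {
    $userid = registerUser($mysqli, $_POST);
    if ($userid === null) {
        $errors[] = 'that username is already taken';
    } else {
        session_regenerate_id(true);   // fresh id once the user is authenticated
        $_SESSION['userid'] = $userid; // the browser holds only the session cookie
        header('Location: welcome.php5');
        exit;
    }
}
// Fall through with $errors set: re-display the form with the messages rather
// than redirecting, which would lose both the errors and what was typed.
```

Returning null for "username taken" and letting every other database failure throw keeps the two outcomes the second script conflated (a real insert failure versus an existing account) distinct, and the caller decides what to show for each.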

Sweet - I believe you have fixed both my problems at once. I'm not at my comp - on my handheld - but I will check asap. Thanks, man


edit: stupido

