Registration Script Revisited

[chibineku]

I was messing with my registration script, simplifying the form sanitization by using a loop and on testing it, noticed that it fails to create the appropriate record in the aromaAddress table, but it makes the insertion into aromaMaster. These won't mean anything, of course, but aromaMaster holds usernames, emails, passwords, while aromaAddress holds...you guessed it. I also noticed that someone registered that wasn't one of my own guff trial entries, but I tried e-mailing them and got a mailer daemon. Who was it - I know it was one of you! Anyway, here is the script, please see if you can spot why it would fail to create the aromaAddress record:

<?phpsession_start();include_once("db_include.php5");doDB();if(!$_POST) {  //come directly via address bar  header("Location: contact.php5");  exit;}//sanitize input$_CLEAN = array();foreach($_POST as $k=>$v) {if(preg_match("/sername/", $k)) {  $v = check_chars_username($v);} else if(preg_match("/mail/", $k)) {  $v = check_chars_email($v);} else  {  $v = check_chars_address($v);}$v = mysqli_real_escape_string($mysqli,(trim($v)));$_CLEAN[$k] = $v;if(!preg_match("/assword/", $k)) {$_SESSION[$k] = $v;}}if(empty($_CLEAN['f_name']) || empty($_CLEAN['l_name']) || empty($_CLEAN['address']) || empty($_CLEAN['town']) || empty($_CLEAN['country']) || empty($_CLEAN['password']) || empty($_CLEAN['confirmPassword']) || empty($_CLEAN['username']) || empty($_CLEAN['confirmUsername']) || empty($_CLEAN['email']) || empty($_CLEAN['confirmEmail']) || !filter_var($_CLEAN['email'], FILTER_VALIDATE_EMAIL) ||!filter_var($_CLEAN['confirmEmail'], FILTER_VALIDATE_EMAIL) || ($_CLEAN['confirmEmail'] === FALSE) || ($_CLEAN['password'] != $_CLEAN['confirmPassword']) || ($_CLEAN['username'] != $_CLEAN['confirmUsername']) || ($_CLEAN['email'] != $_CLEAN['confirmEmail'])) {  //required fields not set - send them back  header("Location: registration_form.php5?error=ef");  exit;}  //already registered?  //check for pre-existing account with same email address  $check_sql = "SELECT id FROM aromaMaster WHERE LOWER(email)='".strtolower($_CLEAN['email'])."'";  $check_res = mysqli_query($mysqli, $check_sql) or error_log(mysqli_error($mysqli)."\r\n");  if(mysqli_num_rows($check_res) >= 1) {	//duplicate entry	mysqli_free_result($check_res);	header("Location: registerfail.php5?error=ef");	exit;  }	//check for pre-existing account with same username	  $check_sql = "SELECT id FROM aromaMaster WHERE LOWER(username)='".strtolower($_CLEAN['username'])."'";  $check_res = mysqli_query($mysqli, $check_sql) or error_log(mysqli_error($mysqli)."\r\n");  if(mysqli_num_rows($check_res) >=1 ) {	//duplicate entry	mysqli_free_result($check_res);	header("Location: registerfail.php5?error=ef");	exit;} else {  //create query  $register_sql = "INSERT INTO aromaMaster (email, username, password, date_registered, last_seen) VALUES (  '".htmlspecialchars($_CLEAN['email'])."',  '".htmlspecialchars($_CLEAN['username'])."',  '".sha1($_CLEAN['password'])."',  now(), now())";  $register_res = mysqli_query($mysqli, $register_sql) or error_log(mysqli_error($mysqli)."\r\n");	  $userid = mysqli_insert_id($mysqli);	  $_SESSION["userid"] = $userid;	  $_SESSION["username"] = $_CLEAN['username'];	  session_write_close();	$address_sql = "INSERT INTO aromaAddress (userid, f_name, l_name, address, town, city, postcode) VALUES (	'$userid',	  '".htmlspecialchars($_CLEAN['f_name'])."',  '".htmlspecialchars($_CLEAN['l_name'])."',	'".htmlspecialchars($_CLEAN['address'])."',	'".htmlspecialchars($_CLEAN['town'])."',	'".htmlspecialchars($_CLEAN['city'])."',	'".htmlspecialchars($_CLEAN['country'])."',	'".htmlspecialchars($_CLEAN['postcode'])."')";	$address_res = mysqli_query($mysqli, $address_sql) or error_log(mysqli_error($mysqli)."\r\n");	  header("Location: registerredirect.php5");  }  mysqli_close($mysqli);  ?>

A side question: I leave session_write_close() until I am done with writing to the session, but can I write more once I close it, as long as I close it again?

[justsomeguy]

Does the error log have anything? The query looks fine to me.

I leave session_write_close() until I am done with writing to the session, but can I write more once I close it, as long as I close it again?

No, the script loses write access to the session.

[chibineku]

Oh man - I added a 'country' field to the registration form and to the account administration page, and tries to insert it, but didnt add it to the list of columns in my insert statement in the registration script so the column count wasn't right. Fixed, much quicker than usual. Thank you

[Distortion]

Why is it necessary to close the connection at the end of a script?It closes automatically I thought? Is this for some kind of security reason and if yes, then what?

[chibineku]

I don't usually close the connection manually, but when I was working through the tutorials in the book I leaned PHP from, they always manually closed the connection and I sometimes do, sometimes don't. It didn't quite become a reflex. I don't think it's necessary anyway.

[Synook]

Why is it necessary to close the connection at the end of a script?It closes automatically I thought? Is this for some kind of security reason and if yes, then what?

Session data is usually stored after your script terminated without the need to call session_write_close(), but as session data is locked to prevent concurrent writes only one script may operate on a session at any time. When using framesets together with sessions you will experience the frames loading one by one due to this locking. You can reduce the time needed to load all the frames by ending the session as soon as all changes to session variables are done.

[chibineku]

I think he meant why is it necessary to call mysqli_close($mysqli), but thanks for the info