My simple register/deregister script

[lobster_d]

Hi,
I'm learning php from experience and small internet tutorials, and ive come to a bit of a halt. I want this script (below) to beable to register and deregister users that fill out forms on seperate pages. I think ive got the majority of first part (adding users) correct, but im kind of lost as i havnt found any tutorials that talk about deleting users.

The two pages are register.php and deregister.php with form actions of "process.php?id=register" and "process.php?id=deregister" respectivly.

I want the deregister part of the script to check if the user exists, and if so check the entered password, which if it is correct will delete the user from the db.

This page (with the code) is process.php

PHP Code:


<?php
$db_server="localhost";
$db_username="forrestj_admin";
$db_password="";
$db_name="forrestj_bxgmembers";

if ($btnSubmit)
{
    // This is where it processes the register.php form and adds the user
    if ($id=="register")
    {
        $db = mysql_connect($db_server, $db_username, $db_password);
        mysql_select_db($db_name, $db);
        $result = mysql_query("SELECT * FROM attendies", $db);
        $idnum = (mysql_num_rows($result) + 1);
        if ($myrow = mysql_fetch_array($result))
        {
            $tempuser = $myrow["alias"];
            do
            {
            $tempuser = $myrow["alias"];
                if ($txtAlias == $tempuser)
                {
        ?>
        
        <script language="javascript">
        alert('That alias already exists in our database.');
        location.href="register.php";
        </script>
        
        <?
                }
            } while ($myrow = mysql_fetch_array($result));
        }
        $db = mysql_connect("localhost", "forrestj_admin", "");
        mysql_select_db("forrestj_bxgmembers", $db);
        $newpassword = md5($txtPassword);
        $sql = "INSERT INTO attendies (firstname,lastname,alias,password) VALUES ('$firstname','$lastname','$txtAlias','$txtPassword')";
        mysql_query($sql) or die(mysql_error());
        ?>
        
        <script language="javascript">
        alert('You have been added to our database. Thanks for your interest.');
        location.href="attendies.php";
        </script>
        <?
        echo "redirect failed";
    }
    // This is where it processes the deregister.php form and deletes the user
    if ($id="deregister")
    {
        $db = mysql_connect($db_server, $db_username, $db_password);
        mysql_select_db($db_name, $db);
        $result = mysql_query("SELECT * FROM attendies", $db);
        $idnum = (mysql_num_rows($result) + 1);
        if ($myrow = mysql_fetch_array($result))
        {
            $tempuser = $myrow["alias"];
            do
            {
            $tempuser = $myrow["alias"];
                if ($txtAlias == $tempuser)
                {
        //what to do if the alias enter exists
        $db = mysql_connect("localhost", "forrestj_admin", "");
        mysql_select_db("forrestj_bxgmembers", $db);        
        $sql = "DELETE FROM attendies WHERE password=$txtPassword";
          $result = mysql_query($sql);
                }
            } while ($myrow = mysql_fetch_array($result));
        }
        else {
        ?>
        
        <script language="javascript">
        alert('That alias doesnt exist in our database.');
        location.href="deregister.php";
        </script>
        
        <?
        }
        ?>

        <script language="javascript">
        alert('You have been removed from our database.');
        location.href="attendies.php";
        </script>
        <?
        echo "redirect failed";
    }
}
?>

I know its messy, there are probably bugs and it hasnt been completed yet, but if anyone could help me out id be VERY greatfull.

thanks

-lobster d

[plugged]

Some quick notes:

• I wouldn't fetch each row and check if the alias exists. Instead, specify a WHERE clause.
  
  
  PHP Code:

    $result = mysql_query("SELECT 1 FROM attendies WHERE alias = '$txtAlias'");
  if (mysql_num_rows($result))
    print "The alias already exists..";
  else {
    /* add the user to the database */
  } 

• You don't need to connect to the database server and select the database to use for each query you make. You should only connect once.
  
• Look up register_globals and possibly magic_quotes_gpc, as you may suffer from security problems based on the code you've shown.
  

[coo_t2]

I've modified your code to hopefully guide you in the right direction. This code is untested. Hopefully if someone sees something wrong with it, they will point it out.

PHP Code:

   
   <?php
   
   // enable output buffering so headers will be sent first
   ob_start();
   
   $db_server="localhost";
   $db_username="forrestj_admin";
   $db_password="";
   $db_name="forrestj_bxgmembers";
   
   
   if ($_POST['btnSubmit'] )
   {
       $escpFirstname = mysql_escape_string(trim($_POST['firstname']) );
       $escpLastname  = mysql_escape_string(trim($_POST['lastname']) );
       $escpUsername  = mysql_escape_string(trim($_POST['username']) );
       $escpPassword  = mysql_escape_string(trim($_POST['password']) );
   
       // This is where it processes the register.php form and adds the user
       if ($id=="register")
       {
           $db = mysql_connect($db_server, $db_username, $db_password);
           mysql_select_db($db_name, $db);
         $result = mysql_query("SELECT * FROM attendies WHERE username='$escpUusername'", $db);
   
           if (mysql_num_rows($result) > 0 )
           {         
               echo 'That alias already exists in our database.';
   
             header("Location: http://www.yoursite.com/register.php");
   
               // should always "exit;" after sending a header.
               exit;
           }
           else
           {   
               $md5password = md5($escpPassword);
   
             $sql = "INSERT INTO attendies (firstname,lastname,alias,password) VALUES ('$escpFirstname','$escpLastname','$escpUusername','$md5password')";
               mysql_query($sql) or die(mysql_error());
               
             echo 'You have been added to our database. Thanks for your interest.';
   
             header("Location: http://www.yoursite.com/attendies.php");
               
               exit;
           }
       }
   
       // This is where it processes the deregister.php form and deletes the user
       if ($id=="deregister")
       {
           $md5password = md5($escpPassword);
   
           $db = mysql_connect($db_server, $db_username, $db_password);
           mysql_select_db($db_name, $db);
         $result = mysql_query("SELECT * FROM attendies WHERE username='$escpUusername' AND password='$md5password'", $db);
   
           if (mysql_num_rows($result) > 0 )
           {         
             $sql = "DELETE FROM attendies WHERE username='$escpUsername'";
               
               if ($result = mysql_query($sql) )
               {   
                   echo 'You were removed successfully.';
                   
              header("Location: http://www.yoursite.com/deregister.php");
   
                   exit;
               }
               else
               {   echo 'Error removing user';
   
              // may want to log your error to file and maybe do some other stuff 
              // to help you figure out why this failed. This could be a bug that 
                   // happens often.
                   
              header("Location: http://www.yoursite.com/wherever.php");
   
                   exit;
               }
   
           }
           else 
           {   
             echo 'That username/password combination doesnt exist in our database.';
   
             header("Location: http://www.yoursite.com/deregister.php");
   
               exit;
           }
       }
   }
   
   // flush buffered output
   ob_end_flush();
   
   ?>

Edit:


I've just sort of pretended that the values being sent through the form are firstname, lastname, username, and password. You can change these to match the names you are really using. It also looks like you are using 'alias' in the database as your username, you can change it accordingly. I just used the names I felt most comfortable with(the ones I'm used to using).

--ed

[plugged]

Ed: mysql_escape() isn't a function. You're looking for mysql_escape_string().

[coo_t2]

Ed: mysql_escape() isn't a function. You're looking for mysql_escape_string().

Thanks, I edited it.

--ed

[lobster_d]

Thanks very much for the quick responses,

However, im now experiencing some errors of which i don't understand the source.

When trying to register i receive this error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/forrestj/public_html/process.php on line 26
No Database Selected

When trying to deregister (a existing or non existing user) i get this error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/forrestj/public_html/process.php on line 59
That username/password combination doesnt exist on the attendie list.

The only modifications to the code above have been to make it compatible with my database/website, but if need be i can re-post the script.

Thanks again,

Lobster