Even with an invalid email address, code still inputs to database...huh?

[yduk]

Hey,
Ok below is the sign up script for my site, now I have a problem. I am validating email addresses so that I don't get any addresses without @ in them. Thing is, even though I tell it to output an error message, it still inputs the information into the database. Can you guys spot anything wrong?

PHP Code:

<?php 

#open session#
session_save_path('/home/mydir/data'); 
session_start(); 

if ($access_name=="") {
$title = "Hello, you are not logged in. Please click <a href=\"login.php\">here</a> to log in. To sign up click 
<a href=signup.php>here</a>.";
}else{ 
$title = "Hello $access_name, please click <a href=/members/welcome.php>here</a> to visit the members section.";
}


$form_complete="";
if ($formsubmit==1) {$formsubmit="";$sucess="";

#db connection#
include("access/data.inc.php");
mysql_connect ($SQLhost, $SQLuser, $SQLpass);
mysql_select_db ($SQLdb);

#null error report.#
$error="";

if ( ($firstname=="") || ($lastname=="") || ($addressline1=="") || ($city=="") || ($postcode=="") || ($telephonenumber=="") || ($email=="") )
    {
        $error_field=1;
        $error.="Please ensure that you have entered all information requested by the signup form.";
    }else{

#Check email address validity#
if(!ereg("^[_a-zA-Z0-9-]+(.[_a-zA-Z0-9-]+)*@([a-zA-Z0-9-]+.)+([a-zA-z]{2,3})$",$email)) {
  $error .= "Your email address is not valid, please try again.<br>\n";
}else{

}

#search for id#
$res_access = mysql_query ("SELECT id, userid, registered, password FROM users where userid='$id'");
$num_access = mysql_num_rows ($res_access);

#duplicates found#
if ($num_access>1) 
    { 
    $error .= "Duplicates found, please contast  the webmaster about this problem.<br>\n"; 

#no user found#
    }else if ($num_access==0) 
    {     
    $error .= "ID wasn't found in our database.<br>\n";
    }else{

#insert user into database#
$registered = mysql_result ($res_access,0,"registered");
$password = mysql_result ($res_access,0,"password");
        if ($registered=="0")
            {

$name = $firstname." ".$lastname;
$address = $addressline1.", ".$addressline2.", ".$city.", ".$county.", ".$postcode;
$telephonenumber;
$email;

$name = strtolower ($name);
$name = ucwords ($name);
$postcode = strtoupper ($postcode);
$postcode = ucwords ($postcode);
$address = strtoupper ($address);
$address = ucwords ($address);
$address = str_replace (", , ",", ",$address);
$telephonenumber = str_replace (" ", "", $telephonenumber);
$telephonenumber = str_replace ("-", "", $telephonenumber);
$telephonenumber = trim ($telephonenumber);

#update db#
@mysql_query ("update users set name='$name', address='$address', telephone='$telephonenumber', email='$email', registered='1' WHERE userid='$id' ");
$error .= "New user registration completed. You have been emailed your password.<br>\n";

#send email with password#
$From = 'Registration <chris@yduk.net>';
$headers .= "From: $From\r\n";

$subject = "Your details...";
$message = "Dear $name,\n\nThank you for registering!\n\nBelow are your login details needed to access the website.  We advise you to keep these details in a secure place.\n\nID: $id \nPassword: $password";
mail($email, $subject, $message, $headers);

//mail($contactemail, $subject, $message, $headers);
header("Location: success.php?Name=$name&Email=$email");

$sucess=1;
            }else{
#user already registered#
$error .= "This ID has already been registered.<br>\n";
            }
    }

    }

$form_complete="1";
}

?>

Cheers,
Chris

[MethoD]

PHP Code:

  $error .= "Your email address is not valid, please try again.<br>\n";
}else{

}

#search for id#
$res_access 


You closed your else tag causing the script to parse the rest. Either remove that } and put it after the section where it adds the entry to your database or you could put an exit after:

PHP Code:

$error .= "Your email address is not valid, please try again.<br>\n"; 


[mbenson]

if ( ($firstname=="") || ($lastname=="") || ($addressline1=="") || ($city=="") || ($postcode=="") || ($telephonenumber=="") || ($email=="") )


you have email being null (""), but you want to check for an @ in the address..

I got this from PHP Builder


if (!ereg("([[:alnum:]\.\-]+)(\@[[:alnum:]\.\-]+\.+)", $email)) {
$result = 'Not a valid email address';
}