So, the code is not stopping…

Okay, so how do I make it stop? I know about using exit(), but this turns everything into a blank white page…

Well, there’s a couple of ways of going about this.

If you want it to just stop at the first error it comes across, instead of doing

if X {
  A
}
if Y {
  B
}

, string them all together as one great big if:

if X {
  A
} elseif Y {
 B
}
...
else {
  There were no errors, do Z.
}

Alternatively, you can gather up the individual errors into an array, and let the user know they missed multiple things, outputting something like:

First Name is required
A username is required
So, something like this?

if(empty($_POST['first_name']) && empty($_POST['last_name']) && empty($_POST['username']) && empty($_POST['password']) && empty($_POST['confirm_pwd'])) {
		$msg = "Please complete the form to add a new user";
	} elseif(empty($_POST['first_name'])) {
		$msg = "First Name is required";
	} elseif(empty($_POST['last_name'])) {
		$msg = "Last Name is required";
	} elseif(empty($_POST['username'])) {
		$msg = "A username is required";
	} elseif(empty($_POST['password'])) {
		$msg = "A password is required";
	} elseif(!preg_match("/[A-Za-z0-9]+/", $_POST['username'])) {
 		$msg = "The username provided is invalid";
	} elseif(strlen($_POST['password']) > 20 || strlen($_POST['password']) < 5) {
		$msg = "Password must be between 5 and 20 characters";
	} elseif($_POST['password'] != $_POST['confirm_pwd']) {
		$msg = "The two passwords do not match";
	}elseif (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
  		$msg = "The email address provided is invalid";
	} else {
	
	/*
	$sql = "INSERT INTO users (first_name, last_name, email, username, password) VALUES (?, ?, ?, ?, ?)";
	$stmt = $pdo->prepare($sql);
	$stmt->bindParam(1, $_POST['first_name']);
	$stmt->bindParam(2, $_POST['last_name']);
	$stmt->bindParam(3, $_POST['email']);
	$stmt->bindParam(4, $_POST['username']);
	$stmt->bindParam(5, $password);
	$result = $stmt->execute();
	header('Location: users.php');
	exit(); */

	}
To steal a line from Rudy…
“What happens when you try it?” ™

It works, but I just thought of something that I don’t have.

I need to add a constraint to prevent a user signing up with a duplicate username.

How do I do this?

Depends on how you have constructed your table.

Is username a key on your table?

Yes, it is:

it doesnt appear to be a key on the table. There’s no Unique constraint visible, the primary key is “id”.

Oh, I see what you mean:

If you’ve made it a Unique field in the table, then when you try to insert it, it will fail if you insert a duplicate username, so you would check to see if your query succeeded or not.

So:

if(!$stmt) {
     $msg = "Another account with this username already exists."
}
$result is the result of your query, not $stmt.

#17

Notice: Undefined variable: result in C:\xampp\htdocs\cabgop\user_new.php on line 49

if($_SERVER["REQUEST_METHOD"] == "POST") {
	$first_name = $_POST['first_name'];
	$last_name = $_POST['last_name'];
	$email = $_POST['email'];
	$username = $_POST['username'];
	$password = password_hash($_POST['password'], PASSWORD_DEFAULT);

	if(empty($_POST['first_name']) && empty($_POST['last_name']) && empty($_POST['username']) && empty($_POST['password']) && empty($_POST['confirm_pwd'])) {
		$msg = "Please complete the form to add a new user";
	} elseif(empty($_POST['first_name'])) {
		$msg = "First Name is required";
	} elseif(empty($_POST['last_name'])) {
		$msg = "Last Name is required";
	} elseif(empty($_POST['username'])) {
		$msg = "A username is required";
	} elseif(empty($_POST['password'])) {
		$msg = "A password is required";
	} elseif(!preg_match("/[A-Za-z0-9]+/", $_POST['username'])) {
 		$msg = "The username provided is invalid";	
	} elseif(strlen($_POST['password']) > 20 || strlen($_POST['password']) < 5) {
		$msg = "Password must be between 5 and 20 characters";
	} elseif($_POST['password'] != $_POST['confirm_pwd']) {
		$msg = "The two passwords do not match";
	}elseif (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
  		$msg = "The email address provided is invalid";
	} else {
	
	$sql = "INSERT INTO users (first_name, last_name, email, username, password) VALUES (?, ?, ?, ?, ?)";
	$stmt = $pdo->prepare($sql);
	$stmt->bindParam(1, $_POST['first_name']);
	$stmt->bindParam(2, $_POST['last_name']);
	$stmt->bindParam(3, $_POST['email']);
	$stmt->bindParam(4, $_POST['username']);
	$stmt->bindParam(5, $password);
	$result = $stmt->execute();
	header('Location: users.php');
	exit();

	}
	
	if(!$result) {
		$msg = "Another account with this username already exists.";
	}
Think about where you should be putting that if. It’s in the wrong place.

#19

I moved it inside the query, and I get this:

Fatal error: Uncaught PDOException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'jmyrtle' for key 'username' in C:\xampp\htdocs\cabgop\user_new.php:43 Stack trace: #0 C:\xampp\htdocs\cabgop\user_new.php(43): PDOStatement->execute() #1 {main} thrown in C:\xampp\htdocs\cabgop\user_new.php on line 43

if($_SERVER["REQUEST_METHOD"] == "POST") {
	$first_name = $_POST['first_name'];
	$last_name = $_POST['last_name'];
	$email = $_POST['email'];
	$username = $_POST['username'];
	$password = password_hash($_POST['password'], PASSWORD_DEFAULT);

	if(empty($_POST['first_name']) && empty($_POST['last_name']) && empty($_POST['username']) && empty($_POST['password']) && empty($_POST['confirm_pwd'])) {
		$msg = "Please complete the form to add a new user";
	} elseif(empty($_POST['first_name'])) {
		$msg = "First Name is required";
	} elseif(empty($_POST['last_name'])) {
		$msg = "Last Name is required";
	} elseif(empty($_POST['username'])) {
		$msg = "A username is required";
	} elseif(empty($_POST['password'])) {
		$msg = "A password is required";
	} elseif(!preg_match("/[A-Za-z0-9]+/", $_POST['username'])) {
 		$msg = "The username provided is invalid";	
	} elseif(strlen($_POST['password']) > 20 || strlen($_POST['password']) < 5) {
		$msg = "Password must be between 5 and 20 characters";
	} elseif($_POST['password'] != $_POST['confirm_pwd']) {
		$msg = "The two passwords do not match";
	/*}elseif (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
  		$msg = "The email address provided is invalid";*/
	} else {
	
	$sql = "INSERT INTO users (first_name, last_name, email, username, password) VALUES (?, ?, ?, ?, ?)";
	$stmt = $pdo->prepare($sql);
	$stmt->bindParam(1, $_POST['first_name']);
	$stmt->bindParam(2, $_POST['last_name']);
	$stmt->bindParam(3, $_POST['email']);
	$stmt->bindParam(4, $_POST['username']);
	$stmt->bindParam(5, $password);
	$result = $stmt->execute();
	header('Location: users.php');
	exit();

	if(!$result) {
		$msg = "Another account with this username already exists.";
	}
	}
}
Oh sorry, you’ve got PDO in Exception throwing mode. try your execute, and if you catch a result then there was a duplication of a username.

#21

Sorry, I don’t quite understand what that means…

#22

that’s why I put it in as a link :wink:

Checks done this way lead to hard to use UIs. Let’s say I first forget my last name and fill a password that is too short. When I submit I see that I forgot my last name, so I submit again and see that my password is too short. It would have been nice to see both those messages, so I fix everything in one go.

I’d modify the code like so:

$errors = [];
if (empty($_POST['first_name'])) {
    $errors[] = "First Name is required";
}

if (empty($_POST['last_name'])) {
    $errors[] = "Last Name is required";
}

if (empty($_POST['username'])) {
    $errors[] = "A username is required";
}

if (empty($_POST['password'])) {
    $errors[] = "A password is required";
}

if (!preg_match("/[A-Za-z0-9]+/", $_POST['username'])) {
    $errors[] = "The username provided is invalid";
}

if (strlen($_POST['password']) > 20 || strlen($_POST['password']) < 5) {
    $errors[] = "Password must be between 5 and 20 characters";
}

if ($_POST['password'] != $_POST['confirm_pwd']) {
    $errors[] = "The two passwords do not match";
}

if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    $errors[] = "The email address provided is invalid";
}

if (count($errors) === 0) {
    // perform insertion logic
}

A few assorted remarks:

  1. Why do you have a maximum length on passwords?
  2. Avoid == and != - always use === and !== instead. The difference is that == and != check that values are more or less (not) the same, as an example == will deem the string foobar equal to the integer 0, while these are clearly different things. === will deem the string foobar not equal to the integer 0 because one is a string and the other is an integer, so by definition they can’t be the same.
  3. How about a first name, last name, username that consists of just spaces, would that be valid?
@rpkamp is right how you should do this.

One thing not shown, is that you need to trim the POST array otherwise a space will pass the validation which he asked about.

I would suggest you fail as soon as possible. So the change I would make to @rpkamp’s example would be at the last line replacing

if (count($errors) === 0) {
    // perform insertion logic
}

with

if ($errors){
// Handle Errors - Loop over errors array
}
else{
//Process Form/perform insertion logic
}

It also continues with the logic flow of error code instead of jumping over a block of non error related code and then coming back to dealing with the errors after that block.