PHP :| Form Checking Problems

[JonM]

Hey guys

PHP Code:

    if( ( strlen( $username ) > 3 ) AND ( strlen( $pass ) > 5 ) AND isset( $repass ) AND isset( $email ) ) { 


that line is not checking the forms right. It will check the username, and if it is less than 3 it will return an error message. But if the username checks out, the other forms don't matter...? ideas? Try it at http://timetorant.com/user.php?mode=register

PHP Code:

<?php
/*
* Created By:  Jonathon M.
* Created On:  Jan 17, 2005
* Page:        register.inc.php
* Details:     
* This page is to easily display a registration form
*/

$tpl->set_var('title','time2rant | user.php;register');

if( !isset( $_POST['submit'] ) ) {
    //No submit yet, display form :)
    $display = '<form method="POST" action="' . $_SERVER['PHP_SELF'] . '?mode=register">
 <p align="center">
  Username*:&nbsp; <br>
  <input type="text" name="username" size="31"></p>
  <p align="center">Password*: <br>
  <input type="password" name="password" size="31"></p>
  <p align="center">Re-Type Your Password*:&nbsp; <br>
  <input type="password" name="repassword" size="31"></p>
  <p align="center">Email*:&nbsp; <br>
  <input type="text" name="email" size="31"></p>
  <p align="center">You will be allowed to post your info such as your MSN 
  account after you fully registered.&nbsp; By clicking the submit button you 
  agree to the terms of this site.&nbsp; If you break these terms, we reserve 
  the right to delete your account, whether or not you are a featured member.&nbsp; 
  (If you are looking to become a featured member, then register here, then 
  click upgrade account in your profile.)</p>
  <p align="center"><input type="submit" value="Submit" name="submit"><input type="reset" value="Reset" name="B2"></p>
</form>';
    
} else {
    $username = addslashes( $_POST['username'] );
    $pass = md5( $_POST['password'] );
    $repass = md5( $_POST['repassword'] );
    $email = addslashes( $email );
    $signup = date("Y, d, M");
    if( ( strlen( $username ) > 3 ) AND ( strlen( $pass ) > 5 ) AND isset( $repass ) AND isset( $email ) ) {
        if( $pass !== $repass ) {
            $display = "<b>Error<br />Your passwords do not match.</b>";
        } else {
            $q1 = "SELECT * FROM ttr_blog_users WHERE user_name='" . $username . "'";
            $r1 = $DB->rnum( $q1 );
            if( $r1 != "1" ) {
                $q2 = "INSERT INTO ttr_blog_users VALUES(
                'NULL',
                '$username',
                '$pass',
                '$email',
                '',
                '',
                '',
                '',
                '',
                '$signup',
                '',
                '',
                '',
                '',
                '0')";
                if( $DB->query( $q2, "1" ) ) {
                    $display = "Thank you for registering <b>" . $username . "</b>.  You are now a registered member, and may log on!  Start posting!";
                } else {
                    $display = "There has been some kind of error, we will try to fix it soon.";
                }
            } else {
                $display = "Oops, some one already has that name!";
            }
        }
    } else {
        $display = "Please fill in all the forms";
    }
}

$tpl->set_var('Content',$display);
$tpl->set_file('text', './' . $config['templates'] . '/index.tpl');
echo $tpl->process('', 'text');

?>

[Capers]

You are MD5 hashing the passwords before you're validating the string lengths, so the $pass variable is greater than 5 when checked.

If repass is not set, either way MD5 hashing a NULL value will return d41d8cd98f00b204e9800998ecf8427e, so the variable is always set.

Also, what templating engine are you using mate? I haven't ever bothered using one before but had just started looking into it.

[JonM]

phemplate. I love it. It's simple, and not complicated as Smarty, yet works and loads fast. I don't really like smarty, and creating my own, I realized that it wasn't as advanced. So ici redirected me to phemplate.

I can't believe I forgot about the md5. sigh. lol.

[Capers]

Cheers mate.

Yeh i've made a similar mistake with MD5 before. Function i use for such debugging is var_dump()

[JonM]

I'll have to research var_dump. Just barely got this strlen() in my head lol. Finally the funcitons and stuff are making sense to me