Re: To check for existing user in database

    Welcome to the list, Chris.

    Your code is going to require some rewriting to save you a lot of
headaches and serious security issues down the road.  So here we go:

On Thu, Jan 15, 2009 at 12:46, Chris Carter <chandan9sharma@xxxxxxxxx> wrote:

<?php
/* Always use full tags.  If short_open_tags is on, the code will
    still work just fine, but if you use just short tags and it's not
    turned on, your code won't run.  Also, full open tags allow
    cohabitation of PHP and XML. */

/*
    It would be better to keep this in a separate file, outside of
    the web-accessible root.  For example, perhaps in
    /home/user/php_includes/db.inc.php
    This way, if anything happens - say your web host messes
    something up and doesn't add PHP into the httpd.conf for
    Apache - your code source may display, but your passwords
    will remain secure.  Keep in mind: you may not be able to
    access a page via the web unless it's in ~/public_html/, www/,
    htdocs/, etc., but PHP can still read it.

    And, to make it easy to switch from one host (or account) to
    another, you can use dirname().  And we use include_once()
    here in case you decide to expand.  So, for example, say this
    script is in /home/user/public_html/register.php - you would do:
*/

    include_once(dirname(dirname(__FILE__)).'/php_includes/db.inc.php');

/*
    And in /home/user/php_includes/db.inc.php:
    <?php
      // database information
      $host = 'xxx';
      $user = 'xxx';
      $password = 'xxx';
      $dbName = 'xxx';

      // Store this here so you only have to set it once, then include
      // this file elsewhere.
      // Connect and select the database.
      $conn = mysql_connect($host, $user, $password) or die(mysql_error());
      $db = mysql_select_db($dbName, $conn) or die(mysql_error());
    ?>
*/

// isset() avoids an "undefined index" notice when the form was not submitted.
if(isset($_POST['submit'])) {
    // Check to see if the user already exists.
    $sql  = "SELECT emailAddress AS email FROM owners ";
    $sql .= "WHERE emailAddress='".mysql_real_escape_string($_POST['emailAddress'])."' ";
    $sql .= "LIMIT 0,1";
    /*
        Several things are happening here:
            1.) We're spanning the variable by using $sql  = "" followed
                by $sql .= "" to append.
            2.) We're using MySQL's `AS` aliasing syntax to shorten the
                column name on output (not in the DB).
            3.) We're checking to see if $_POST['emailAddress'] is
                already registered.
            4.) We're SANITIZING INPUT(!!!!) with
                mysql_real_escape_string().  VERY IMPORTANT!!!!
            5.) We're telling MySQL that we only need the first result
                returned, because that will still be a positive result.
    */

    // Get the resource ID of this query connection as $result.
    $result = mysql_query($sql);

    // Fetching the row allows error suppression and validation in one shot.
    if(($row = mysql_fetch_assoc($result)) == True) {

        /* This record already exists in the database, and it's
           accessible in $row['email'].
           So now you can do as you please.  For example: */
        echo "The user already exists ding ding ding.\n";

    } else { // If there was no matching record....

        // Insert new entry in the database if entry submitted

        $emailAddress = $_POST['emailAddress'];
        $confEmail = $_POST['confEmail'];
        $password = $_POST['password'];
        $confPassword = $_POST['confPassword'];
        $body = "Some email text";

        // insert new entry into database --- REMEMBER TO SANITIZE USER INPUT HERE!
        $sql  = "insert into `owners` (emailAddress, confEmail, password, confPassword) VALUES (";
        $sql .= "'".mysql_real_escape_string($emailAddress)."',";
        $sql .= "'".mysql_real_escape_string($confEmail)."',";
        $sql .= "'".mysql_real_escape_string($password)."',";
        $sql .= "'".mysql_real_escape_string($confPassword)."')";

        if(mysql_query($sql)) {
            mail($emailAddress, "Thank you for registering!", $body,
                 "From: someone@xxxxxxxxxxx");
            header("Location: thankYou.php");
        } else {

            /* If there's an error, don't show this to the user - log it
               with a simple log mechanism instead. */
            $err = mysql_error();
            // Store the log out of the web directory.
            $logfile = dirname(dirname(__FILE__)).'/php_includes/sqlerror.log';

            // The following line writes the current file, line, SQL
            // query, and error message received.
            $message  = "SQL Error in ".__FILE__." near line #".__LINE__.": \"".$sql."\" (".$err.")\n";

            // Append the entry to the log; if the file doesn't exist, create it.
            file_put_contents($logfile, $message, FILE_APPEND);

            // Output an error message to the user.
            echo "We're sorry.  We're experiencing temporary issues with our database.  We are working to repair this problem.\n";
        }
    } // And thus ends the else block (no matching record)
} // And thus ends the if(isset($_POST['submit'])) block
?>

    There are a bunch of different styles, methods, and options, which
would take days to discuss.... but this should get you going on the
right path.  From here on, RTFM and STFW, and feel free to ask any
questions here that you could find answers to on the web.

    Good luck!

-- 
</Daniel P. Brown>
daniel.brown@xxxxxxxxxxxx || danbrown@xxxxxxx
http://www.parasane.net/ || http://www.pilotpig.net/
Unadvertised dedicated server deals, too low to print - email me to find out!

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
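The same "does this e-mail already exist, otherwise insert it" flow from the reply above, written as an added example (not code from the original post) using PDO prepared statements in place of string concatenation with mysql_real_escape_string(), and storing a password hash rather than the plaintext password. It keeps the post's table and column names (`owners`, emailAddress, password); the DSN credentials are placeholders, and it assumes a UNIQUE index on emailAddress.

```php
<?php
// Added example, not from the original post. Assumes a MySQL table
// `owners` with columns emailAddress (UNIQUE) and password.

function connectDb(): PDO {
    // Placeholder credentials: replace with values from a file kept
    // outside the web root, as the reply above recommends.
    $dsn = 'mysql:host=localhost;dbname=DBNAME_PLACEHOLDER;charset=utf8mb4';
    return new PDO($dsn, 'USER_PLACEHOLDER', 'PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw, do not fail silently
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// True when a row with this e-mail exists. The value is bound as a
// parameter, so it is never spliced into the SQL text and needs no escaping.
function ownerExists(PDO $pdo, string $email): bool {
    $stmt = $pdo->prepare('SELECT 1 FROM `owners` WHERE emailAddress = ? LIMIT 1');
    $stmt->execute([$email]);
    return $stmt->fetchColumn() !== false;
}

// Inserts the owner with a hashed password. Returns false if the e-mail is
// already taken; the UNIQUE index (assumed) makes this hold even when two
// requests pass ownerExists() at the same moment.
function registerOwner(PDO $pdo, string $email, string $password): bool {
    if (ownerExists($pdo, $email)) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO `owners` (emailAddress, password) VALUES (?, ?)');
    try {
        $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') { // SQLSTATE 23000: integrity constraint (duplicate key)
            return false;
        }
        throw $e; // anything else is a real error: log it, show the user a generic message
    }
    return true;
}

if (isset($_POST['submit'], $_POST['emailAddress'], $_POST['password'], $_POST['confPassword'])) {
    // Compare the confirmation fields in PHP instead of storing them.
    if ($_POST['password'] !== $_POST['confPassword']) {
        echo "Passwords do not match.\n";
    } elseif (registerOwner(connectDb(), $_POST['emailAddress'], $_POST['password'])) {
        header('Location: thankYou.php');
    } else {
        echo "The user already exists.\n";
    }
}
```

Verifying a login later is `password_verify($_POST['password'], $row['password'])` against the stored hash, which is why the hash rather than the password itself is what the table holds.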
