Newgrounds.com — Everything, By Everyone.


Forum Topic: Validation Page problems

(150 views • 9 replies)


FallingTears


Posted at: 5/9/08 12:34 PM

FallingTears LIGHT LEVEL 11

Sign-Up: 11/13/03

Posts: 181

I'm having a problem with my validation page. My validation page validates a user account each time the link is clicked from an e-mail. My web server doesn't support the "mysql_num_rows" function, so I have been forced to use the COUNT statement. I can't seem to get it to work:

<?php

  require("connect.php");
  
  $validate_key=$_GET['validate_key'];
  
  $result = mysql_query("COUNT(*) FROM users WHERE validcode='$validate_key' AND usergroup!=1");
  
  if($result==1) {
    die('This user has already validated their account!');
  }
  
  mysql_query("UPDATE users SET usergroup=2 WHERE validcode='$validate_key';");
  
  mysql_close();
  
  echo 'Your account has been validated successfully.  You may log into it now.  In 15 seconds you will be redirected to the main page.';
  
?>

Every town has its ups and downs. Sometimes ups out-numbers the downs, but not in Nottingham.
My Website | PHP: Main | FallenSword RPG - Play online now free!


BoneIdol


Posted at: 5/9/08 01:34 PM

BoneIdol NEUTRAL LEVEL 04

Sign-Up: 08/14/06

Posts: 523

At 5/9/08 12:34 PM, FallingTears wrote: I'm having a problem with my validation page. My validation page validates a user account each time the link is clicked from an e-mail. My web server doesn't support the "mysql_num_rows" function, so I have been forced to use the COUNT statement. I can't seem to get it to work:

Wow. I've never even heard of a site that supports mysql connections but not mysql_num_rows...

Anyway, problem is that you don't get the result of the COUNT until you pass the query result through a mysql_fetch_* function. You may want to add an AS clause to the COUNT() bit to make it easier to deal with as well.

// COUNT(*) comes back as one row; fetch it and read the aliased column
$result = mysql_fetch_assoc( mysql_query("SELECT COUNT(*) AS results FROM users WHERE validcode='$validate_key' AND usergroup!=1") );
if($result['results'] == 1) {

Sufficiently advanced incompetence is indistinguishable from malice.



FallingTears


Posted at: 5/12/08 01:16 PM

FallingTears LIGHT LEVEL 11

Sign-Up: 11/13/03

Posts: 181

Thanks so much, that really helps.

FallingTears


Afro-Ninja


Posted at: 5/12/08 03:28 PM

Afro-Ninja EVIL LEVEL 35

Sign-Up: 03/02/02

Posts: 13,074

Are you trying to use mysql_num_rows with a query that includes count? If so then that won't work, because it will always return 1 row - the one row that contains the result of the count function, not the actual rows themselves.


FallingTears


Posted at: 5/12/08 03:39 PM

FallingTears LIGHT LEVEL 11

Sign-Up: 11/13/03

Posts: 181

At 5/12/08 03:28 PM, Afro-Ninja wrote: Are you trying to use mysql_num_rows with a query that includes count? If so then that won't work, because it will always return 1 row - the one row that contains the result of the count function, not the actual rows themselves.

If you'll notice, I said in my original post: "My web server doesn't support the mysql_num_rows function."

So, I solved that problem by switching servers, lol.


Afro-Ninja


Posted at: 5/12/08 08:16 PM

Afro-Ninja EVIL LEVEL 35

Sign-Up: 03/02/02

Posts: 13,074

At 5/12/08 03:39 PM, FallingTears wrote: If you'll notice, I said in my original post: "My web server doesn't support the mysql_num_rows function."

I did notice that but I had to question it anyway, because that's just silly and doesn't make sense :(


FallingTears


Posted at: 5/13/08 12:15 AM

FallingTears LIGHT LEVEL 11

Sign-Up: 11/13/03

Posts: 181

I'm still having problems with my validation page. I followed the example given in PHP Main for making a member system (except I added and changed some things). Anyways .... here is my registration code: (You'll also notice that I have absolutely no security)

<?php

require("connect.php");

$firstName=$_POST['firstName'];
$middleIn=$_POST['middle'];
$lastName=$_POST['lastName'];
$userAddress=$_POST['address'];
$userState=$_POST['state'];
$userZIP=$_POST['zip'];
$userCountry=$_POST['country'];
$year=$_POST['theyear'];
$month=$_POST['month'];
$day=$_POST['day'];
$username=$_POST['username'];
$password=$_POST['password'];
$password2=$_POST['confirmPass'];
$email=$_POST['email'];
$validate_key=md5(time()+rand(1000,9999).$username);
$message="Thank you for singing up at Tears Fall. Your user info is below:\n\n
Username: $username\n
Password: $password\n\n
Before you can log into your account, you must activate your account. Go to the url below to activate your
account:\n\n
http://tearsfall.pcriot.com/validate.php?validate_key=$validate_key\n\n
Please don't reply to this email, it's automated.";

if(empty($firstName)||empty($lastName)||empty($username)||empty($password)||empty($password2)||empty($email)) {
die('One or more fields are missing. Please return to the <a href="./registration.php">Registration</a> page.');
}

if($password!=$password2) {
die('Passwords do not match.');
}

$password=sha1($password);

if($userZIP!="") {
  if(strlen($userZIP)<5) {
    die('Please make sure your ZIP code is at least 5 digits long.');
  }
}

if($userState!="" && $userCountry=="") {
  $usercountry="USA";
}

if($month=="January"){
  $month=1;
}
elseif($month=="February") {
  $month=2;
}
elseif($month=="March") {
  $month=3;
}
elseif($month=="April") {
  $month=4;
}
elseif($month=="May") {
  $month=5;
}
elseif($month=="June") {
  $month=6;
}
elseif($month=="July") {
  $month=7;
}
elseif($month=="August") {
  $month=8;
}
elseif($month=="September") {
  $month=9;
}
elseif($month=="October") {
  $month=10;
}
elseif($month=="November") {
  $month=11;
}
elseif($month=="December") {
  $month=12;
}

$theDate = mktime(0,0,0,$month,$day,$year);

$userbirthDate = date("Y-m-d", $theDate);

$result = mysql_query("SELECT * FROM users WHERE username='$username';");
if(mysql_num_rows($result)==1) {
die("The username $username is already in use.");
}

$result = mysql_query("SELECT * FROM users WHERE email='$email';");
if (mysql_num_rows($result)==1) {
die("The e-mail address $email is already in use.");
}


mysql_query("INSERT INTO users(firstName,middleIn,lastName,userAddress,userState,userZIP,userCountry,userbirthDate,username,password,validcode,email,usergroup) VALUES('$firstName','$middleIn','$lastName','$userAddress','$userState','$userZIP','$userCountry','$userbirthDate','$username','$password','$validate_key','$email', 1);") or die(mysql_error());
mysql_close();

mail($email,"Validate Your Account",$message);

echo "Thank you for registering. You'll receive an e-mail shortly with instructions to validate your account. You will be redirected to the main page in 15 seconds.";
?>

And here is my validation code:

<?php

  require("connect.php");
  
  $validate_key=$_GET['validate_key'];
  
  $result = mysql_query("SELECT * FROM users WHERE validcode='$validate_key' AND usergroup!=1");
  
  if (mysql_num_rows($result)==1) {
    die('You have already validated your account!');
  }
  
  mysql_query("UPDATE users SET usergroup=2 WHERE validcode='$validate_key'");
  
  mysql_close();
  
  echo 'Your account has been validated successfully.  You may log into it now.  In 15 seconds you will be redirected to the main page.';
  
?>

Where have I gone wrong? *Dies*


BoneIdol


Posted at: 5/13/08 02:42 AM

BoneIdol NEUTRAL LEVEL 04

Sign-Up: 08/14/06

Posts: 523

Without any error messages or anything we can't really diagnose the problem.

You could probably streamline that a lot though. Less code is generally easier to look after. For starters, on the page that posts to this try this:

<select name="month">
  <option value="1">January</option>
  <option value="2">February</option>
  <!-- Etc. -->
</select>

That would get rid of all the if statements for month. You could alternatively use a switch/case block.

Also you see the top set of variables you set? $username = $_POST['username'] etc.? Wrap these inside of the mysql_escape_string() function. It will help prevent SQL injection.

$firstName= mysql_escape_string( $_POST['firstName'] );
$middleIn=mysql_escape_string( $_POST['middle'] );

...Actually I think I see the problem. Your dates in the database are datetimes yes?

$userbirthDate = date("Y-m-d", $theDate);

That doesn't produce a datetime formatted string. Try:

$userbirthDate = date("Y-m-d H:i:s", $theDate);

Really you just need to work out where it's failing and why; just add a few temporary echo $variables to see if everything matches what you think it should be.

Sufficiently advanced incompetence is indistinguishable from malice.



FallingTears


Posted at: 5/13/08 10:47 AM

FallingTears LIGHT LEVEL 11

Sign-Up: 11/13/03

Posts: 181

At 5/13/08 02:42 AM, BoneIdol wrote: You could probably streamline that a lot though. Less code is generally easier to look after. For starters, on the page that posts to this try this:

<select name="month">
<option value="1">January</option>
<option value="2">February</option>
<!-- Etc. -->
</select>

You know, I didn't think of that before. You'd think with the experience I have with programming I would realize something as simple as that. The good thing is .... after this happens once ... you never need to be told again.

Also you see the top set of variables you set? $username = $_POST['username'] etc.? Wrap these inside of the mysql_escape_string() function. It will help prevent SQL injection.

I'll definitely take care of that problem. Does the mysql_escape_string() change any of the data that's actually sent to the database? Does it change my log in script? Thanks again.

...Actually I think I see the problem. Your dates in the database are datetimes yes?

$userbirthDate = date("Y-m-d", $theDate);

No, actually, I'm just using the general date format: YYYY-mm-dd (if that makes sense).


BoneIdol


Posted at: 5/13/08 11:00 AM

BoneIdol NEUTRAL LEVEL 04

Sign-Up: 08/14/06

Posts: 523

mysql_escape_string() works by adding \s in front of potentially harmful characters like quotes. When MySQL's SQL parser encounters a \, it knows to ignore any side effects of the next character.

If you want to add a \ without escaping something, put "\\" without the quotes. The first \ escapes the second one.

PHP supports \ escaping as well.

$foo = 'I'm escaping the 's in this string';
$bar = 'I\'m escaping the \'s in this string';

$foo will generate parse errors while $bar will not. With double quotes you can use \ to escape dollar signs too.

$string = 'Rawr!';
$foo = "I like using the variable name $string";
$bar = "I like using the variable name \$string";

$foo will output "I like using the variable name Rawr!" whereas $bar will output "I like using the variable name $string".

Sufficiently advanced incompetence is indistinguishable from malice.
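
An added example, not code from any poster in this thread: it covers both the SQL-injection advice above and the question of whether escaping changes what gets stored, using bound parameters in place of mysql_escape_string() and one conditional UPDATE in place of the COUNT-then-UPDATE pair. Assumptions: PHP 7+ with pdo_sqlite, an in-memory SQLite table standing in for the MySQL `users` table, and a hypothetical function name `validate_account`.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7+ with pdo_sqlite; the
// in-memory database stands in for the MySQL `users` table from the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, validcode TEXT, usergroup INTEGER)');

// Constructed sample row. The name contains a quote to show that a bound
// parameter is stored byte-for-byte, with no escaping characters added.
$key  = bin2hex(random_bytes(16));           // 32 hex chars, same shape as md5()
$name = "O'Brien";
$ins  = $pdo->prepare('INSERT INTO users (username, validcode, usergroup) VALUES (?, ?, 1)');
$ins->execute([$name, $key]);

/**
 * Activate the account that owns $key.
 * Returns 'validated', 'already' or 'invalid'. (Hypothetical helper name.)
 */
function validate_account(PDO $pdo, $key): string
{
    // Reject anything that is not a 32-character hex string before touching SQL.
    // is_string() also rejects array input such as ?validate_key[]=x.
    if (!is_string($key) || strlen($key) !== 32 || !ctype_xdigit($key)) {
        return 'invalid';
    }
    // One conditional UPDATE: it only matches a row that is still
    // unvalidated (usergroup = 1), so there is no separate check to get wrong.
    $upd = $pdo->prepare('UPDATE users SET usergroup = 2 WHERE validcode = ? AND usergroup = 1');
    $upd->execute([$key]);
    if ($upd->rowCount() === 1) {
        return 'validated';
    }
    // Nothing changed: the key is unknown or the account is already active.
    $chk = $pdo->prepare('SELECT COUNT(*) FROM users WHERE validcode = ?');
    $chk->execute([$key]);
    return ((int) $chk->fetchColumn() === 1) ? 'already' : 'invalid';
}

$stored = $pdo->query('SELECT username FROM users')->fetchColumn();
var_dump($stored === $name);                 // is the quoted name stored unchanged?
var_dump(validate_account($pdo, $key));      // first click on the e-mailed link
var_dump(validate_account($pdo, $key));      // second click on the same link
var_dump(validate_account($pdo, "abc'def")); // malformed key containing a quote
```

With MySQL the same calls work through a `mysql:` PDO DSN; only the connection line changes.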


All times are Eastern Daylight Time (GMT -4) | Current Time: 05:00 PM
