Editing Register.php - cant get DOB to pass to the database

Started by nymyth, July 20, 2005, 04:32:55 AM


nymyth

Ok, here's the issue: On the register page all we wanted was Email address and Date of Birth. Also the email address would act as the user login. The DOB has 3 text boxes for MM, DD, YYYY. Also the email address and the DOB go into another table called cpg_bdays. I also put an "echo" tag to see what data is being passed when a user signs up.

So now when the user clicks submit, I see this data being passed from the echo tag:

INSERT INTO cpg_bdays (user_bday_email, bday_month, bday_day, bday_year) VALUES ('yahoo@yahoo.com', '', '', '')

The url is: www.sandbarsaturdays.com/gallery

So I know the email is being passed to the new table (cpg_bdays) but the DOB information isn't. Can anyone help me out with this? Below is the register.php code block:

<?php
define('IN_COPPERMINE', true);
define('REGISTER_PHP', true);

require('include/init.inc.php');
require('include/mailer.inc.php');

if (!$CONFIG['allow_user_registration'] || USER_ID) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);

if (defined('UDB_INTEGRATION')) udb_register_page();
// Display the disclaimer
function display_disclaimer()
{
    global $CONFIG, $PHP_SELF;
    global $lang_register_disclamer, $lang_register_php;

    starttable(-1, $lang_register_php['term_cond']);
    echo <<<EOT
        <form method="post" action="$PHP_SELF">
        <tr>
                <td class="tableb" style="padding: 10px;">

EOT;
    echo str_replace('{SITE_NAME}', $CONFIG['gallery_name'], $lang_register_disclamer);

    echo <<<EOT
                </td>
        </tr>
        <tr>
                <td colspan="2" align="center" class="tablef">
                        <input type="submit" name="agree" value="{$lang_register_php['i_agree']}" class="button">
                </td>
        </tr>
        </form>

EOT;
    endtable();
}

function input_user_info($errors = '')
{
    global $CONFIG, $PHP_SELF, $HTTP_POST_VARS;
    global $lang_register_php;

    starttable(-1, $lang_register_php['enter_info'], 2);
    echo <<<EOT
        <form method="post" action="$PHP_SELF">

EOT;

    $form_data = array(
        array('label', $lang_register_php['required_info']),
        //array('input', 'username', $lang_register_php['username'], 25),
        //array('password', 'password', $lang_register_php['password'], 25),
        //array('password', 'password_verification', $lang_register_php['password_again'], 25),
        array('input', 'email', $lang_register_php['email'], 255),
        // taken from line 80 below
        //array('input', 'website', $lang_register_php['website'], 255),
        array('bday', 'bday_month', $lang_register_php['bday_month'], 3),
        //array('input', 'bday_day', $lang_register_php['bday_day'], 2),
        //array('input', 'bday_year', $lang_register_php['bday_year'], 4),
        array('label', $lang_register_php['optional_info']),
        array('input', 'location', $lang_register_php['location'], 255),
        array('input', 'interests', $lang_register_php['interests'], 255)
        //,array('input', 'website', $lang_register_php['website'], 255),
        //array('input', 'occupation', $lang_register_php['occupation'], 255),
        );

    foreach ($form_data as $element) switch ($element[0]) {
        case 'label' :
            echo <<<EOT
        <tr>
            <td colspan="2" class="tableh2">
                        <b>{$element[1]}</b>
        </td>
        </tr>

EOT;
            break;

        case 'input' :
            if (isset($HTTP_POST_VARS[$element[1]])) {
                $value = $HTTP_POST_VARS[$element[1]];
            } else {
                $value = '';
            }
            echo <<<EOT
        <tr>
            <td width="40%" class="tableb"  height="25">
                        {$element[2]}
        </td>
        <td width="60%" class="tableb" valign="top">
                <input type="text" style="width: 100%" name="{$element[1]}" maxlength="{$element[3]}" value="$value" class="textinput">
                </td>
        </tr>

EOT;
            break;


        case 'bday' :
            echo <<<EOT
        <tr>
            <td width="40%" class="tableb"  height="25">
                        Bday
        </td>
        <td width="60%" class="tableb" valign="top">
                <input type="text" style="width: 100%" name="bday_month" maxlength="2" class="textinput" value="MM">
                <input type="text" style="width: 100%" name="bday_day" maxlength="2" class="textinput" value="DD">
                <input type="text" style="width: 100%" name="bday_year" maxlength="4" class="textinput" value="YYYY">
                </td>
        </tr>

EOT;
            break;


        case 'password' :
            echo <<<EOT
        <tr>
            <td width="40%" class="tableb"  height="25">
                        {$element[2]}
        </td>
        <td width="60%" class="tableb" valign="top">
                <input type="password" style="width: 100%" name="{$element[1]}" maxlength="{$element[3]}" value="" class="textinput">
                </td>
        </tr>

EOT;
            break;

        default:
            cpg_die(CRITICAL_ERROR, 'Invalid action for form creation ' . $element[0], __FILE__, __LINE__);
    }

    if ($errors) {
        echo <<<EOT
        <tr>
                <td colspan="2" class="tableh2" align="center">
                        <b>&#149;&nbsp;&#149;&nbsp;&#149;&nbsp;{$lang_register_php['error']}&nbsp;&#149;&nbsp;&#149;&nbsp;&#149;</b>
                </td>
        </tr>
        <tr>
                <td colspan="2" class="tableb">
                        <b><ul>$errors</ul></b>
                </td>
        </tr>

EOT;
    }
    echo <<<EOT
        <tr>
                <td colspan="2" align="center" class="tablef">
                        <input type="submit" name="submit" value="{$lang_register_php['submit']}" class="button">
                </td>
        </tr>
        </form>

EOT;
    endtable();
}

function get_post_var($var)
{
    global $HTTP_POST_VARS, $lang_errors;

    if (!isset($HTTP_POST_VARS[$var])) cpg_die(CRITICAL_ERROR, $lang_errors['param_missing'] . " ($var)", __FILE__, __LINE__);
    return trim($HTTP_POST_VARS[$var]);
}

function check_user_info(&$error)
{
    global $CONFIG, $HTTP_SERVER_VARS, $PHP_SELF;
    global $lang_register_php, $lang_register_confirm_email, $lang_continue;

    // substituted username for email
    $user_name = trim(get_post_var('email'));

    // set all passwords to the same
    // took out the following: $password = trim(get_post_var('password'));
    $password = 'password';

    // took out the following: $password_again = trim(get_post_var('password_verification'));
    $password_again = 'password';
    $email = trim(get_post_var('email'));

    // taken from line 189 below
    //$website = addslashes(get_post_var('website'));
    $website = '';

    $location = addslashes(get_post_var('location'));
    $interests = addslashes(get_post_var('interests'));

    // $website = addslashes(get_post_var('website'));
    //$website = 'www.sandbarsaturdays.com';

    // $occupation = addslashes(get_post_var('occupation'));
    $occupation = '';

    $sql = "SELECT user_id " . "FROM {$CONFIG['TABLE_USERS']} " . "WHERE user_name = '" . addslashes($user_name) . "'";
    $result = db_query($sql);

    if (mysql_num_rows($result)) {
        $error = '<li>' . $lang_register_php['err_user_exists'];
        return false;
    }
    mysql_free_result($result);

    if (strlen($user_name) < 2) $error .= '<li>' . $lang_register_php['err_uname_short'];
    if (strlen($password) < 2) $error .= '<li>' . $lang_register_php['err_password_short'];
    if ($password == $user_name) $error .= '<li>' . $lang_register_php['err_uname_pass_diff'];
    if ($password != $password_again) $error .= '<li>' . $lang_register_php['err_password_mismatch'];

    if (!eregi("^[_\.0-9a-z\-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,6}$", $email)) $error .= '<li>' . $lang_register_php['err_invalid_email'];

    if ($error != '') return false;

    if (!$CONFIG['allow_duplicate_emails_addr']) {
        $sql = "SELECT user_id " . "FROM {$CONFIG['TABLE_USERS']} " . "WHERE user_email = '" . addslashes($email) . "'";
        $result = db_query($sql);

        if (mysql_num_rows($result)) {
            $error = '<li>' . $lang_register_php['err_duplicate_email'];
            return false;
        }

        mysql_free_result($result);
    }

    if ($CONFIG['reg_requires_valid_email']) {
        $active = 'NO';
        list($usec, $sec) = explode(' ', microtime());
        $seed = (float) $sec + ((float) $usec * 100000);
        srand($seed);
        $act_key = md5(uniqid(rand(), 1));
    } else {
        $active = 'YES';
        $act_key = '';
    }

    $sql = "INSERT INTO {$CONFIG['TABLE_USERS']} " . "(user_regdate, user_active, user_actkey, user_name, user_password, user_email, user_location, user_interests, user_website, user_occupation) " . "VALUES (NOW(), '$active', '$act_key', '" . addslashes($user_name) . "', '" . addslashes($password) . "', '" . addslashes($email) . "', '$location', '$interests', '$website', '$occupation' )";
    $sql2 = "INSERT INTO cpg_bdays " . "(user_bday_email, bday_month, bday_day, bday_year) " . "VALUES ('$email', '" . addslashes($bday_month) . "', '$bday_day', '$bday_year')";
    $result = db_query($sql);
    $result2 = db_query($sql2);
    echo $sql2;
   
    if ($CONFIG['reg_requires_valid_email']) {
        $act_link = $CONFIG['ecards_more_pic_target'] . 'register.php?activate=' . $act_key;
        $template_vars = array('{SITE_NAME}' => $CONFIG['gallery_name'],
            '{USER_NAME}' => $user_name,
            '{PASSWORD}' => $password,
            '{ACT_LINK}' => $act_link
            );
        if (!cpg_mail($email, sprintf($lang_register_php['confirm_email_subject'], $CONFIG['gallery_name']), strtr($lang_register_confirm_email, $template_vars))) {
            cpg_die(CRITICAL_ERROR, $lang_register_php['failed_sending_email'], __FILE__, __LINE__);
        }
        msg_box($lang_register_php['information'], $lang_register_php['thank_you'], $lang_continue, 'index.php');
    } else {
        msg_box($lang_register_php['information'], $lang_register_php['acct_active'], $lang_continue, 'index.php');
    }

    // email notification to admin
        if ($CONFIG['reg_notify_admin_email'])
        {
        cpg_mail($CONFIG['gallery_admin_email'], sprintf($lang_register_php['notify_admin_email_subject'], $CONFIG['gallery_name']), sprintf($lang_register_php['notify_admin_email_body'], $user_name));
        }

    return true;
}

pageheader($lang_register_php['page_title']);
if (isset($HTTP_POST_VARS['agree'])) {
    input_user_info();
} elseif (isset($HTTP_POST_VARS['submit'])) {
    $errors = '';
    if (!check_user_info($errors)) {
        input_user_info($errors);
    }
} elseif (isset($HTTP_GET_VARS['activate'])) {
    $act_key = addslashes(substr($HTTP_GET_VARS['activate'], 0 , 32));
    if (strlen($act_key) != 32) cpg_die(ERROR, $lang_register_php['acct_act_failed'], __FILE__, __LINE__);

    $sql = "SELECT user_active " . "FROM {$CONFIG['TABLE_USERS']} " . "WHERE user_actkey = '$act_key' " . "LIMIT 1";
    $result = db_query($sql);
    if (!mysql_num_rows($result)) cpg_die(ERROR, $lang_register_php['acct_act_failed'], __FILE__, __LINE__);

    $row = mysql_fetch_array($result);
    mysql_free_result($result);

    if ($row['user_active'] == 'YES') cpg_die(ERROR, $lang_register_php['acct_already_act'], __FILE__, __LINE__);

    $sql = "UPDATE {$CONFIG['TABLE_USERS']} " . "SET user_active = 'YES' " . "WHERE user_actkey = '$act_key' " . "LIMIT 1";
    $result = db_query($sql);

    msg_box($lang_register_php['information'], $lang_register_php['acct_active'], $lang_continue, 'http://www.sandbarsaturdays.com');
} else {
    display_disclaimer();
}
pagefooter();
ob_end_flush();

?>

Nibbler

It doesn't work because you are using made-up variables; $bday_month does not exist unless you assign a value to it in a similar way to the code at the top of check_user_info().

nymyth


Nibbler


nymyth

Yeah, sorry Nibbler, I kinda figured it out...

    // birthday information
    $bday_month = trim(get_post_var('bday_month'));
    $bday_day = trim(get_post_var('bday_day'));
    $bday_year = trim(get_post_var('bday_year'));


Still can't believe I forgot to assign the variables...hahaha...thanks a lot......

PS: is there any way to check that a number has been placed instead of a letter in the DOB fields?

THANKS AGAIN

Peace

Nibbler


nymyth


kegobeer

if (is_numeric($variable)) {
     // is a number...
} else {
     // not a number
}


(int) makes the variable a number.  The code Nibbler posted sanitizes the variable.  Just perform a check to make sure the number is within parameters.
Do not send me a private message unless I ask for one.  Make your post public so everyone can benefit.

There are no stupid questions
But there are a LOT of inquisitive idiots
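
The check asked about above, as an added example that is not part of the thread or of Coppermine: it accepts only digit strings for the three DOB fields, then confirms the values are within range and form a real date. `validate_dob()`, its error strings and the 1900 lower bound are assumptions made for illustration; the field names are the ones used in the posted register.php.

```php
<?php
// Added example: strict validation of the three DOB fields from the thread.
// validate_dob() is a hypothetical helper, not Coppermine code.

function validate_dob(array $post, ?int $currentYear = null): array
{
    $currentYear = $currentYear ?? (int) date('Y');
    $errors = [];
    $dob = [];

    foreach (['bday_month' => 2, 'bday_day' => 2, 'bday_year' => 4] as $field => $maxLen) {
        $raw = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        // ctype_digit() accepts only 0-9; is_numeric() would also pass "1e3", "-5" and "1.5".
        if ($raw === '' || strlen($raw) > $maxLen || !ctype_digit($raw)) {
            $errors[] = "$field must be 1-$maxLen digits";
            continue;
        }
        $dob[$field] = (int) $raw;
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Range check ("within parameters"): plausible year (assumed floor of 1900),
    // then a real calendar date, which also rejects month 13 or 30 February.
    if ($dob['bday_year'] < 1900 || $dob['bday_year'] > $currentYear) {
        $errors[] = 'bday_year out of range';
    } elseif (!checkdate($dob['bday_month'], $dob['bday_day'], $dob['bday_year'])) {
        $errors[] = 'not a valid calendar date';
    }

    return $errors ? ['ok' => false, 'errors' => $errors] : ['ok' => true, 'dob' => $dob];
}

// Constructed sample submissions (not real data).
$samples = [
    ['bday_month' => '07', 'bday_day' => '20', 'bday_year' => '1980'],  // well-formed
    ['bday_month' => 'MM', 'bday_day' => 'DD', 'bday_year' => 'YYYY'],  // untouched form defaults
    ['bday_month' => '02', 'bday_day' => '30', 'bday_year' => '1999'],  // digits, but no such date
    ['bday_month' => '1e1', 'bday_day' => "5'", 'bday_year' => '1990'], // exponent form, stray quote
];
foreach ($samples as $s) {
    echo json_encode($s), ' => ', json_encode(validate_dob($s, 2005)), "\n";
}
```

Because the returned values are integers, they can be written into the cpg_bdays INSERT with `%d` placeholders, whereas the posted register.php interpolates `$bday_day` and `$bday_year` into `$sql2` as unescaped strings.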