In my register,

General PHP Help
#1

how would I make it so only certain characters are allowed?

[php]<?php include "base.php"; ?>

Zeezy.com
<?php if(!empty($_POST['username']) && !empty($_POST['password'])) { $username = mysql_real_escape_string($_POST['username']); $password = md5(mysql_real_escape_string($_POST['password'])); $email = mysql_real_escape_string($_POST['email']); 
 $checkusername = mysql_query("SELECT * FROM users WHERE Username = '".$username."'");  

 if(mysql_num_rows($checkusername) == 1)  
 {  
    echo "<h1>Error</h1>";  
    echo "<p>Sorry, that username is taken. Please go back and try again.</p>";  
 }  
 else  
 {  
    $registerquery = mysql_query("INSERT INTO users (Username, Password, EmailAddress) VALUES('".$username."', '".$password."', '".$email."')");  
    if($registerquery)  
    {  
        echo "<h1>Success</h1>";  
        echo "<p>Your account was successfully created. Please <a href=\"index.php\">click here to login</a>.</p>";  
    }  
    else  
    {  
        echo "<h1>Error</h1>";  
        echo "<p>Sorry, your registration failed. Please go back and try again.</p>";  
    }  
 }

}
else
{
?>

Register

Please enter your details below to register.

<div id="login">
<form method="post" action="register.php" name="registerform" id="registerform">  
<fieldset>  
    <label for="username">Username:</label><input type="text" name="username" id="username" /><br />  
    <label for="password">Password:</label><input type="password" name="password" id="password" /><br />  
    <label for="email">Email Address:</label><input type="text" name="email" id="email" /><br />  
    <input type="submit" name="register" id="register" value="Register" />  
</fieldset>  
</form>  
</div>

<?php

}
?>

[/php]
#2

You need to use the “preg_match” function with regular-expressions (regex) to remove unwanted chars.
If you are experienced in programming PHP, then this link explains it:
http://www.linuxjournal.com/article/9585

But, if you are a beginner, look at this link first:
http://coding.smashingmagazine.com/2009/06/01/essential-guide-to-regular-expressions-tools-tutorials-and-resources/
(This link covers all aspects of pulling only what you want from inputs. There is way more info than you need there, but, if you look down the page a bit, and look at all the links, you will find what you need!)

Good luck…

#3

No, no. I have the preg_match in my register, but it doesn’t filter through. It just goes into the database no matter what. I included the wrong code there, here’s my register:

[php]<?php include "base.php"; ?>

Zeezy.com
<?php if(!empty($_POST['username']) && !empty($_POST['password'])) { $username = mysql_real_escape_string($_POST['username']); $password = md5(mysql_real_escape_string($_POST['password'])); $email = mysql_real_escape_string($_POST['email']); 
 $checkusername = mysql_query("SELECT * FROM users WHERE Username = '".$username."'");  
 if(!preg_match("!^[a-z0-9_~]{1,30}$!i", $uname))

 if ($_POST['password'] == $_POST['confirm_password']) {

}
else {
echo ‘Your passwords did not match’;
}

 if(mysql_num_rows($checkusername) == 1)  
 {  
    echo "<h1>Error</h1>";  
    echo "<p>Sorry, that username is taken. Please go back and try again.</p>";  
 }  
 else  
 {  
    $registerquery = mysql_query("INSERT INTO users (Username, Password, EmailAddress) VALUES('".$username."', '".$password."', '".$email."')");  
    if($registerquery)  
    {  
        echo "<h1>Success</h1>";  
        echo "<p>Your account was successfully created. Please <a href=\"index.php\">click here to login</a>.</p>";  
    }  
    else  
    {  
        echo "<h1>Error</h1>";  
        echo "<p>Sorry, your registration failed. Please go back and try again.</p>";  
    }  
 }

}
else
{
?>

Register

Please enter your details below to register.

<div id="login">
<form method="post" action="register.php" name="registerform" id="registerform">  
<fieldset>  
    <label for="username">Username:</label><input type="text" maxlength="32" name="username" id="username" /><br />  
    <label for="password">Password:</label><input type="password" maxlength="32" name="password" id="password" /><br />  
	<label for="password">Confirm Password:</label><input type="password" maxlength="32" name="confirm_password" id="confirm_password" /><br />  
    <label for="email">Email Address:</label><input type="text" name="email" id="email" /><br />  
    <input type="submit" name="register" id="register" value="Register" />  
</fieldset>  
</form>  
</div>

<?php

}
?>

[/php]
#4

Well, your logic flow of your code is messed up. You run a query BEFORE handling the character check.
This code:
$checkusername = mysql_query(“SELECT * FROM users WHERE Username = '”.$username."’");
if(!preg_match("!^[a-z0-9_~]{1,30}$!i", $uname))

Basically does a query and then the next line does nothing… You have an if-NOT condition and it never does
anything. So that is your error area. Normally, you would check for valid user name and THEN do the query.
Something similar to this:
[php]
// Remove unwanted characters from user name…
$username = preg_match("!^[a-z0-9_~]{1,30}$!i", $username))
// Get user data from database…
$checkusername = mysql_query(“SELECT * FROM users WHERE Username = '”.$username."’");
[/php]
You should check the user name data BEFORE the query. Also, after the query, you should check the record count to see if you actually got back data. If a user types in #@$* and that is removed from the username, it would not find anything in the query.

Hope that helps…

#5

Ok, it imserts into my database as just a “0”. I don’t want it to enter my database at all, just say “Your username contains invalid characters.”

#6

I’m sorry. I did not understand your question… I forgot preg_match will return 0 or 1 if valid or not.
So, you will have to do it this way:
[php]
if (preg_match("!^[a-z0-9_~]{1,30}$!i", $username)) {
echo “Your username contains invalid characters.”;
}else{
// Here continue with valid username and run your query…
}
[/php]

Again, sorry I mixed you up…

Sponsor our Newsletter | Privacy Policy | Terms of Service