用户注册和电子邮件激活

Question

I have the following code for registration--

<?php 
 // Connects to your Database 
 mysql_connect("my serner", "user", "password") or die(mysql_error()); 
 mysql_select_db("ec09580") or die(mysql_error()); 
 //This code runs if the form has been submitted
 if (isset($_POST['submit'])) { 
 //This makes sure they did not leave any fields blank
 if(isset($_POST['firstname']) && isset($_POST['lastname']) && isset($_POST['email']) && isset($_POST['username']) && isset($_POST['pass1']) && isset($_POST['pass2']))
           {
            $fname = $_POST['firstname'];
            $lname = $_POST['lastname'];

            $email_id = $_POST['email'];

            $username_r = $_POST['username'];
            $password_1 = $_POST['pass'];
            $password_2 = $_POST['pass2'];



 // checks if the username is in use
    if (!get_magic_quotes_gpc()) {

        $_POST['username'] = addslashes($_POST['username']);
    }
 $usercheck = $_POST['username'];
 $check = mysql_query("SELECT username FROM User WHERE username = '$usercheck'") 
or die(mysql_error());
 $check2 = mysql_num_rows($check);

 //if the name exists it gives an error
 if ($check2 != 0) {
        die('Sorry, the username '.$_POST['username'].' is already in use.');
    }
 // this makes sure both passwords entered match

    if ($_POST['pass'] != $_POST['pass2']) {
        die('Your passwords did not match. ');
    }
    // here we encrypt the password and add slashes if needed

    $_POST['pass'] = md5($_POST['pass']);

    if (!get_magic_quotes_gpc()) {
        $_POST['pass'] = addslashes($_POST['pass']);
        $_POST['username'] = addslashes($_POST['username']);
    }
}
 // now we insert it into the database
    $insert = "INSERT INTO User set FirstName='$fname', LastName='$lname',  Email='$email_id', username='$username_r', password='$password_1'";
    $add_member = mysql_query($insert);
    ?>
 <h1>Registered</h1>
 <p>Thank you, you have registered - you may now login</a>.</p>
 <?php 
 } 
 else 
 {  
 ?>
 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
 <table border="0">
 <tr><td>Firstname:</td><td>
 <input type="text" name="firstname" maxlength="60">
 </td></tr>
 <tr><td>LastName:</td><td>
 <input type="text" name="lastname" maxlength="60">
 </td></tr>
 <tr><td>Email:</td><td>
 <input type="text" name="email" maxlength="60">
 </td></tr>
 <tr><td>Username:</td><td>
 <input type="text" name="username" maxlength="60">
 </td></tr>
 <tr><td>Password:</td><td>
 <input type="password" name="pass" maxlength="10">
 </td></tr>
 <tr><td>Confirm Password:</td><td>
 <input type="password" name="pass2" maxlength="10">
 </td></tr>
 <tr><th colspan=2><input type="submit" name="submit" 
value="Register"></th></tr> </table>
 </form>
 <?php
 }
 ?> 

And for activation I have the following code--

<?php
if (isset($_GET['x'])) {
    $x = (int) $_GET['x'];
} else {
    $x = 0;
}
if (isset($_GET['y'])) {
    $y = $_GET['y'];
} else {
    $y = 0;
}
if ( ($x> 0) && (strlen($y) == 32)) {
    require_once ('mysql_connect.php');
    $query = "UPDATE User SET active=NULL WHERE (id=$x AND active='" . $y . "') LIMIT 1";  
    $result = mysql_query($query);

    if (mysql_affected_rows() == 1) {
        echo "<h3>Your account is now active. You may now log in.</h3>";
    } else {
        echo '<p><font color="red" size="+1">Your account could not be activated. Please re-check the link or contact the system administrator.</font></p>';
    }
    mysql_close();
} else {
    echo '<b>Activation link not valid!</b>';
}
?>

I keep on getting this error- -

Notice: Undefined variable: fname in /var/www/users/ec09580/project_test/r_test.php on line 87 Notice: Undefined variable: lname in /var/www/users/ec09580/project_test/r_test.php on line 87 Notice: Undefined variable: email_id in /var/www/users/ec09580/project_test/r_test.php on line 87 Notice: Undefined variable: username_r in /var/www/users/ec09580/project_test/r_test.php on line 87 Notice: Undefined variable: password_1 in /var/www/users/ec09580/project_test/r_test.php on line 87

I am confused waht to do. Can anyone please help me? Thankyou.

Answer 1

You need to move these lines:

$insert = "INSERT INTO User set FirstName='$fname', LastName='$lname',  Email='$email_id', username='$username_r', password='$password_1'";

$add_member = mysql_query($insert);

Right now they are outside the conditional that checks if those values are set. So if the form is not properly filled out, you will get those notices since those variables were not set.

To be more clear, those two lines should be moved into the following conditional:

if(isset($_POST['firstname']) && isset($_POST['lastname']) && isset($_POST['email']) && isset($_POST['username']) && isset($_POST['pass1']) && isset($_POST['pass2']))
           {
                //Your existing code here

                //And move these two lines in here also:
                $insert = "INSERT INTO User set FirstName='$fname', LastName='$lname',  Email='$email_id', username='$username_r', password='$password_1'";

                $add_member = mysql_query($insert);
           }

You need to move that code there because if any of your form values were not set, then your variables $fname, $lname, $email_id will not be set, since they are set in that conditional.

PHP will throw notices in this case when you try access a variable that is not set.

As Brad pointed out, your code is not very secure, so you shouldn't use this in a production environment. I just provided a fix for your question.

If you're just learning or doing this for school, it's somewhat ok, but it's definitely a good idea to get into the habit of preventing sql injection and validating user input.

Here is a Stack Overflow Question about preventing SQL injection that explains it a lot better than I can:

How can I prevent SQL injection in PHP?

Answer 2

Notice: Undefined ...

Errors of this type are thrown, when the instance you are using is not instantiated yet.

---

The variables you are using in the query is not instantiated on all the execution flow. So, receive that error.

This can be eliminated by using isset() to check if the variable has been set before or not.

For example:

$fname = isset($fname) ? $fname : '';