Show error/success when submitting form not working

Question

I got a registration/login system on my site, and as it is right now it displays errors and success text at top of the page. I want it to display it under the form. But whenever I try to add it below the form, it's not working!

session_start();
include_once('class.register.php');
$register = new Register();

if(isset($_POST['register']))
{

if($register->process())
echo "Successfully Signed Up!";
else
$register->show_errors();
}

$token = $_SESSION['token'] = md5(uniqid(mt_rand(),true));

This works, but it outputs the text on top of the page.

I tried to put this code below the 'form' end tag:

<?php

if(isset($_POST['register']))
{

if($register->process())
echo "Successfully Signed Up!";
else
$register->show_errors();
}

?>

But when I move it down under the form then it says 'Invalid Submission', which is caused by this:

public function valid_token()
{
if(!isset($_SESSION['token']) || $this->token != $_SESSION['token'])
$this->errors[] = 'Invalid Submission';

return count($this->errors)? 0 : 1;
}

THIS IS THE FORM I AM TALKING ABOUT

 <form role="form" method="POST" action="<?php echo $_SERVER['PHP_SELF'];?>">
              <div class="form-group">

              <div class="row">
                  <div class="col-sm-6">
                  <label for="firstname">Firstname</label>
                  <input type="text" class="form-control" id="firstname" name="firstname" placeholder="Firstname">
                  </div>
                  <div class="col-sm-6">
                  <label for="surname">Surname</label>
                  <input type="text" class="form-control" id="surname" name="surname" placeholder="Surname">
                  </div>
              </div>
              </div>
              <div class="form-group">
                <label for="username">Username</label>
                <input type="text" class="form-control" id="ruser" name="ruser" placeholder="Username">
              </div>
              <div class="form-group">
                <label for="email2">Email address</label>
                <input type="email" class="form-control" id="remail" name="remail" placeholder="Enter email">
              </div>
              <div class="form-group">
                <div class="row">
                  <div class="col-sm-6">
                  <label for="password2">Password</label>
                  <input type="password" class="form-control" id="rpass" name="rpass" placeholder="Password">
                  </div>
                  <div class="col-sm-6">
                  <label for="password2">Repeat password</label>
                  <input type="password" class="form-control" id="rpass2" name="rpass2" placeholder="Password">
                  </div>
                </div>
              </div>
              <div class="checkbox">
                <label>
                  <input type="checkbox"> I agree to the <a href="#">Terms of Service</a> and <a href="#">Privacy Policy</a>
                </label>
              </div>
               <input type="hidden" name="token" value="<?php echo $token;?>"/>
              <button type="submit" name="register" class="btn btn-block btn-color btn-xxl">Create an account</button>
            </form>

Answer 1

So since the if test in the valid_token() function is failing either the token isn't in the session anymore (make sure session_start(); is still at the top of your code), or more likely $this->token != $_SESSION['token'] is the culprit.

I have a hunch that maybe you are doing this line of code out of order now:

$token = $_SESSION['token'] = md5(uniqid(mt_rand(),true));

If this line runs before your call to $register->process() then the token inside the session will be be changed before you try to match it, causing the problem in the valid_token() function.

If this is not the case, I would investigate exactly when and where $this->token gets set to make sure it is populated correctly before $register->process() happens.