[williamh26]

Hi guys i have this validation code but my email field it does not working.. can you help me please

PHP Code:

<?php

// execute script only if form has been submitted

if (array_key_exists('register', $_POST)) {

  // remove backslashes from the $_POST array



 include("mylibrary/login.php");



  // check length of username and password

  $username = trim($_POST['username']);

  $password = trim($_POST['password']);

  $email = $_POST['email'];

  // initialize error array

  $message = array();

  // check length of username

  if (strlen($username) < 6 || strlen($username) > 15) {

    $message[] = 'Username must be between 6 and 15 characters';

    }

  // validate username

  if (!ctype_alnum($username)) {

    $message[] = 'Username must consist of alphanumeric characters with no spaces';

    }

  //Validate email  eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email);

  if (!preg_match('/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}/', $email)) {

        $message[] = 'Please Insert a valid Email</span><br/>';

    }



  // check password

  if (strlen($password) < 6 || preg_match('/\s/', $password)) {

    $message[] = 'Password must be at least 6 characters with no spaces';

    }

  // check that the passwords match

  if ($password != $_POST['conf_pwd']) {

    $message[] = 'Your passwords don\'t match';

    }

  // if no errors so far, check for duplicate username

  if (!$message) {

    // connect to database as administrator



    // check for duplicate username

    $checkDuplicate = "SELECT user_id FROM users

                       WHERE username = '$username'";

    $result = mysql_query($checkDuplicate) or die(mysql_error());

    $numRows = mysql_num_rows($result);

    // if $numRows is positive, the username is already in use

    if ($numRows) {

      $message[] = "$username is already in use. Please choose another username.";

      }

    // otherwise, it's OK to insert the details in the database

    else {

      // create key

      $key = 'takeThisWith@PinchOfSalt';

      // insert details into database

      $insert = "INSERT INTO users (username, password, email)

                 VALUES ('$username', ENCODE('$password', '$key','$email'))";

      $result = mysql_query($insert) or die(mysql_error());

      if ($result) {

        $message[] = "Account created for $username";

        }

      else {

        $message[] = "There was a problem creating an account for $username";

        }

      }

    }

  }

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<title>Register user</title>

<link href="../assets/admin.css" rel="stylesheet" type="text/css" />

</head>



<body>

<h1>Register user</h1>

<?php

if (isset($message)) {

  echo '<ul class="warning">';

  foreach ($message as $item) {

    echo "<li>$item</li>";

    }

  echo '</ul>';

  }

?>

<form id="form1" name="form1" method="post" action="">

    <p>

        <label for="username">Username:</label>

        <input type="text" name="username" id="username" />

    </p>

    <p>

        <label for="email">Email:</label>

        <input type="text" name="email" id="email" />

    </p>

    <p>

        <label for="password">Password:</label>

        <input type="password" name="password" id="pwd" />

    </p>

    <p>

        <label for="conf_pwd">Confirm password:</label>

        <input type="password" name="conf_pwd" id="conf_pwd" />

    </p>

    <p>

        <input name="register" type="submit" id="register" value="Register" />

    </p>

</form>

</body>

</html>

[Nico]

Not sure what you mean with "does not work", but here are a few things:

Your regular expression isn't bad, but it's not perfect. I suggest you use PHP's built in function for that.

PHP Code:

if (!filter_var($email, FILTER_VALIDATE_EMAIL))
{
    // ...
} 

*Not* allowing characters in passwords is a bad idea. Don't discourage the users to use safer passwords.

All the hours you've spent on thinking about the security and complexity of your script are worthless unless you escape your user input before throwing it into a SQL query. For your own good, read and apply this: PHP: mysql_real_escape_string - Manual

I'd suggest moving away from the old mysql_* extension at all. It's very old, insecure, and encourages bad coding practices. Take a look at PDO and MySQLi (improved MySQL extension). They're a little more complicated, but you won't regret it.

One last thing, don't use the ENCODE() function to encode user passwords. Passwords should be hashed, and not encrypted. At no point you need to know what the original password was. Use PHP's md5() function instead.

[williamh26]

thanks for your help