Thread: [HELP]need help with php

PHP Code:

$add_user="INSERT INTO `accounts` (`id`, `name`, `password`, `birthday`, `email`, `macs`) VALUES (NULL, $username, $password, $dob, $email, "0")" 


Should be

PHP Code:

$add_user="INSERT INTO `accounts` (`id`, `name`, `password`, `birthday`, `email`, `macs`) VALUES (NULL, '$username', '$password', $dob, '$email', '0')" 


Assuming the fields are string Values.

yea .. my bad.. i fixed it but i didnt post it here cuz i had to go..
anyways after doing what you said, the form showed up but i got these header errors.

Code:

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 38

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 39

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 40

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 41

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 42

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 50

PHP Code:

        if(($_POST['username'] == "")){header("Location: index.php?maple=register&error=nu");}
        if(($_POST['password'] == "")){header("Location: index.php?maple=register&error=np");}
        if(($_POST['passwordre'] == "")){header("Location: index.php?maple=register&error=nrp");}
        if(($_POST['email'] == "")){header("Location: index.php?maple=register&error=ne");}
        if(($_POST['dob'] == "")){header("Location: index.php?maple=register&error=ndob");}
        $username=mysql_real_escape_string($_POST['username']);
        $dob=mysql_real_escape_string($_POST['dob']);
        $email=mysql_real_escape_string($_POST['email']);
        if(($_POST['password'] == $_POST['passwordre'])){$password=sha1($_POST['password']);} else {header("Location: index.php?maple=register&pne");}
        //check for duplicate usernames...
        $user_query=mysql_query("SELECT COUNT(*) FROM `accounts` WHERE `name` = '". $_POST['username'] ."'") or die(mysql_error());
        $chkuser=mysql_fetch_array($user_query);
        if($chkuser != 0){header ("Location: index.php?maple=register&error=ue");} 


Those are lines 38-50. I remember reading in some other forum about some variable which is to be declared in my config.php which can essentially remove these header errors. Maybe if some1 can explains what these are and a guide on avoiding these errors, ill be really grateful.

And thanks alot m8. YOU have been really helpful

EDIT: And can you also tell me what ob_start(); does?

Originally Posted by RuneMan

yea .. my bad.. i fixed it but i didnt post it here cuz i had to go..
anyways after doing what you said, the form showed up but i got these header errors.

Code:

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 38

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 39

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 40

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 41

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 42

Warning: Cannot modify header information - headers already sent by (output started at C:\wamp\www\index.php:15) in C:\wamp\www\register.php on line 50

PHP Code:

        if(($_POST['username'] == "")){header("Location: index.php?maple=register&error=nu");}
        if(($_POST['password'] == "")){header("Location: index.php?maple=register&error=np");}
        if(($_POST['passwordre'] == "")){header("Location: index.php?maple=register&error=nrp");}
        if(($_POST['email'] == "")){header("Location: index.php?maple=register&error=ne");}
        if(($_POST['dob'] == "")){header("Location: index.php?maple=register&error=ndob");}
        $username=mysql_real_escape_string($_POST['username']);
        $dob=mysql_real_escape_string($_POST['dob']);
        $email=mysql_real_escape_string($_POST['email']);
        if(($_POST['password'] == $_POST['passwordre'])){$password=sha1($_POST['password']);} else {header("Location: index.php?maple=register&pne");}
        //check for duplicate usernames...
        $user_query=mysql_query("SELECT COUNT(*) FROM `accounts` WHERE `name` = '". $_POST['username'] ."'") or die(mysql_error());
        $chkuser=mysql_fetch_array($user_query);
        if($chkuser != 0){header ("Location: index.php?maple=register&error=ue");} 


Those are lines 38-50. I remember reading in some other forum about some variable which is to be declared in my config.php which can essentially remove these header errors. Maybe if some1 can explains what these are and a guide on avoiding these errors, ill be really grateful.

And thanks alot m8. YOU have been really helpful

EDIT: And can you also tell me what ob_start(); does?

Your code is a total mess; I could give you a quick fix for your problem but it would be a lot better for you (and us), if you tidy up your code.

1. The form data should be processed at the top of the page before you output any HTML. You can then send as many headers as you wish without warnings being spat out.
   
2. The mysql query lacks any quotes around the strings so it is unlikely to work. My suggestion here would be to use MySqli or PDO and take advantage of the paramatised query facilities they offer. This means you won't have to worry about escaping the data or putting it in quotes and you can declare you queries at the top of the script as constants.
   
3. The use of redirects is the correct appraoch when handling form errors, however, when formatting the errors simply have a $error variable which you set using a switch statement and output this later if required in the HTML.
   
   
   PHP Code:

       if (isset($_GET['error'])){
    $errorString = '';

    switch($_GET['error']) {
            case 'nu':
            $errorString = 'You did not enter a username';    
            break;

        case 'np':
            $errorString = 'You did not enter a password';
            break;

        case 'ndob':
            $errorString = 'You did not enter your date of birth.';
            break;

        case 'pne':
            $errorString = 'Passwords do not match.';
            break;

        case 'ue':
            $errorString = 'The username you chose already exists. Choose another one.';
            break;

        case 'suc':
            $errorString = 'Registration is successful.';
            break;
    }
    } 

   Looks a lot tidier then in the HTML:
   
   PHP Code:

   ?>
<form>
    <?php if (isset($errorString)): ?>
        <p><?php echo($errorString) ?></p>
    <?php endif; ?>
4. It is also good practice to format if statements on several lines, even if there is only one statement to be executed. This shows the reader clearly that there is a condition being tested and what is being executed:
   
   PHP Code:

   //bad
if(($_POST['username'] == "")){header("Location: index.php?maple=register&error=nu");}

// good
if(($_POST['username'] == "")) {
    header("Location: index.php?maple=register&error=nu");
} 


Trust me, when you sort out how the code looks, it is a lot easier to troubleshoot both for us and more importantly you.

MySQli = MySql Improved extension. It is an improved version of the MySql which includes the ability to execute parametrized queries and has built in support for transactions.

Your query above for example would look like this using object orientated mysqli:

PHP Code:

$mysqli = new Mysqli('host', 'user', 'pass', 'db');
$statement = $mysqli->prepare("INSERT INTO 
            `accounts` 
             (`name`, `password`, `birthday`, `email`, `macs`) 
             VALUES (?,?,?,?,?)";

$statement->bind_param('ssssi', $username, $password, $dob, $email, 0);
$statement->execute(); 


The use of paramatized queries like this, or late binding in programming speak allows the queries to become reusable; as the initial prepare statement loads the query into mysql and checks the syntax. Initial calls reuse the same query and replace the question marks with the parameters supplied. It also allows you to keep your data logically separate from the protocol (SQL) you are using to insert, update or extract those data. All round a better solution

PDO = PHP Data Objects; it is an abstract driver based API similar to but more powerful than ODBC. You specify which driver you would like with a connection string and create an instance of the PDO object and away you go.

Over the standard mysql extension, it includes built in support for transactional database engines such as Innodb and the ability to execute pre-prepared queries with a set of parameters.

PHP Code:

$pdo = new PDO('mysql:host=balh;dbname=balh', 'user', 'pass');
$prepared = $pdo->prepare('INSERT INTO table VALUES(?, ?, ?, ?, ?)');

$prepared->execute(array(1,"2",true,4,"five")); 


The question marks are replaced with the values in the array upon execution. The driver handles all the type conversions and escaping of string data for you.

IMO PDO is better than MySqli due to its simplicity and object orientated approach. In addition, PDO also provides a largely abstract API which is easily extensible so you or I could add our own drivers if need be and the task of switching from say MySql to Oracle is greatly simplified and if the SQL used in the application follows largly the SQL92 standard, it could be as simple as changing the DSN.

Although i have found that some hosts support mysqli over PDO and in this situation mysqli should be used over mysql. If your host supports neither or they are still using PHP 4, then you need to find another

Finally to your errors, they are caused because something has produced output. The calls to header produce an HTTP header which must appear before the body (HTML) of the response. If you produce any output before calling the header function it will flush the headers through to the browser and start sending the body. Any further attempts to send a header will spit out a warning which you see above. To prevent this from happening you could use an output buffer but that is a slappable offence , instead, ensure all HTML and echo appear after the logic (processing part) of your script (that includes HTML in strings - although that would not cause this).

If there are no echos, ensure you have not got any preceding spaces at the beginning of the file and that when you save the file you (if you use notepad), you save it in ANSI format rather than unicode.