
registration errors bug

a guest
Mar 5th, 2011
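  <?php
  /**
   * Registration page handler.
   *
   * Validates the posted sign-up form (username, email, password, invite code,
   * Terms of Service checkbox), creates the user row, e-mails an activation
   * link and populates the session. When validation fails, the messages
   * collected in $errors are printed by the form markup further down the page.
   */
  require_once ('../includes/config.inc.php');
  $currentpg = 'register';
  $page_title = 'Register';
  $formWidth1 = '340px';
  $bodyId = 'blueBackground';

  include('../includes/default_header.inc');

  if (!function_exists('register_run_statement')) {
      /**
       * Prepare and execute one SQL statement with every value bound as a
       * string parameter, so request data never becomes part of the SQL text.
       *
       * @param mysqli $dbc    open database connection
       * @param string $sql    statement text using ? placeholders
       * @param array  $params values for the placeholders, in order
       * @return mysqli_stmt|false the executed statement (caller closes it), or
       *                           false after the failure was reported through
       *                           trigger_error()
       */
      function register_run_statement($dbc, $sql, array $params)
      {
          $stmt = mysqli_prepare($dbc, $sql);
          if ($stmt === false) {
              // $sql holds placeholders only, so no submitted value reaches the log.
              trigger_error("Query: $sql\n<br />MySQL Error: " . mysqli_error($dbc));
              return false;
          }

          if (count($params) > 0) {
              // mysqli_stmt_bind_param() takes its values by reference.
              $bindArgs = array($stmt, str_repeat('s', count($params)));
              foreach (array_keys($params) as $key) {
                  $bindArgs[] = &$params[$key];
              }
              call_user_func_array('mysqli_stmt_bind_param', $bindArgs);
          }

          if (!mysqli_stmt_execute($stmt)) {
              trigger_error("Query: $sql\n<br />MySQL Error: " . mysqli_stmt_error($stmt));
              mysqli_stmt_close($stmt);
              return false;
          }

          return $stmt;
      }
  }

  // Handle the form only when it was submitted.
  if (isset($_POST['submitted'])) {

      require_once (MYSQL); // provides the database connection in $dbc

      $errors = array();   // messages printed above the form when validation fails
      $dbFailure = FALSE;  // set when a lookup query could not be run

      // Read only the expected fields, and only when they are plain strings:
      // a request can send any field as an array, which trim() cannot handle.
      $trimmed = array();
      foreach (array('username', 'email', 'password1', 'password2', 'invitecode') as $field) {
          $trimmed[$field] = (isset($_POST[$field]) && is_string($_POST[$field])) ? trim($_POST[$field]) : '';
      }

      $spacelessUn = str_replace(' ', '', $trimmed['username']);

      // Assume every entry is invalid until it passes its check.
      $un = $e = $p = $ic = FALSE; // $un = username, $e = email, $p = password, $ic = invite code

      // Validate the username.
      if (preg_match('/^[A-Z \'.-]{2,20}$/i', $spacelessUn)) {
          // Stored through a bound parameter, so no SQL escaping is applied here
          // (escaping would also put a backslash into the "Hey ..." e-mail greeting).
          $un = $spacelessUn;
      } else {
          $errors[] = '<span>Please enter a valid Username.</span>';
      }

      // Validate the email.
      if (preg_match('/^[\w.-]+@[\w.-]+\.[A-Za-z]{2,6}$/', $trimmed['email'])) {
          $e = strtolower($trimmed['email']);

          // Ensure that the email is not currently in use.
          // NOTE(review): this message lets a visitor test whether an address is
          // registered; acceptable only if that disclosure is intended.
          $stmt = register_run_statement($dbc, 'SELECT user_id FROM users WHERE email = ?', array($e));
          if ($stmt === false) {
              $e = FALSE;
              $dbFailure = TRUE;
          } else {
              mysqli_stmt_store_result($stmt);
              if (mysqli_stmt_num_rows($stmt) > 0) { // the email is already registered
                  $e = FALSE;
                  $errors[] = '<span>That email is currently registered</span>';
              }
              mysqli_stmt_close($stmt);
          }
      } else { // the email is not valid
          $errors[] = '<span>Please enter a valid Email.</span>';
      }

      // Validate the password.
      // NOTE(review): the policy is 4-20 word characters, which is weak; raising
      // it has to be coordinated with whatever else validates passwords.
      if (preg_match('/^\w{4,20}$/', $trimmed['password1'])) {
          // Strict comparison: with ==, two numeric-looking strings such as
          // "1000" and "1e03" compare equal.
          if ($trimmed['password1'] === $trimmed['password2']) {
              $p = $trimmed['password1'];
          } else {
              $errors[] = '<span>Your passwords do not match!</span>';
          }
      } else {
          $errors[] = '<span>Please enter a valid Password.</span>';
      }

      // Validate the invite code.
      if (preg_match('/^\w{4,20}$/', $trimmed['invitecode'])) {
          $ic = $trimmed['invitecode'];

          // Verify that the invite code exists.
          // NOTE(review): only the existence of the row is checked; total_invites
          // is never compared with 0 here - confirm how exhausted codes are retired.
          $stmt = register_run_statement($dbc, 'SELECT total_invites FROM invites WHERE code = ?', array($ic));
          if ($stmt === false) {
              $ic = FALSE;
              $dbFailure = TRUE;
          } else {
              mysqli_stmt_store_result($stmt);
              if (mysqli_stmt_num_rows($stmt) == 0) { // no such invite code
                  $ic = FALSE;
                  $errors[] = '<span>That invite code is no longer valid.</span>';
              }
              mysqli_stmt_close($stmt);
          }
      } else { // the invite code was not entered or is malformed
          $errors[] = '<span>Please enter your invite code.</span>';
      }

      if (!isset($_POST['tosagree']) || $_POST['tosagree'] !== 'agreed') { // the user did not agree to the ToS
          $errors[] = '<span>Please agree to the Terms of Service.</span>';
      }

      if ($dbFailure) {
          $errors[] = '<span>I am sorry. You could not be registered because of a system error. Please try again later.</span>';
      }

      // Register only when nothing was reported. Testing $errors as well as the
      // four values means a missing ToS agreement now blocks the registration.
      if (empty($errors) && $un && $e && $p && $ic) {

          // Create the email activation code (32 hex characters either way).
          // random_bytes() is unpredictable; the uniqid()/rand() form is kept only
          // for interpreters that lack it and is guessable.
          $a = function_exists('random_bytes') ? bin2hex(random_bytes(16)) : md5(uniqid(rand(), true));

          // Add the user to the database.
          // NOTE(review): unsalted SHA1 is not a password hash. Moving to
          // password_hash()/password_verify() has to be done together with the
          // login code and the width of the pass column, neither visible here.
          $q = 'INSERT INTO users (username, pass, email, activated, registration_date) VALUES (?, SHA1(?), ?, ?, NOW())';
          $stmt = register_run_statement($dbc, $q, array($un, $p, $e, $a));
          $inserted = ($stmt !== false && mysqli_stmt_affected_rows($stmt) == 1);
          if ($stmt !== false) {
              mysqli_stmt_close($stmt);
          }

          if ($inserted) { // the user was added to the database

              // Consume the invite only now, so a rejected form does not use one up.
              $stmt = register_run_statement($dbc, 'UPDATE invites SET total_invites = total_invites - 1 WHERE code = ?', array($ic));
              if ($stmt !== false) {
                  mysqli_stmt_close($stmt);
              }

              // Send the activation email.
              $body = "Hey $un,\n\nWelcome to \n\nThanks for registering. I am very excited to hear what you think of it. We are currently in Alpha testing stage so expect it to only get better!\n\nOne last thing, to finish your registration you need to confirm your email address. To activate your email address please click this link:\n\n";

              $body .= BASE_URL . 'activate.php?x=' . urlencode($e) . "&y=$a";

              $body .= "\n\nIf at any time you need help, have thoughts, or just want to talk you can email me at  . I would love to here from you! \n\nThanks and I hope you have fun learning";

              // The sender address appears redacted in this listing; the recipient
              // has already passed the email pattern above, which admits no line breaks.
              mail($trimmed['email'], 'Thanks for registering!', $body, 'From: [email protected]');

              echo '<p>Thanks for registering! Please check your email to confirm your account. If you do not see the email make sure to check your spam folder for an email from <a href="mailto:[email protected]">[email protected]</a>.</p>';

              echo '<p>Get started: <a>Home</a>, <a>Create a Test</a>, <a>My Setttings</a></p>';

              // Log the new user in.
              // NOTE(review): the session is populated before the address is
              // confirmed - check that the rest of the site enforces activation.
              $q = 'SELECT user_id, username, user_level FROM users WHERE (email=? AND pass=SHA1(?))';
              $stmt = register_run_statement($dbc, $q, array($e, $p));
              $loggedIn = FALSE;

              if ($stmt !== false) {
                  mysqli_stmt_store_result($stmt);

                  if (mysqli_stmt_num_rows($stmt) == 1) { // exactly one matching user
                      mysqli_stmt_bind_result($stmt, $userId, $userName, $userLevel);
                      mysqli_stmt_fetch($stmt);

                      // Issue a fresh session id on the privilege change.
                      if (session_id() !== '') {
                          session_regenerate_id(true);
                      }

                      // Prepared statements return native types; cast to the strings
                      // the earlier mysqli_fetch_array() version stored.
                      $row = array();
                      foreach (array('user_id' => $userId, 'username' => $userName, 'user_level' => $userLevel) as $column => $value) {
                          $row[$column] = ($value === null) ? null : (string) $value;
                      }
                      $_SESSION = $row;
                      $loggedIn = TRUE;
                  }

                  mysqli_stmt_close($stmt);
              }

              if (!$loggedIn) {
                  echo 'could not log you in!';
              }

              include('../includes/default_footer.inc');

              exit(); // Stop the page from printing the form again

          } else { // the insert did not run correctly

              echo 'I am sorry. You could not be registered because of a system error. Please try again later.';

          }

      }

      mysqli_close($dbc);

  } // end of the submitted-form handler
  ?>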
  155.  
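  <div id="formContainer">
  <form id="centeredForm" action="?" method="post">
  <p id="formTitle">Register</p>
  <?php
  // Print the validation messages collected while handling the submission.
  if (isset($_POST['submitted'])) {
      echo '<div id="formErrors">';
      if (!empty($errors)) {
          foreach ($errors as $value) {
              // The messages are fixed markup written by this page and contain no
              // request data, so they are printed as they are.
              echo "$value<br />\n";
          }
      }
      echo '</div>';
  }
  // The submitted values are echoed back into value="..." attributes below.
  // They come straight from the request, so each one is passed through
  // htmlspecialchars() with ENT_QUOTES; otherwise a quote in the input would
  // close the attribute and let the visitor's text be parsed as markup.
  ?>
  <table id="formTable">
  <tr class="rowHover"><td class="hoverPad">
  <label>Username</label>
  </td><td>
  <input type="text" class="formInput" name="username" value="<?php if (isset($spacelessUn)) echo htmlspecialchars((string) $spacelessUn, ENT_QUOTES, 'UTF-8'); ?>" >
  </td></tr>
  <tr class="rowHover"><td class="hoverPad">
  <label>Email</label>
  </td><td>
  <input type="text" class="formInput" name="email" value="<?php if (isset($trimmed['email'])) echo htmlspecialchars((string) $trimmed['email'], ENT_QUOTES, 'UTF-8'); ?>" >
  </td></tr>
  <tr class="rowHover"><td class="hoverPad">
  <label>Password</label>
  </td><td>
  <input type="password" class="formInput" name="password1">
  </td></tr>
  <tr class="rowHover"><td class="hoverPad">
  <label>Retype Password</label>
  </td><td>
  <input type="password" class="formInput" name="password2">
  </td></tr>
  <tr class="rowHover"><td class="hoverPad">
  <label>Alpha Code</label>
  </td><td>
  <input type="text" class="formInput" name="invitecode" value="<?php if (isset($trimmed['invitecode'])) echo htmlspecialchars((string) $trimmed['invitecode'], ENT_QUOTES, 'UTF-8'); ?>" >
  </td></tr>
  <tr><td>
  </td><td>
  <input type="hidden" value="TRUE" name="submitted">
  </td></tr>
  <tr><td>
  </td><td class="rowHover" id="tosRow">
  <input id="tosagreeCheck" type="checkbox" name="tosagree" value="agreed">
  <label for="tosagreeCheck">I agree to the <a>Terms of Service</a></label>
  </td>
  </tr><tr>
  <td></td>
  <td>
  <input type="submit" value="Sign Up" class="formBttn" name="submit">
  </td></tr>
  </table>
  </form>
  </div>

  <?php
  // Close the page with the shared footer.
  include('../includes/default_footer.inc');
  ?>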