Untitled

<?php
session_start();
switch (@$_POST['Button'])
{
  case "Log in":
  include("rmb.php");
    $cxn = mysqli_connect($host,$user,$password,$dbase)
             or die("Query died: connect");
    $sql = "SELECT username FROM user
              WHERE username='$_POST[fusername]'";
    $result = mysqli_query($cxn,$sql)
                or die("Query died: fusername ");
                //.mysqli_error($cxn));
    $num = mysqli_num_rows($result);
    if($num > 0)  //login name was found
    {
      $sql = "SELECT username FROM user
              WHERE username='{$_POST['fusername']}'
              AND password='".md5($_POST['password'])."'";
      $result2 = mysqli_query($cxn,$sql)
                   or die(mysqli_error($cxn));
      $num2 = mysqli_num_rows($result2);
      if($num2 > 0)  //password matches
      {
        //include("rmb.php");
    //$cxn = mysqli_connect($host,$user,$password,$dbase)
    //or die("Query died: connect");
        $_SESSION['auth']="yes";
        $_SESSION['logname'] = $_POST['fusername'];
        $sql = "INSERT INTO login (username,logintime)
                VALUES( '" . $_SESSION [ 'logname' ] . "', NOW() )";
                //VALUES ($_SESSION[logname],NOW())";
        $result = mysqli_query($cxn,$sql) or die(mysqli_error($cxn));
        header('Location: home.php');
      }
      else  // password does not match
        {
        $message_1="The Login Name, '$_POST[fusername]'
                exists, but you have not entered the
                correct password! Please try again.";
        $fusername = strip_tags(trim($_POST['fusername']));
        include("form.php");
      }
    }
    else  // login name not found
    {
      $message_1 = "The User Name you entered does not
                    exist! Please try again.";
      include("form.php");
    }
  break;

  case "Register":
   /* Check for blanks */
    foreach($_POST as $field => $value)
    {
        if(empty($value))
        {
          $blanks[] = $field;
        }
        else
        {
          $good_data[$field] = strip_tags(trim($value));
        }
    }
    if(isset($blanks))
    {
      $message_2 = "The following fields are blank.
            Please enter the required information:  ";
      foreach($blanks as $value)
      {
        $message_2 .="$value, ";
      }
      extract($good_data);
      include("form.php");
      exit();
    }
  /* validate data */
    foreach($_POST as $field => $value)
    {
      if(!empty($value))
      {
        if(preg_match("/name/i",$field) and
          !preg_match("/user/i",$field) and
          !preg_match("/log/i",$field))
        {
          if (!preg_match("/^[A-Za-z' -]{1,50}$/",$value))
          {
             $errors[] = "$value is not a valid name. ";
          }
        }
        if(preg_match("/street/i",$field) or
           preg_match("/addr/i",$field) or
           preg_match("/city/i",$field))
        {
          if(!preg_match("/^[A-Za-z0-9.,' -]{1,50}$/",
                          $value))
          {
            $errors[] = "$value is not a valid address
                          or city.";
          }
        }
        if(preg_match("/state/i",$field))
        {
          if(!preg_match("/^[A-Z][A-Z]$/",$value))
          {
            $errors[] = "$value is not a valid state code.";
          }
        }
        if(preg_match("/email/i",$field))
        {
          if(!preg_match("/^.+@.+\\..+$/",$value))
          {
            $errors[]="$value is not a valid email address.";
          }
        }
        if(preg_match("/zip/i",$field))
        {
          if(!preg_match("/^[0-9]{5}(\-[0-9]{4})?$/",$value))
          {
            $errors[] = "$value is not a valid zipcode. ";
          }
        }
        if(preg_match("/phone/i",$field) or
           preg_match("/fax/i",$field))
        {
          if(!preg_match("/^[0-9)(xX -]{7,20}$/",$value))
          {
            $errors[]="$value is not a valid phone number.";
          }
        }
      } // end if not empty
    }
    foreach($_POST as $field => $value)
    {
      $$field = strip_tags(trim($value));
    }
    if(@is_array($errors))
    {
      $message_2 = "";
      foreach($errors as $value)
      {
        $message_2 .= $value." Please try again<br />";
      }
      include("form.php");
      exit();
    } // end if errors are found

   /* check to see if user name already exists */
    include("rmb.php");
    $cxn = mysqli_connect($host,$user,$password,$dbase)
             or die("Couldn't connect to server");
    $sql = "SELECT username FROM user
                WHERE username='$username'";
    $result = mysqli_query($cxn,$sql)
                or die("Query died: username.");
    $num = mysqli_num_rows($result);
    if($num > 0)
    {
      $message_2 = "$username already used. Select
                       another User Name.";
      include("form.php");
      exit();
    } // end if user name already exists
    else // Add new user to database
    {
      $sql = "INSERT INTO user (username,password,firstName,lastName,email)
        VALUES ('$username',md5('$password'),
               '$firstName', '$lastName','$email')";
      mysqli_query($cxn,$sql);
      $_SESSION['auth']="yes";
      $_SESSION['logname'] = $username;
      /* send email to new Customer */
      $emess = "You have successfully registered. ";
      $emess .= "Your new user name and password are: ";
      $emess .= "\n\n\t$username\n\t";
      $emess .= "$password\n\n";
      $emess .= "We appreciate your interest. \n\n";
      $emess .= "If you have any questions or problems,";
      $emess .= " email service@ourstore.com";
      $subj = "Your new customer registration";
     # $mailsend=mail("$email","$subj","$emess");
      header("Location: home.php");
    }
  break;

  default:
    include("form.php");
}
?>