I am having a few issues with my register script for my site. First let me say that I'm still gettin the hang of php so I am looking for any tips and/or suggestions that can help me learn and improve my skills.

I will attach a full copy of my register.php script entitled register_updated.txt

The first issue I'm having is that I keep on getting the following parse error:

"Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /homepages/41/d245653625/htdocs/gaming/register.php on line 56"

The second issue I am having is that when I submit my register form nothing is saved into the database. A table is created in the database but it only fills in the auto-incr "ID" field and an empty time stamp (All zero's). Also the email is not being dispatched.

Other then the parse error I am not receiving any other kind of error. After submitting the form it looks like everything went fine but nothing is saved and the confirmation page that tells you that you will be receiving an activation email is missing the new member's username. I have been trying to get this working correctly for some time, searching all over the net and on various forms and sites looking for answers.

I look forward to any help and tips that you guys may be able to give me.

Thank You

I have attached a changed file which takes away the compile-time bug. Here are some notes to help you. Some things are preferences, not requirements, but it will help you if you follow them anyway:

1) Don't use <? . Instead, use <?php to open PHP. The second is guaranteed to be available on PHP servers, while the first is not.

2) Always quote stuff as the array key. That is, $member['cool'] instead of $member[cool]. This protects against conflicts w/ constants.

3) Use CSS and classes to change styles instead of doing it inline. When you need to make a change, you will then only need to update 1 line of code instead of dozens (or hundreds).

4) Be cautious about using " and including variables in the middle. That is to say that:

PHP Code:

echo "My best friend $user_details['best_friend']['first_name'] made $45.00."; 


will be harder to debug than:

PHP Code:

echo 'My best friend '.$user_details['best_friend']['first_name'].' made $45.00.'; 


5) Variables inside of strings can be a pain. Keep them outside (like the single-quote example above).

6) I rather doubt that your name="" variables (e.g. name='".$member['country']."') are correct. The name is not the value.

7) Tables are for data, not layouts. Visit places like http://www.csszengarden.com/ for guidance on proper layout principles.

8) An IP address is not a unique identifier for a user. Verifying that as you are doing on line 313 is bad practice. For example, AOL users are given new IPs quite frequently -- even while browsing the same site. What is one user's IP on one page call may be another user's IP on another page visit while the original user's IP is totally different on their next page call.

9) Verify data to ensure that it contains only what you want and actually meets your requirements. For example,

PHP Code:

if(!$member['pass']){
  $mes.="You must enter a username.<br />";
} 


could evaluate true if the user's pass was all zeroes. OK. Not the best example there, but what you really want to do is ensure they have entered a password. Comparing it's string length would be better.

Here's a bit better example:

PHP Code:

if(mysql_num_rows(mysql_query("SELECT id FROM members WHERE name='$member[name]'"))){ 


Doesn't actualy match what you're looking for. This query means that "UserName" and "userName" are different.

10) Make sure that you have sanitized data. If, for example, the query above is presuming to use $member['name'] as submitted by the user, then you're wide open for SQL injection. Search this forum (especially the stickies) for tips here.

11) Using mysql_num_rows on the outside of mysql_query assumes that there won't be database query errors. Better to use something like this:

PHP Code:

$sanitized_member_name = str_replace('_','\_',str_replace('%','\%',mysql_real_escape_string($member['name'])));
//Alternatively, the member name could be sanitized with
$sanitized_member_name = preg_replace('/[^a-z0-9\-]/i','',$member['name']); //allows only letters, numbers, and a dash in the username

// "LIKE" here ensures case-insensitive matching.
$member_exists = mysql_query("SELECT id FROM members WHERE name LIKE '".$sanitized_member_name."'");
if(mysql_errno() == 0) {
  if (mysql_num_rows($member_exists) > 0) {
    //User exists
  } else {
    //User does not exist
  }
} else {
  //There was a database error.
  echo 'Database error: '.mysql_error();
} 


12) You're using plain md5 without a hash for saving passwords (and other stuff). Search this forum (and the net) for information about secure password storage. Specifically search for "hash seed php password".

13) Don't kill scripts on people. That's just rude. You took all that time to write error messaging for registration errors, but then did this:

PHP Code:

mysql_query($query) or die ('Error Updating The Database...Please Contact XXXX@YYYY.com'); 


Add error trapping there and show friendly messages. Your customers will appreciate it.

14) Don't tell customers to contact support. You give them an opportunity to go elsewhere. Instead, on failure email support with the details and have someone contact them. Of course, I mean if you have the ability to do that -- you may not have their information, but you can at least tell them that customer support has been contacted and ask if they'd like to be notified when someone can help them complete whatever process they were in.

15) Last thing: Be careful about spelling errors like "charecters". Plenty of code editors will check spelling for you and that will save you headaches for when you get the spelling correct and are trying to find why $characters isn't working as expected.

Well, that should get you started! Best wishes.

I would like to thank you very much for your hard work and all of your information. I have made most of the changes you have suggested but now my form is not submitting at all into the database nor is it sending out the activation email, it just refreshes the page. I have attached a copy of the updated script titled: adjusted_update.txt

It's your name="" tags. Checking those was my number 6. Very often, input tags are styled like this:

PHP Code:

$my_variable_sanitized = sanitize($_POST['my_variable']);
echo '<input type="text" name="my_variable" value="'.$my_variable_sanitized.'" />'; 


The sanitize function is made up there, but all data should be sanitized before being sent to the browser or otherwise used for anything.

Im' sorry but I dont understand how to code that into my script...would it be possible to give me an example with my Username input on my form? also how would I get that to work with the Country and Gender selections as the value= w/e their selection is?

I'm sorry dude, but you're taking this to a whole other level: Coding it for you instead of helping you. I provided an example that should help you, copious notes, and adjusted your code already. If you're really in over your head then you should be hiring someone to do this for you -- your code will be more robust, secure, and efficient.

In case you try to do it on your own, selects must have a "selected" attribute set if they are the selected one, so an if/else will help you there. My method is to use the ternary operator, but that confuses most people.

I'm sorry I didn't mean to make it sound like I wanted you to do it for me...I will keep on playing around with it...and thank you for your help so far. But incase I wanted to hire someone to recode it so that it works how much do you think it would cost?

No problem. I'm not trying to run you off from asking question either. We all get stuck and it's nice to be able to have a little hand-holding every now and then.

Best wishes!

But incase I wanted to hire someone to recode it so that it works how much do you think it would cost?

Oh, I only read the post that came via email. As for cost, it really depends on who you get. I personally don't give hourly rates b/c then I get compared to coders who charge $2-$5 per hour. Never mind that I code 2-3 times faster than them and generate substantially higher quality code and that you'll likely get hit with quite a few change charges by them until the project exceeds what I would have charged.

The best thing is to look around (we have a marketplace forum here) and see what people quote. Always ask to see their code. You're a bit more intelligent than the average employer, so looking at the code will help you to have an idea of the value for the money. Checking out a reputation is very important too, but only with well-done comments on the performance of the individual and not simply platitudes.

Hope that helps!