Login error messages

GeraintR
 
 
Posts: 21
Joined: Thu Jan 09, 2025 4:29 pm
Location: Manchester

Post by GeraintR »

I am using the standard login artifacts, and it's set up for new users to verify their email addresses to create and activate the account. It's working fine for most users, but if a potential new user leaves a gap in the user name when setting up an account, there's no error message and they are directed to go to their email account to click on the generated link. When they do this, it goes back to the account creation screen, although a record is created in the USER database, albeit with a '0' value activation code. Should the password the user creates be invalid, or if the password confirmation doesn't match the first password that's input, there is an error message. Why is no error message created if there's a gap in the user name? I'm using the standard regex for the user name, which prohibits a gap in the user name. Have I missed something simple?
Pablo
 
Posts: 24424
Joined: Sun Mar 28, 2004 12:00 pm
Location: Europe

Post by Pablo »

Maybe there is an error in the regular expression to validate the username?
What are your settings?
What is the generated PHP code?

Post by GeraintR »

Hi, the code is below, and includes the regex code:

<?php
// Database settings, $success_page, $activated_page and session_start() are not shown in the post.
$error_message = '';
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['form_name']) && $_POST['form_name'] == 'signupform')
{
   $newusername = $_POST['username'];
   $newemail = $_POST['email'];
   $newpassword = $_POST['password'];
   $confirmpassword = $_POST['confirmpassword'];
   $newfullname = $_POST['fullname'];
   $website = $_SERVER['HTTP_HOST'];
   $script = $_SERVER['SCRIPT_NAME'];
   $timestamp = time();
   $code = md5($website.$timestamp.rand(100000, 999999));
   // Validation chain: the first failing check sets $error_message.
   if ($newpassword != $confirmpassword)
   {
      $error_message = 'Password and Confirm Password are not the same';
   }
   else
   if (!preg_match("/^[\x20-\x7E]+$/", $newusername))
   {
      $error_message = 'Username is not valid, please check and try again!';
   }
   else
   if (!preg_match("/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,}$/", $newpassword))
   {
      $error_message = 'Password is not valid, please correct';
   }
   else
   if (!preg_match("/^[\x20-\x7E]+$/", $newfullname))
   {
      $error_message = 'Fullname is not valid, please check and try again!';
   }
   else
   if (!filter_var($newemail, FILTER_VALIDATE_EMAIL))
   {
      $error_message = 'Invalid email address. Please check and try again.';
   }
   else
   if (isset($_POST['captcha'],$_SESSION['captcha']) && md5($_POST['captcha']) == $_SESSION['captcha'])
   {
      unset($_POST['captcha'],$_SESSION['captcha']);
   }
   else
   {
      $error_message = 'CAPTCHA verification failed.';
   }
   // Reject the signup if the username is already taken.
   if (empty($error_message))
   {
      $db = mysqli_connect($mysql_server, $mysql_username, $mysql_password);
      if (!$db)
      {
         // No connection handle exists here, so report the connect error.
         die('Failed to connect to database server!<br>'.mysqli_connect_error());
      }
      mysqli_select_db($db, $mysql_database) or die('Failed to select database<br>'.mysqli_error($db));
      mysqli_set_charset($db, 'utf8');
      $sql = "SELECT username FROM ".$mysql_table." WHERE username = ?";
      $stmt = mysqli_stmt_init($db);
      if (!mysqli_stmt_prepare($stmt, $sql))
      {
         die('Failed to prepare statement<br>'.mysqli_error($db));
      }
      mysqli_stmt_bind_param($stmt, 's', $newusername);
      mysqli_stmt_execute($stmt);
      $result = mysqli_stmt_get_result($stmt);
      if ($data = mysqli_fetch_array($result))
      {
         $error_message = 'Username already used. Please select another username.';
      }
      mysqli_stmt_close($stmt);
   }
   // Store the inactive account and send the activation e-mail.
   if (empty($error_message))
   {
      $crypt_pass = md5($newpassword);
      $sql = "INSERT INTO `".$mysql_table."` (`username`, `password`, `fullname`, `email`, `active`, `code`, `role`) VALUES (?, ?, ?, ?, ?, ?, ?)";
      $stmt = mysqli_stmt_init($db);
      if (!mysqli_stmt_prepare($stmt, $sql))
      {
         die('Failed to prepare statement: ' . mysqli_error($db));
      }
      $active_status = 0;
      $role = 'Member';
      mysqli_stmt_bind_param($stmt, 'sssssss', $newusername, $crypt_pass, $newfullname, $newemail, $active_status, $code, $role);
      mysqli_stmt_execute($stmt);
      mysqli_stmt_close($stmt);
      mysqli_close($db);
      $subject = 'CAWOS survey account';
      $message = 'Click on the link to activate your account';
      $message .= "\r\nUsername: ";
      $message .= $newusername;
      $message .= "\r\nPassword: ";
      $message .= $newpassword;
      $message .= "\r\n";
      // The username is placed in the link as typed, without URL encoding.
      $message .= "\r\nhttp://".$website.$script."?user=".$newusername."&code=$code";
      $header = "From: surveys@cawos.org"."\r\n";
      $header .= "Reply-To: surveys@cawos.org"."\r\n";
      $header .= "MIME-Version: 1.0"."\r\n";
      $header .= "Content-Type: text/plain; charset=utf-8"."\r\n";
      $header .= "Content-Transfer-Encoding: 8bit"."\r\n";
      $header .= "X-Mailer: PHP v".phpversion();
      mail($newemail, $subject, $message, $header);
      mail('webmaster@cawos.org', $subject, $message, $header);
      header('Location: '.$success_page);
      exit;
   }
}
else
if (isset($_GET['code']) && isset($_GET['user']))
{
   // Activation request: both 'user' and 'code' must be present in the query string.
   $db = mysqli_connect($mysql_server, $mysql_username, $mysql_password);
   if (!$db)
   {
      // No connection handle exists here, so report the connect error.
      die('Failed to connect to database server!<br>'.mysqli_connect_error());
   }
   mysqli_select_db($db, $mysql_database) or die('Failed to select database<br>'.mysqli_error($db));
   mysqli_set_charset($db, 'utf8');
   $sql = "SELECT * FROM ".$mysql_table." WHERE username = ? AND code = ?";
   $stmt = mysqli_stmt_init($db);
   if (!mysqli_stmt_prepare($stmt, $sql))
   {
      die('Failed to prepare SELECT statement<br>'.mysqli_error($db));
   }
   mysqli_stmt_bind_param($stmt, 'ss', $_GET['user'], $_GET['code']);
   mysqli_stmt_execute($stmt);
   $result = mysqli_stmt_get_result($stmt);
   if ($data = mysqli_fetch_array($result))
   {
      $update_sql = "UPDATE `".$mysql_table."` SET `active` = 1 WHERE `username` = ?";
      $update_stmt = mysqli_stmt_init($db);
      if (!mysqli_stmt_prepare($update_stmt, $update_sql))
      {
         die('Failed to prepare UPDATE statement<br>'.mysqli_error($db));
      }
      mysqli_stmt_bind_param($update_stmt, 's', $_GET['user']);
      mysqli_stmt_execute($update_stmt);
      mysqli_stmt_close($update_stmt);
   }
   else
   {
      die('User not found!');
   }
   mysqli_stmt_close($stmt);
   mysqli_close($db);
   header("refresh:5;url=".$activated_page);
   echo 'Your user account was succesfully activated. You\'ll be redirected in about 5 secs. If not, click <a href="'.$activated_page.'">here</a>.';
   exit;
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>create-survey-account</title>
<meta name="generator" content="WYSIWYG Web Builder 20 - https://www.wysiwygwebbuilder.com">
<link href="CAWOS.css" rel="stylesheet">
<link href="create-survey-account.css" rel="stylesheet">
</head>
<body>
<div id="container">
<div id="wb_Signup1" style="position:absolute;left:257px;top:363px;width:735px;height:597px;z-index:0;">
<form name="signupform" method="post" accept-charset="UTF-8" action="<?php echo basename(__FILE__); ?>" id="signupform">
<input type="hidden" name="form_name" value="signupform">
<table id="Signup1">
<tr>
<td class="header">Sign up for a CAWOS survey account</td>
</tr>
<tr>
<td class="label"><label for="fullname">Full Name</label></td>
</tr>
<tr>
<td class="row"><input class="input" name="fullname" type="text" id="fullname" value="<?php echo htmlspecialchars($newfullname); ?>"></td>
</tr>
<tr>
<td class="label"><label for="username">User Name, no gaps</label></td>
</tr>
<tr>
<td class="row"><input class="input" name="username" type="text" id="username" value="<?php echo htmlspecialchars($newusername); ?>"></td>
</tr>
<tr>
<td class="label"><label for="password">Password: ( Min length 8, at least 1 U'case letter; 1 l'case letter; 1 number)</label></td>
</tr>
<tr>
<td class="row"><input class="input" name="password" type="password" id="password"></td>
</tr>
<tr>
<td class="label"><label for="confirmpassword">Confirm Password</label></td>
</tr>
<tr>
<td class="row"><input class="input" name="confirmpassword" type="password" id="confirmpassword"></td>
</tr>
<tr>
<td class="label"><label for="email">E-mail</label></td>
</tr>
<tr>
<td class="row"><input class="input" name="email" type="text" id="email" value="<?php echo htmlspecialchars($newemail); ?>"></td>
</tr>
<tr>
<td style="text-align:left;height:34px"><img src="signup1_captcha.php" alt="" style="border-width:0;width:100px;height:34px;"></td>
</tr>
<tr>
<td class="label"><label for="captcha">Verification: input the code to confirm you're not a robot!</label></td>
</tr>
<tr>
<td class="row"><input class="input" name="captcha" type="text" id="captcha"></td>
</tr>
<tr>
<td><?php echo $error_message; ?></td>
</tr>
<tr>
<td style="text-align:center;vertical-align:bottom"><input class="button" type="submit" name="signup" value="Create Account" id="signup"></td>
</tr>
</table>
</form>
</div>
<div id="wb_Heading1" style="position:absolute;left:257px;top:59px;width:737px;height:64px;z-index:1;">
<h1 id="Heading1">Create a survey account</h1></div>
<div id="wb_Text1" style="position:absolute;left:371px;top:149px;width:508px;height:178px;z-index:2;">
<span style="color:#483D8B;font-family:'Comic Sans MS';font-size:16px;">CAWOS members can create an account to input survey data and view survey results. The system administrator will authorise new accounts. If your email address format is not accepted, please email: <a href="mailto:surveys@cawos.org">surveys@cawos.org</a><br><br>The account only requires a username, password and email address. The data is not used for any purpose beyond member access to survey data</span></div>
</div>
</body>
</html>

Post by Pablo »

/^[\x20-\x7E]+$/
is not the default regular expression, so that is most likely why it does not work as expected.
Your regular expression actually does allow spaces, because \x20 is the space character in ASCII.

The default is
/^[A-Za-z0-9-_!@$ ]{1,50}$/

Post by GeraintR »

Thanks Pablo,
I don't know where the regex I had came from. I had no reason to use anything other than the default, but that was a couple of years back. We don't have many users inputting data, and when this problem arose I got them to enter a user name without gaps. What was interesting is that the regex you copied to me below also permits a space because of the gap between the $ and the closing bracket, and I didn't spot it, so I got the problem again when I uploaded it! Having uploaded a regex that doesn't permit a space, the expected error message appears.
Regards, Geraint

Post by Pablo »

The default regular expression does not allow spaces and should display an error when it does not validate (as you can see in the code).
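
Added example, not part of any post in this thread and not WYSIWYG Web Builder's own code: it runs the two username patterns exactly as they are printed in the thread, plus a stricter variant that is an assumption, against constructed usernames, and then prints the activation link built by raw concatenation (as in the posted signup code) next to an encoded one. The helper names `accepts` and `activation_link`, the host, script path, code value and sample usernames are made up for illustration.

```php
<?php
// Added example; usernames, host, script path and code value are constructed.

// The two patterns printed in the thread, plus a stricter variant (assumption).
$patterns = [
    'posted'   => '/^[\x20-\x7E]+$/',             // range starts at \x20, the space
    'quoted'   => '/^[A-Za-z0-9-_!@$ ]{1,50}$/',  // literal space before the ]
    'no_space' => '/^[A-Za-z0-9_!@$-]{1,50}\z/',  // no space; \z also rejects "name\n"
];

$samples = ['jsmith', 'j smith', ' jsmith', "jsmith\n"];

// True when preg_match() reports a match for this pattern.
function accepts(string $pattern, string $username): bool
{
    return preg_match($pattern, $username) === 1;
}

// Activation link with both query values URL-encoded (hypothetical helper).
function activation_link(string $host, string $script, string $user, string $code): string
{
    $query = http_build_query(['user' => $user, 'code' => $code]);
    return 'http://' . $host . $script . '?' . $query;
}

foreach ($patterns as $name => $pattern) {
    foreach ($samples as $username) {
        $verdict = accepts($pattern, $username) ? 'accepted' : 'rejected';
        printf("%-8s %-11s %s\n", $name, json_encode($username), $verdict);
    }
}

// Raw concatenation, as in the posted signup code: the space ends up in the URL,
// and a plain-text mail client typically ends the clickable link at that space.
$host = 'example.org';
$script = '/signup.php';
$code = '0123456789abcdef0123456789abcdef';
echo 'http://' . $host . $script . '?user=' . 'j smith' . '&code=' . $code, "\n";

// Encoded: the space becomes "+", so the link stays in one piece and
// $_GET['user'] still decodes to "j smith" on the server.
echo activation_link($host, $script, 'j smith', $code), "\n";
```

Without the `D` modifier or `\z`, a pattern ending in `$` also accepts a username with one trailing newline, which is why the stricter variant ends in `\z`.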