It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
I have a php script which is supposed to register a user. It was working fine two weeks ago but it stopped working today after making minor changes to an unrelated part of the site. Here is the code:
<?php
$salt="mysecretsalt";
$activationkey = md5(uniqid(rand(), true));
$Firstname = $_POST['firstname'];
$Lastname = $_POST['lastname'];
$Email = $_POST['email'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
function asc2hex ($temp) {
$data = "";
$len = strlen($temp);
for ($i=0; $i<$len; $i++) $data.=sprintf("%02x",ord(substr($temp,$i,1)));
return $data;
}
$Email = stripslashes($Email);
$password = stripslashes($password);
$password2 = stripslashes($password2);
$Firstname = stripslashes($Firstname);
$Lastname = stripslashes($Lastname);
$Email = mysql_real_escape_string($Email);
$password = mysql_real_escape_string($password);
$Lastname = mysql_real_escape_string($Lastname);
$password2 = mysql_real_escape_string($password2);
$Firstname = mysql_real_escape_string($Firstname);
$password_length = strlen($password);
if($password_length > 5)
{
$password = sha1(md5($salt.$password));
$password2 = sha1(md5($salt.$password2));
$Firstname = strtolower($Firstname);
$Firstname = ucfirst($Firstname);
$Lastname = strtolower($Lastname);
$Lastname = ucfirst($Lastname);
$Email = strtolower($Email);
if ($password == $password2){
$con = mysql_connect("localhost","root","password");
if (!$con)
{
die('Could not connect. Please Contact Us: ' . mysql_error());
}
mysql_select_db("members", $con);
$email_check = mysql_query("SELECT Email FROM users WHERE Email='$Email'");
$email_count = mysql_num_rows($email_check);
if(preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*#[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $Email)) {
if ($email_count == '0') {
$Email = mysql_real_escape_string($Email);
$password = mysql_real_escape_string($password);
$Lastname = mysql_real_escape_string($Lastname);
$password2 = mysql_real_escape_string($password2);
$Firstname = mysql_real_escape_string($Firstname);
setcookie("Friendsplash", $activationkey, time()+3600);
mysql_query("INSERT INTO users (Firstname, Lastname, Email, password, activationkey) VALUES ('$Firstname', '$Lastname', '$Email', '$password', '$activationkey' )");
//$to = $Email;
//$subject = "Confirmation of Friendsplash.com Membership.";
//$message = "Welcome to our website! $Firstname $Lastname\r\rThis is a confirmation email regarding your recent request for a membership at Friendsplash.com\r\r
//To activate your account follow this confirmation link:\rhttp://localhost/html/activate.php?$activationkey
//\r\rIf you do not wish to activate this account please disregard this email.";
//$from = "postmaster#localhost";
//$headers = "From:" . $from;
//mail($to,$subject,$message,$headers);
mkdir("./usr/$Email", 0755);
echo "<meta http-equiv='REFRESH' content='0;url=confirmation.html'>";
}
else {
echo "<meta http-equiv='REFRESH' content='0;url=existing_email.html'>";
}
}
else {
echo "Please enter a valid email.<meta http-equiv='REFRESH' content='2;url=register.html'>";
}
}
else {
echo "<meta http-equiv='REFRESH' content='0;url=non-matching_passwords.html'>";
}
}
else {
echo "<meta http-equiv='REFRESH' content='15;url=short_password.html'>"; \\ Always taken here
}
}
}
}
?>
I have tried commenting out this if but it then just takes me to the if above it.
Your problem lies in the fact that you mysql_real_escape_string your data before you connect to the database. mysql_real_escape_string needs an existing database connection to do its job, if there is none, it'll return false. So all your data is false, hence your checks are failing. Read the manual page for details.
You should enable error reporting to catch such problems earlier.
error_reporting(E_ALL);
ini_set('display_errors', true);
Also, you shouldn't check the password length against the escaped value, since this may be significantly different from the value the user has entered.
Also, fail early. Don't have thousands of nested levels of if-else statements, it's unmaintainable. Rather, do something like:
if (!/* some important condition */) {
header('Location: http://example.com/error-page');
exit; // fail here
}
// business as usual
Related
I have made a registration PHP file that runs through an authentication and connects to my database that I made in phpMyAdmin. The problem is, I can put in the same username without consequence and it adds to the database, so I could put; dogs as the username and then again put the same.
How can I make it so the user is told; that username already exists choose another one.
Here's my php so far;
Also please tell me where to insert it.
<?php
require('db.php');
// If form submitted, insert values into the database.
if (isset($_POST['username'])) {
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$username = stripslashes($username);
$username = mysql_real_escape_string($username);
$email = stripslashes($email);
$email = mysql_real_escape_string($email);
$password = stripslashes($password);
$password = mysql_real_escape_string($password);
$trn_date = date("Y-m-d H:i:s");
$query = "INSERT into `users` (username, password, email, trn_date) VALUES ('$username', '".md5($password)."', '$email', '$trn_date')";
$result = mysql_query($query);
if ($result) {
echo "<div class='form'><h3>You are registered successfully.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
}
} else {
?>
You should query the database before inserting any record (user) to users table.
Try the code below:
<?php
$username = mysql_real_escape_string( $username ); //Sql injection prevention
$existance = mysql_query("SELECT username FROM users WHERE username = '" . $username . "'");
if( !$existance ){
$query = "INSERT into `users` (username, password, email, trn_date) VALUES ('$username', '".md5($password)."', '$email', '$trn_date')";
$result = mysql_query( $query );
if ( $result ) {
echo "<div class='form'><h3>You are registered successfully.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
}
else{
//unsuccessful insertion
}
} else {
//the user existed already, choose another username
}
?>
Create an if-statement where you check if $username exists in the db. If it does, throw an error. If not, continue with the code.
Note
Your code is vulnerable to SQL-injection. Read this post: How can I prevent SQL injection in PHP?
Rewriting my entire answer to a working example. I'm going to assume your post variables are the same as mine: email, password, username
<?php
$errorMessage = "";
function quote_smart($value, $handle) {
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
if (!is_numeric($value)) {
$value = "'" . mysql_real_escape_string($value, $handle) . "'";
}
return $value;
}
$email = $_POST['email'];
$password = $_POST['password'];
$username = $_POST['username'];
$email1 = $_POST['email'];
$username1 = $_POST['username'];
$password1 = $_POST['password'];
$email = htmlspecialchars($email);
$password = htmlspecialchars($password);
$username = htmlspecialchars($username);
$connect = mysql_connect("localhost","DBuser", "DBpassword");
if (!$connect) {
die(mysql_error());
}
mysql_select_db("DBName");
$results = mysql_query("SELECT * FROM users WHERE username = '$username'");
while($row = mysql_fetch_array($results)) {
$kudots = $row['username']; }
if ($kudots != ""){
$errorMessage = "Username Already Taken";
$doNothing = 1;
}
$result = mysql_query("SELECT * FROM users WHERE email = '$email'");
while($row2 = mysql_fetch_array($results)) {
$kudots2 = $row2['email']; }
if ($kudots2 != ""){
$errorMessage = "Email Already in use";
$doNothing = 1;
}
//test to see if $errorMessage is blank
//if it is, then we can go ahead with the rest of the code
//if it's not, we can display the error
if ($errorMessage == "") {
$user_name = "DBUsername";
$pass_word = "DBPassword";
$database = "DBName";
$server = "localhost";
$db_handle = mysql_connect($server, $user_name, $pass_word);
$db_found = mysql_select_db($database, $db_handle);
if ($db_found) {
$email = quote_smart($email, $db_handle);
$password = quote_smart($password, $db_handle);
$username = quote_smart($username, $db_handle);
if ($username1 == ""){
$errorMessage = "You need a username";
}
if ($password1 == ""){
$errorMessage = $errorMessage . "<br>You need a password.";
}
if (!(isset($_POST['email']))){
$errorMessage = $errorMessage . "<br>You need an email.";
}
$SQL = "SELECT * FROM users WHERE email = $email";
$result = mysql_query($SQL);
$num_rows = mysql_num_rows($result);
if ($num_rows > 0) {
$errorMessage = "email already exists";
$doNothing = 1;
}
if ($errorMessage == "") {
$SQL = "INSERT INTO users (email, username, password) VALUES ($email, $username, $password)";
$result = mysql_query($SQL);
mysql_close($db_handle);
//=================================================================================
// START THE SESSION AND PUT SOMETHING INTO THE SESSION VARIABLE CALLED login
// SEND USER TO A DIFFERENT PAGE AFTER SIGN UP
//=================================================================================
session_start();
$_SESSION['email'] = "$email1";
$_SESSION['password'] = "$password1";
header ("Location: myaccount.php");
else {
$errorMessage = "Database Not Found";
}
}
OK, now echo $errorMessage right below or above the form, to inform the user that the Email, or Username is taken. I'm pretty sure I have a duplicate function in here for the Email, but this code does work; disregard if somebody says it's vulnerable to SQL injection; this is a working EXAMPLE! If you want to do MySQL real escape string, just Google it. I had to rewrite a couple things because I don't want my full code on a public board, if for some odd reason this doesn't work; send me an eMail(canadezo121#gmail.com) and I'll send you the full page code. (Which WORKS!) This code will probably raise some concerns with other more professional coders, this example gives you a good logical viewpoint of what goes on and how it works. You can adjust it to MySQLi, PDO, etc as you get more familiar with PHP and MySQL.
1 you must verify if the username all ready exists in database (Select)
2 if not exists after you can insert the new user
I am using below code to encrypt user registration password during registration. But the problem is that I can't get login with same password again, I might be because password in DB is different and encrypted and not same as the password user enter.
<?php
if(isset($_POST['submit'])) {
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
if(!empty($firstname) && !empty($lastname) && !empty($username) && !empty($email) && !empty($password)) {
$firstname = mysqli_real_escape_string($db_connect, $firstname);
$lastname = mysqli_real_escape_string($db_connect, $lastname);
$username = mysqli_real_escape_string($db_connect, $username);
$email = mysqli_real_escape_string($db_connect, $email);
$password = mysqli_real_escape_string($db_connect, $password);
$sql = "SELECT randsalt FROM user ";
$select_randsalt_query = mysqli_query($db_connect, $sql);
if(!$select_randsalt_query) {
die("Query failed".mysqli_error($db_connect));
}
while($row = mysqli_fetch_array($select_randsalt_query)) {
$salt = $row['randsalt'];
///crypt function takes 2 parameter. one from DB
///and other from user input.
// $password = crypt($password, $salt);
}
$sql_register ="INSERT INTO user(user_firstname, user_lastname, username, user_email, user_password, user_role )";
$sql_register .="VALUES('{$firstname}', '{$lastname}', '{$username}', '{$email}', '{$password}', 'Unknown' ) ";
$query_register = mysqli_query($db_connect, $sql_register);
if(!$query_register) {
die("Query failed".mysqli_error($db_connect));
}
$message = "<h3>Your Registration has been Submitted</h3>";
} else {
$message = "<h3>You Can't leave field Empty</h3>";
}
} else {
$message = '';
}
?>
I tried to do something like this in login.php
<?php
if(isset($_POST['submit'])){
$Username = $_POST['Username'];
$Password = $_POST['Password'];
//To prevent SQL injection and store into new variable
$Username = mysqli_real_escape_string($db_connect, $Username);
$Password = mysqli_real_escape_string($db_connect, $Password);
$sql_login = "SELECT * FROM user WHERE username = '{$Username}' ";
$query_login = mysqli_query($db_connect, $sql_login);
if(!$query_login){
die("Query Failed".mysqli_error($db_connect));
}
while($row = mysqli_fetch_assoc($query_login)){
$username = $row['username'];
$user_password = $row['user_password'];
$user_firstname = $row['user_firstname'];
$user_lastname = $row['user_lastname'];
$user_email = $row['user_email'];
$user_role = $row['user_role'];
}
$Password = crypt($Password, $user_password);
///User validation
if( ($Username === $username && $Password === $user_password) && $user_role === "Admin"){
//Using session to store information from db
//Using session from right to left. Right is the variable got from db.
$_SESSION['USERNAME'] = $username;
$_SESSION['PASSWORD'] = $user_password ;
$_SESSION['FIRSTNAME'] = $user_firstname;
$_SESSION['LASTNAME'] = $user_lastname;
$_SESSION['EMAIL'] = $user_email;
$_SESSION['ROLE'] = $user_role;
header("Location: ../admin/index.php");
}else{
header("Location: ../index.php");
}
}
?>
but this is not working. Sorry people I just entered to the PHP world and don't have deep understanding.
Welcome to PHP development. Let me make your life a lot easier:
Regardless of what your tutorial/book/friend said, don't escape strings, use prepared statements instead. They're a lot easier to implement safely and your life becomes a heck of a lot easier. (If you rely on escaping, and you remember to escape 2999 out of 3000 parameters a user can control, you're still vulnerable.)
Instead of mucking about with crypt(), just use password_hash() and password_verify().
There are updated guides everywhere that can explain how to use these features better, but http://www.phptherightway.com is the one the community points to the most.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
I am switching from MySQL to MySQLi and I am upon an error which i Google and was unable to solve. The problem is with the selection (mysqli_select_db) of the database which was okay prior to the transition where i was using (mysql_select_db). Hope your can help me solve this problem.
UPDATE - MY CURRENT CODE
<?php
$submit = $_POST['submit'];
//form data
$name = mysqli_real_escape_string($_POST['name']);
$name2 = mysqli_real_escape_string($_POST['name2']);
$email = mysqli_real_escape_string($_POST['email']);
$password = mysqli_real_escape_string($_POST['password']);
$password2 = mysqli_real_escape_string($_POST['password2']);
$phone2 = mysqli_real_escape_string($_POST['phone2']);
$email2 = mysqli_real_escape_string($_POST['email2']);
$address = mysqli_real_escape_string($_POST['address']);
$address2 = mysqli_real_escape_string($_POST['address2']);
$address3 = mysqli_real_escape_string($_POST['address3']);
$address4 = mysqli_real_escape_string($_POST['address4']);
if ($submit) {
//connect database
$connect = mysqli_connect("localhost", "root", "Passw0rd", "logindb") or die ("Connection Error");
//namecheck
$namecheck = mysqli_query($connect, "SELECT * FROM users WHERE email='{$email}'");
//check for existance
if($name&&$name2&&$email&&$password&&$password2&&$phone2&&$email2&&$address&&$address2&&$address3&&$address4) {
if(strlen($password)<8) {
echo "Password must be least 8 characters";
}
if(!preg_match("#[A-Z]+#",$password)) {
echo "Password must have at least 1 upper case characters";
}
if(!preg_match("#[0-9]+#",$password)) {
echo "Password must have at least 1 number";
}
if(!preg_match("#[\W]+#",$password)) {
echo "Password must have at least 1 symbol";
}
if($_POST['password'] != $_POST['password']) {
echo "Password does not match";
}
if($_POST['email2'] == $_POST['email']) {
echo "Secondary email must not be the same as Email";
}
//encrypt password
$password = sha1($password);
$password2 = sha1($password2);
//generate random code
$random = rand(11111111,99999999);
if(isset($error)&&!empty($error)) {
implode($error);
}
else
{
//register the user
$register = mysqli_query($connect, "INSERT INTO users VALUES ('','$name','$name2','$email','$password','$password2','$phone2','$email2','$address','$address2','$address3','$address4','$random','0')");
$lastid = mysqli_insert_id($connect);
echo "<meta http-equiv='refresh' content='0; url=Activate.php?id=$lastid&code=$random'>";
die ();
}
}
}
?>
pass connection ref in 1st param in mysqli_select_db() function, try this
mysqli_select_db($connect, "logindb") or die("Selection Error");
and also in mysqli_query($connect, "query here")
UPDATE all mysqli_* functions required connection ref except result functions
Quick complete solution
<?php
$submit = $_POST['submit'];
//connect database
$connect = mysqli_connect("localhost", "root", "Passw0rd") or die ("Connection Error");
//select database
mysqli_select_db($connect, "logindb") or die("Selection Error");
//form data
$name = mysqli_real_escape_string($connect, $_POST['name']);
$name2 = mysqli_real_escape_string($connect, $_POST['name2']);
$email = mysqli_real_escape_string($connect, $_POST['email']);
$password = mysqli_real_escape_string($connect, $_POST['password']);
$password2 = mysqli_real_escape_string($connect, $_POST['password2']);
$phone2 = mysqli_real_escape_string($connect, $_POST['phone2']);
$email2 = mysqli_real_escape_string($connect, $_POST['email2']);
$address = mysqli_real_escape_string($connect, $_POST['address']);
$address2 = mysqli_real_escape_string($connect, $_POST['address2']);
$address3 = mysqli_real_escape_string($connect, $_POST['address3']);
$address4 = mysqli_real_escape_string($connect, $_POST['address4']);
if ($submit) {
//namecheck
$namecheck = mysqli_query($connect, "SELECT * FROM users WHERE email='{$email}'");
$count = mysqli_num_rows($namecheck);
if(strlen($email)<5) {
echo "Email must have at least 5 characters";
}
else
{
if($count==0) {
}
else
{
if($count==1) {
echo "User already Exists";
}
}
}
//check for existance
if($name&&$name2&&$email&&$password&&$password2&&$phone2&&$email2&&$address&&$address2&&$address3&&$address4) {
if(strlen($password)<8) {
echo "Password must be least 8 characters";
}
if(!preg_match("#[A-Z]+#",$password)) {
echo "Password must have at least 1 upper case characters";
}
if(!preg_match("#[0-9]+#",$password)) {
echo "Password must have at least 1 number";
}
if(!preg_match("#[\W]+#",$password)) {
echo "Password must have at least 1 symbol";
}
if($_POST['password'] != $_POST['password']) {
echo "Password does not match";
}
if($_POST['email2'] == $_POST['email']) {
echo "Secondary email must not be the same as Email";
}
//encrypt password
$password = sha1($password);
$password2 = sha1($password2);
//generate random code
$random = rand(11111111,99999999);
if(isset($error)&&!empty($error)) {
implode($error);
}
else
{
//register the user
$register = mysqli_query($connect, "INSERT INTO users VALUES ('','$name','$name2','$email','$password','$password2','$phone2','$email2','$address','$address2','$address3','$address4','$random','0')");
$lastid = mysqli_insert_id($connect);
echo "<meta http-equiv='refresh' content='0; url=Activate.php?id=$lastid&code=$random'>";
die ();
}
}
}
?>
You also have to write fields after table name on line 70 $register = mysqli_query($connect, "INSERT INTO users and before values VALUES ( like example below.
INSERT INTO users(username,userpass,name,email,userrole,joined,userstatus) VALUES('$username','$userpass','$name','$email','$userrole','$joined','$userstatus')
Replace you line #70 with the following one
$register = mysqli_query($connect, "INSERT INTO users(name,name2,email,password,password2,phone2,email2,address,address2,address3,address4,random,active) VALUES ('$name','$name2','$email','$password','$password2','$phone2','$email2','$address','$address2','$address3','$address4','$random','0')");
Here is the code
<?php
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$phone = $_POST['phone'];
$referral = $_POST['refer'];
$referred = false;
mysql_connect("localhost","username","password") or die (mysql_error());
mysql_select_db("database") or die ("Cannot connect to database");
$query = mysql_query("Select * from member");
while($row = mysql_fetch_array($query))
{
$table_users = $row['username'];
$table_email = $row['email'];
$table_phone = $row['phone'];
if($referral == $table_users)
{
$referred = true;
}
if($username == $table_users || $email == $table_email || $phone == $table_phone)
{
$bool = false;
}
}
if(($bool))
{
$username = mysql_real_escape_string($username);
mysql_query("INSERT INTO member (username, password, email, phone, refer) VALUES ('$username', '$password', '$email', '$phone', '$referral')");
if($referred)
{
$from="Sent from test";
$subject="New user referred.";
$message="A new user " . $username . " has been referred by " . $referral . "Please stay updated. ";
mail("mymail", $subject, $message, $from);
}
$_SESSION['login'] = true;
echo "Thank you for registering with us.You can login now to start earning.";
}
If the referral code field is left empty or it does not match any value in database it still sends
the mail. So, what is going on here? I have added some more code. I left a part of it earlier.
This statement if($referral == $table_users) doesn't look right. You have not set the $referral variable anywhere in your code.
I am trying to make a user system for my website but having some trouble with submitting it. It always submit a 0 to the database for everything. I have read on w3schools about global and local variables and I think this may be my problem but I don't know for sure.
Heres my code
<?php
$con = mysql_connect(localhost, 262096, 9201999);
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("262096", $con);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$password = $_POST['password'];
$passwordconf = $_POST['passwordconf'];
$email = $_POST['email'];
$securityq = $_POST['securityq'];
$qanswer = $_POST['qanswer'];
if(!isset($firstname) || !isset($lastname) || !isset($username) || !isset($password) || !isset($passwordconf) || !isset($email) || !isset($securityq) || !isset($qanswer))
{
echo "You did not fill out the required fields.";
}
$uname = "SELECT * FROM users WHERE username='{$username}'";
$unamequery = mysql_query($uname) or die(mysql_error());
if(mysql_num_rows($unamequery) > 0)
{
echo "The username you entered is already taken";
}
$emailfind = "SELECT * FROM users WHERE email='{$email}'";
$emailquery = mysql_query($emailfind) or die(mysql_error());
if(mysql_num_rows($emailquery) > 0)
{
echo "The email you entered is already registered";
}
if($password != $passwordconf)
{
echo "The passwords you entered do not match";
}
$regex = "/^[a-z0-9]+([_.-][a-z0-9]+)*#([a-z0-9]+([.-][a-z0-9]+)*)+.[a-z]{2,}$/i";
if(!preg_match($regex, $email))
{
echo "The email you entered is not in name#domain format";
}
else
{
$salt = mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
$hpassword = crypt($password,$salt);
$insert = "INSERT INTO users (firstname, lastname, username, password, email, securityq, qanswer, salt)
VALUES ('$firstname','$lastname','$username','$hpassword','$email','$securityq','$qanswer','$salt')";
mysql_query($insert);
if(!mysql_query($insert))
{
die('Could not submit');
}
else
{
echo "Information was submited. Please check your email for confirmation";
}
}
?>
Let me try to answer.
First of all, I agree with advice to move to PDO. mysql_* functions are deprecated. But if you wish to use it, escape every variable directly before sql due to '-symbols in your sql:
$hpassword = mysql_real_escape_string($hpassword );
As for me, the following syntax is easier to view rather than insert ... values():
$insert = "INSERT INTO `users`
SET `firstname` = '$firstname',
SET `hpassword` = '$hpassword'..."
Actually, I am trying to forgot this kind of code. I use PDO or comfortable uniDB class for simple apps.
Is it correct behaviour that it inserts user no matter errors like matching password? You should fix conditions.
Your conditions logic is wrong. You submit after if(!preg_match($regex, $email)). So if email is correct, it submits. Fix it as follows using ELSEIF
$regex = "/^[a-z0-9]+([_.-][a-z0-9]+)*#([a-z0-9]+([.-][a-z0-9]+)*)+.[a-z]{2,}$/i";
if(mysql_num_rows($emailquery) > 0){
echo "The email you entered is already registered";
}elseif($password != $passwordconf){
echo "The passwords you entered do not match";
}elseif(!preg_match($regex, $email))
{
echo "The email you entered is not in name#domain format";
}else{
// insertion code HERE
}