ou8jonesy
-
Posts
5 -
Joined
-
Last visited
Posts posted by ou8jonesy
-
-
I wouldn't waste my time trying to debug this. The code is at least 10 years behind and full of much worse issues. You're riding a dead horse.
I don't even know where to start:
- The mysql_* functions are obsolete since more than a decade and will be removed in one of the next PHP versions.
- The ereg* functions are even older. They were replaced with the preg_* functions somewhere around the year 2000, I think. That's a damn long time.
- MD5? I guess it was acceptable back in the 90s, but current hardware can break this is a matter of minutes.
- You have SQL injection vulnerabilities via the password parameter.
- You have cross-site scripting vulnerabilities via $_SERVER['PHP_SELF']
- The e-mail check is ... weird. Should “0@0” really be accepted?
- The check if the e-mail address is already registered doesn't work for simultaneous requests.
I understand that this might be legacy code. Or maybe you've just used some really, really bad tutorials or books. So I'm not blaming you.
But this definitely needs an update. PHP today is very different from the PHP of the 90s.
Damn that sucks. Yes it was a Tutorial. Plus it's live and working. How do I start fresh without messing up my sql database? Or better yet where do I start?
-
Replace:
$success[header('Location: index.php')];
with:header('Location: thankyou.php');
Then create the thankyou.php page.Thanks trq for the quick reply. My question on top of that then is the ('Location: index.php') is where my users are pointed after they login. If I replace it then when logging in they would be pointed to the wrong page - correct?
-
Thanks trq for the quick reply. My question on top of that then is the ('Location: index.php') is where my users are pointed after they login. If I replace it then when logging in they would be pointed to the wrong page - correct?
-
I have this working code except I can't redirect to a thank you page when a new user registers. When they login it works without issue. I just don't know where or what to put for the registration part.
Here is my Code. Any help would be much appreciated.
<?phpinclude_once('config.php');// Reset errors and success messages$errors = array();$success = array();// Login attemptif(isset($_POST['loginSubmit']) && $_POST['loginSubmit'] == 'true'){$loginEmail = trim($_POST['email']);$loginPassword = trim($_POST['password']);if (!eregi("^[^@]{1,64}@[^@]{1,255}$", $loginEmail))$errors['loginEmail'] = 'Your email address is invalid.';if(strlen($loginPassword) < 6 || strlen($loginPassword) > 12)$errors['loginPassword'] = 'Your password must be between 6-12 characters.';if(!$errors){$query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($loginEmail) . '" AND password = MD5("' . $loginPassword . '") LIMIT 1';$result = mysql_query($query);if(mysql_num_rows($result) == 1){$user = mysql_fetch_assoc($result);$query = 'UPDATE users SET session_id = "' . session_id() . '" WHERE id = ' . $user['id'] . ' LIMIT 1';mysql_query($query);header('Location: index.php');exit;}else{$errors['login'] = 'No user was found with the details provided.';}}}// Register attemptif(isset($_POST['registerSubmit']) && $_POST['registerSubmit'] == 'true'){$registerEmail = trim($_POST['email']);$registerPassword = trim($_POST['password']);$registerConfirmPassword = trim($_POST['confirmPassword']);if (!eregi("^[^@]{1,64}@[^@]{1,255}$", $registerEmail))$errors['registerEmail'] = 'Your email address is invalid.';if(strlen($registerPassword) < 6 || strlen($registerPassword) > 12)$errors['registerPassword'] = 'Your password must be between 6-12 characters.';if($registerPassword != $registerConfirmPassword)$errors['registerConfirmPassword'] = 'Your passwords did not match.';// Check to see if we have a user registered with this email address already$query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($registerEmail) . '" LIMIT 1';$result = mysql_query($query);if(mysql_num_rows($result) == 1)$errors['registerEmail'] = 'This email address already exists.';if(!$errors){$query = 'INSERT INTO users SET email = "' . mysql_real_escape_string($registerEmail) . '",password = MD5("' . mysql_real_escape_string($registerPassword) . '"),date_registered = "' . date('Y-m-d H:i:s') . '"';if(mysql_query($query)){$success[header('Location: index.php')];}else{$errors['register'] = 'There was a problem registering you. Please check your details and try again.';}}}?>//login code<form class="box400" name="loginForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"><h2>Login</h2><?php if($errors['login']) print '<div class="invalid">' . $errors['login'] . '</div>'; ?><label for="email">Email Address</label><input type="text" name="email" value="<?php echo htmlspecialchars($loginEmail); ?>" /><?php if($errors['loginEmail']) print '<div class="invalid">' . $errors['loginEmail'] . '</div>'; ?><label for="password">Password <span class="info">6-12 chars</span></label><input type="password" name="password" value="" /><?php if($errors['loginPassword']) print '<div class="invalid">' . $errors['loginPassword'] . '</div>'; ?><label for="loginSubmit"> </label><input type="hidden" name="loginSubmit" id="loginSubmit" value="true" /><input type="submit" value="Login" /></form>//registration code<form class="box400" name="registerForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"><h2>Register</h2><?php if($success['register']) print '<div class="valid">' . $success['register'] . '</div>'; ?><?php if($errors['register']) print '<div class="invalid">' . $errors['register'] . '</div>'; ?><label for="email">Email Address</label><input type="text" name="email" value="<?php echo htmlspecialchars($registerEmail); ?>" /><?php if($errors['registerEmail']) print '<div class="invalid">' . $errors['registerEmail'] . '</div>'; ?><label for="password">Password</label><input type="password" name="password" value="" /><?php if($errors['registerPassword']) print '<div class="invalid">' . $errors['registerPassword'] . '</div>'; ?><label for="confirmPassword">Confirm Password</label><input type="password" name="confirmPassword" value="" /><?php if($errors['registerConfirmPassword']) print '<div class="invalid">' . $errors['registerConfirmPassword'] . '</div>'; ?><label for="registerSubmit"> </label><input type="hidden" name="registerSubmit" id="registerSubmit" value="true" /><input type="submit" value="Register" /></form>
Login/Registration Code Issue
in PHP Coding Help
Posted
Thanks Jacques1