ou8jonesy

New Members
  • Posts

    5
Posts posted by ou8jonesy

  1. You should take the form offline. It took me 2 minutes to find your website, and you've just invited all script kiddies to give it a try.

     

    Start by learning to use the PDO interface. This is the “new” database interface for PHP. It also supports parameterized queries as a solution to the dreaded SQL injection problem.

     

    It's also crucial that you understand the basics of web security, in particular how to prevent cross-site scripting and how to store passwords. Escape everything, including variables like $_SERVER['PHP_SELF'].

     

    This will already be a huge step forward.

    Thanks Jacques1

  2. I wouldn't waste my time trying to debug this. The code is at least 10 years behind and full of much worse issues. You're riding a dead horse.

     

    I don't even know where to start:

    • The mysql_* functions have been obsolete for more than a decade and will be removed in one of the next PHP versions.
    • The ereg* functions are even older. They were replaced with the preg_* functions somewhere around the year 2000, I think. That's a damn long time.
    • MD5? I guess it was acceptable back in the 90s, but current hardware can break this in a matter of minutes.
    • You have SQL injection vulnerabilities via the password parameter.
    • You have cross-site scripting vulnerabilities via $_SERVER['PHP_SELF']
    • The e-mail check is ... weird. Should “0@0” really be accepted?
    • The check if the e-mail address is already registered doesn't work for simultaneous requests.

    I understand that this might be legacy code. Or maybe you've just used some really, really bad tutorials or books. So I'm not blaming you.

     

    But this definitely needs an update. PHP today is very different from the PHP of the 90s.

    Damn that sucks.  Yes it was a Tutorial.  Plus it's live and working.  How do I start fresh without messing up my sql database? Or better yet where do I start?

  3. Replace:

     

    $success[header('Location: index.php')]; 
    
    with:

     

    header('Location: thankyou.php');
    
    Then create the thankyou.php page.

     

    Thanks trq for the quick reply.  My question on top of that, then: the ('Location: index.php') is where my users are pointed after they log in.  If I replace it then when logging in they would be pointed to the wrong page - correct?

  4. I have this working code except I can't redirect to a thank you page when a new user registers.  When they log in it works without issue.  I just don't know where or what to put for the registration part.

     

    Here is my Code.  Any help would be much appreciated.

     

    <?php  
    include_once('config.php');  
      
    // Reset errors and success messages  
    $errors = array();  
    $success = array();  
      
    // Login attempt  
    if(isset($_POST['loginSubmit']) && $_POST['loginSubmit'] == 'true'){  
        $loginEmail = trim($_POST['email']);  
        $loginPassword  = trim($_POST['password']);  
          
        if (!eregi("^[^@]{1,64}@[^@]{1,255}$", $loginEmail))  
            $errors['loginEmail'] = 'Your email address is invalid.';  
          
        if(strlen($loginPassword) < 6 || strlen($loginPassword) > 12)  
            $errors['loginPassword'] = 'Your password must be between 6-12 characters.';  
          
        if(!$errors){  
            $query  = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($loginEmail) . '" AND password = MD5("' . $loginPassword . '") LIMIT 1';  
            $result = mysql_query($query);  
            if(mysql_num_rows($result) == 1){  
                $user = mysql_fetch_assoc($result);  
                $query = 'UPDATE users SET session_id = "' . session_id() . '" WHERE id = ' . $user['id'] . ' LIMIT 1';  
                mysql_query($query);  
                header('Location: index.php');  
                exit;  
            }else{  
                $errors['login'] = 'No user was found with the details provided.';  
            }  
        }  
    }  
      
    // Register attempt  
    if(isset($_POST['registerSubmit']) && $_POST['registerSubmit'] == 'true'){  
        $registerEmail = trim($_POST['email']);  
        $registerPassword = trim($_POST['password']);  
        $registerConfirmPassword    = trim($_POST['confirmPassword']);  
          
        if (!eregi("^[^@]{1,64}@[^@]{1,255}$", $registerEmail))   
            $errors['registerEmail'] = 'Your email address is invalid.';  
          
        if(strlen($registerPassword) < 6 || strlen($registerPassword) > 12)     
            $errors['registerPassword'] = 'Your password must be between 6-12 characters.';  
          
        if($registerPassword != $registerConfirmPassword)  
            $errors['registerConfirmPassword'] = 'Your passwords did not match.';  
          
        // Check to see if we have a user registered with this email address already  
        $query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($registerEmail) . '" LIMIT 1';  
        $result = mysql_query($query);  
        if(mysql_num_rows($result) == 1)   
            $errors['registerEmail'] = 'This email address already exists.';  
          
        if(!$errors){  
            $query = 'INSERT INTO users SET email = "' . mysql_real_escape_string($registerEmail) . '",  
                                                                            password = MD5("' . mysql_real_escape_string($registerPassword) . '"),  
                                                                            date_registered = "' . date('Y-m-d H:i:s') . '"';  
              
            if(mysql_query($query)){  
                $success[header('Location: index.php')]; 
            }else{  
                $errors['register'] = 'There was a problem registering you. Please check your details and try again.';  
            }  
        }  
          
    }  
    ?>  
     
    //login code
     <form class="box400" name="loginForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">  
            <h2>Login</h2>  
            <?php if($errors['login']) print '<div class="invalid">' . $errors['login'] . '</div>'; ?>  
              
            <label for="email">Email Address</label>  
            <input type="text" name="email" value="<?php echo htmlspecialchars($loginEmail); ?>" />  
            <?php if($errors['loginEmail']) print '<div class="invalid">' . $errors['loginEmail'] . '</div>'; ?>  
              
            <label for="password">Password <span class="info">6-12 chars</span></label>  
            <input type="password" name="password" value="" />  
            <?php if($errors['loginPassword']) print '<div class="invalid">' . $errors['loginPassword'] . '</div>'; ?>  
              
            <label for="loginSubmit"> </label>  
            <input type="hidden" name="loginSubmit" id="loginSubmit" value="true" />  
            <input type="submit" value="Login" /> 
              </form>   
     
    //registration code
    <form class="box400" name="registerForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">  
            <h2>Register</h2>  
            <?php if($success['register']) print '<div class="valid">' . $success['register'] . '</div>'; ?>  
            <?php if($errors['register']) print '<div class="invalid">' . $errors['register'] . '</div>'; ?>  
              
            <label for="email">Email Address</label>  
            <input type="text" name="email" value="<?php echo htmlspecialchars($registerEmail); ?>" />  
            <?php if($errors['registerEmail']) print '<div class="invalid">' . $errors['registerEmail'] . '</div>'; ?>  
              
            <label for="password">Password</label>  
            <input type="password" name="password" value="" />  
            <?php if($errors['registerPassword']) print '<div class="invalid">' . $errors['registerPassword'] . '</div>'; ?>  
              
            <label for="confirmPassword">Confirm Password</label>  
            <input type="password" name="confirmPassword" value="" />  
            <?php if($errors['registerConfirmPassword']) print '<div class="invalid">' . $errors['registerConfirmPassword'] . '</div>'; ?>  
              
            <label for="registerSubmit"> </label>  
            <input type="hidden" name="registerSubmit" id="registerSubmit" value="true" />  
            <input type="submit" value="Register" />  
        </form>
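
Added example, not part of any post above and not the tutorial's code: the registration and login logic from the last post rewritten along the lines the replies recommend, with PDO prepared statements, password_hash()/password_verify() instead of MD5, and a UNIQUE constraint instead of the SELECT-then-INSERT check that fails for simultaneous requests. Assumptions: an in-memory SQLite database stands in for MySQL so the block runs offline, and the `password_hash` column and the function names `registerUser` and `checkLogin` are hypothetical.

```php
<?php
// Assumption: in-memory SQLite replaces the MySQL server so this runs offline;
// with MySQL only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
// Hypothetical schema: UNIQUE on email makes the database reject duplicates atomically.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    date_registered TEXT NOT NULL)');

function registerUser(PDO $pdo, string $email, string $password): array
{
    $errors = [];
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['registerEmail'] = 'Your email address is invalid.';
    }
    if (strlen($password) < 6) {
        $errors['registerPassword'] = 'Your password must be at least 6 characters.';
    }
    if ($errors) { return $errors; }

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash, date_registered) VALUES (?, ?, ?)');
    try {
        // password_hash() salts and stretches the password; nothing is hashed in SQL.
        $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT), date('Y-m-d H:i:s')]);
    } catch (PDOException $e) {
        if ($e->getCode() !== '23000') { throw $e; } // 23000: integrity constraint violation
        $errors['registerEmail'] = 'This email address already exists.';
    }
    return $errors;
}

function checkLogin(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch();
    return ($user && password_verify($password, $user['password_hash'])) ? (int) $user['id'] : null;
}

// Constructed sample input: a first registration, a duplicate that exercises the
// UNIQUE-constraint path, and a login whose password contains a quote character.
var_dump(registerUser($pdo, 'alice@example.com', 'hunter2pass'));
var_dump(registerUser($pdo, 'alice@example.com', 'another-pass'));
var_dump(checkLogin($pdo, 'alice@example.com', 'wrong" password'));
```

When `registerUser()` returns an empty array, the registration branch is where `header('Location: thankyou.php'); exit;` belongs, leaving the login branch's redirect to index.php untouched.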

     
