
ardyandkari
Members
Posts: 502
Joined: -
Last visited: Never
Everything posted by ardyandkari
-
If you Google you will get oooooodles of info on SQL injection: how-tos, how to protect, etc.
-
thanks
-
OK... bit the bullet and am not md5ing the random number in the email. Works... sort of. Here is my code (located here: http://www.everkleen.biz/testforum/forum/verify.php):

<?php
include ('includes/dbconnect.php');
// values from the link's query string
$email = (stripslashes(htmlentities(mysql_real_escape_string($_GET['email']))));
$rand  = (stripslashes(htmlentities(mysql_real_escape_string($_GET['key']))));
$sql = "SELECT random FROM ForumUsers WHERE email='$email' AND random='$rand'";
$result = mysql_query($sql) or die ("Error in query" . mysql_error()); // this will throw an error if there is one in the sql
$num = mysql_num_rows($result);
echo "$email<br>$rand<br>$num";
if ($num != 0) {
    $finresult = (mysql_result($result));
    echo "$finresult";
    if ($key == $finresult) {
        $query = "UPDATE ForumUsers SET valid='1' WHERE email='$email'";
        $result = mysql_query($query) or die(mysql_error());
        echo "Thank you for validating your email, have a nice day!";
    } else {
        echo "Something went horribly, horribly wrong. Please <a href='mailto:[email protected]'>CLICK HERE</a> to email the administrator.";
    }
} else {
    echo "Something went horribly, horribly wrong. Please <a href='mailto:[email protected]'>CLICK HERE</a> to email the administrator.";
}
?>

Now, when I click on the link in the email it returns:

In the DB it comes up validated... wondering if it is OK to just shut off error reporting on the page and not worry about it. Tried changing mysql_result($result) to mysql_result($result, 0) but it gets this error message:

It doesn't change the validity... also tried to have mysql_result($result, 1). Throws this:

But still validates the address... kinda confused.
-
comes up "no rows"
-
bump...
-
I agree with the previous posts... if you aren't getting much for page views, it doesn't matter what ad service you go with, you won't make any money.
-
This is the query:

SELECT * FROM ForumUsers WHERE email != ''

All that it is looking for is anything that has an email that is not blank...

edit--- sorry... me stoopid... just realized what you meant... still finds one row... my email.
-
Sorry... didn't realize that single quotes and double quotes made a diff... just copied and pasted the code supplied. Sorry. Also, it shows 1 row.
-
With that code, I get the output: $num rows found. I had the script echo $num before the if statement and it showed 1.
-
But the query is going to be "SELECT * FROM ForumUsers WHERE email=" because $email echoes nothing. So, since there are no entries where email is nothing, the script is technically working right... My main question is why is $email not getting filled by the emailed link? I think that if that were to work, then everything would fall into place.
-
/\ Correct... I added echo $email; and it returns nothing... I also erased all entries in the DB just to make sure that it should work... I have a feeling that there is a problem with the formatting of the email. I am very unsure as to how that is to be done... is the email portion posted above formatted correctly?
-
Added echo $num; before the if statement... also changed to if ($num > 0) {... Page output = 0no rows
-
OK... searched on the net and found out that you should use mysql_num_rows() before doing a mysql_result(). I did that and set it to say no rows if there are no rows returned. Also noticed that I had user instead of email... so I changed that. Posted below is the code that I am currently using to get this piece of junk to work right... once it is going good on the basic (echo) scale, I will add in the SQL update code.

$sql = "SELECT * FROM ForumUsers WHERE email='$email'";
$result = mysql_query($sql) or die ("Error in query" . mysql_error()); // this will throw an error if there is one in the sql
$num = mysql_num_rows($result);
if ($num != 0) {
    echo '$num rows found';   // single-quoted, so $num is printed literally
} else {
    echo 'no rows';
}

It currently echoes no rows all the time... for some reason it can't find anything with my email... confused again. Wondering if the email link is formatted right. I don't know...
-
The main reason that I am md5ing the value in the email is because I really don't want the user to see the actual code... as you can see, it is just a 7 digit code there and it seems more "official" using the md5. Just an image thing.

Working on the whole process of validation... changed the code to this:

$message = "Please click the following URL to verify your email:\n\n" .
    "http://www.everkleen.biz/testforum/forum/validate.php?key=" . (md5($rand)) . "&email=$email";
$message = wordwrap($message, 70);
$subject = "Forum Verification";
$headers = 'From: [email protected]';
mail($email, $subject, $message, $headers);
echo "You will receive an automatic email from this site with a verification number.<br>When logging in for the first time, you will be asked for that number.<br><a href = 'index.php'>Click Here</a> to return to the main page.";
unset($_SESSION['SignupAttempts']);

This outputs the correct message with the hashed code... Now, I have made the validation page. The code is this:

<?php
include ('includes/dbconnect.php');
// values from the link's query string
$safekey = htmlentities(stripslashes(strip_tags($key)));
$safeusr = htmlentities(stripslashes(strip_tags($usr)));
$sql = "SELECT random FROM ForumUsers WHERE user='$safeusr'";
$result = mysql_query($sql) or die ("Error in query" . mysql_error()); // this will throw an error if there is one in the sql
$finresult = mysql_result($result);
if ($safekey == $finresult) {
    $query = "UPDATE ForumUsers SET valid='1' WHERE user='$safeusr'";
    $result = mysql_query($query) or die(mysql_error());
    echo "Thank you for validating your email, have a nice day!";
} else {
    echo "Something went horribly, horribly wrong. Please <a href='mailto:[email protected]'>CLICK HERE</a> to email the administrator.";
}
?>

When I click the link (the fixed link) the page outputs this:

Line 17 is the $finresult variable... In the DB, the "valid" section is still 0, so the email didn't change anything, but it says that it did.

My main concerns here are:
1.) Security... what if the user places his own code into the link? Do the stripslashes, strip_tags, and htmlentities take care of that?
2.) mysql_query() doesn't come back with an actual result, just a reference or something, so I tried mysql_result-ing the $result... is that a correct way to do things?

Thanks a lot for all the help. Also, I am going to add in something to check if there are dup. emails, just one step at a time...
-
OK, I put it up, but it doesn't look right. It also doesn't place the $usr and $key values in the email. Here is the code I have for the email:

$message = '<html><head><title>Automatic Email</title></head><body>This is an automatic email, please do not respond. Click the link to verify the authenticity of your email address: <a href="http://www.everkleen.biz/testforum/forum/validate.php?usr=$user&key=(md5($rand))">http://www.everkleen.biz/testforum/forum/validate.php?usr=$user&key=(md5($rand))</a></body></html>';
-
OK... just puked this out in about 20 min... wondering if it will work. No time to change the rest of the code, upload, or anything... want to go to bed, big day of work ahead of me. (Some days I feel as if I am working in the movie Office Space, but it isn't nearly as funny.) Here is the code:

<?php
include ('includes/dbconnect.php');
$safekey = htmlentities(mysql_real_escape_string($key));
$safeusr = htmlentities(mysql_real_escape_string($usr));
$sql = "SELECT random FROM ForumUsers WHERE user='$safeusr'";
$result = mysql_query($sql) or die ("Error in query" . mysql_error()); // this will throw an error if there is one in the sql
if ($safekey == $result) {
    $query = "UPDATE ForumUsers SET valid='1' WHERE user='$safeusr'";
    $result = mysql_query($query) or die(mysql_error());
    echo "Thank you for validating your email, have a nice day!";
} else {
    echo "Something went horribly, horribly wrong. Please <a href='mailto:[email protected]'>CLICK HERE</a> to email the administrator.";
}
?>

I would be sending the email as discussed in the post of mine above.
-
OK... have about 45 spare minutes for today, so I am sitting down and trying to set up a verification link system... Here is what I have: nothing. Just ideas and questions.

Let's say that I have a link (http://www.someplace.com/validateemail.php?key=somenumber). If the user clicks on the link I am assuming that if I have in validateemail.php something like <<if $key == $valid ((the number in the db))>> then it will work, right?

How about this: http://www.someplace.com/validateemail.php?dat=username&key=md5edvalidationnumber

When I click on the link, the script would search the database for $dat (the username) and check $key against md5(validation number), right? I think that I am on the right track... if not, just stop me. Then I would have something like:

if $key == (md5($validationnumber)) {
    some sql stating that the "valid" field is now to be set to "1";
    echo "Thanks for validating your email for me.";
} else {
    echo "Something went wrong! Please CLICK HERE to email the administrator.";
}

Right? Also, is there a way to decrypt md5 hashes? I was looking in the PHP manual and I didn't see anything about that... just a lot of junk on Google about decrypting online, but I read that those are actually just a DB with a bunch of words put in with md5 hashes, and not actual decryption......
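An added example, not the poster's code, of the verification-link design asked about here and attempted in the verify.php/validate.php posts above. The link carries a random token, the table stores only a hash of that token, and the validation page looks the row up with a prepared statement and compares hashes with hash_equals(). md5 of a 7-digit number gives an attacker nothing to "decrypt": hashing all ten million candidates takes well under a second, so the number is effectively sent in the clear; a 256-bit token from the CSPRNG closes that. The in-memory SQLite table, its column names, the example address and the returned link (standing in for mail()) are assumptions for the demo; it needs PHP 7 with the pdo_sqlite extension.

```php
<?php
// Added example (not from the original post): verification link issued at
// signup and checked by the validation page. Assumptions: PHP 7+, pdo_sqlite,
// an in-memory table named ForumUsers with hypothetical column names, and the
// link returned instead of mailed so the script runs offline.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only a hash of the token is stored; a leaked table does not yield live links.
    $db->exec("CREATE TABLE ForumUsers (
        email TEXT PRIMARY KEY,
        token_hash TEXT,
        token_expires INTEGER,
        valid INTEGER NOT NULL DEFAULT 0)");
    return $db;
}

// Signup side: unguessable token, hash + expiry stored, link returned for mail().
function issueVerificationLink(PDO $db, string $email, string $baseUrl, int $ttl = 86400): string {
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG, not rand()
    $stmt = $db->prepare("INSERT INTO ForumUsers (email, token_hash, token_expires, valid)
                          VALUES (:email, :hash, :exp, 0)");
    $stmt->execute([
        ':email' => $email,
        ':hash'  => hash('sha256', $token),
        ':exp'   => time() + $ttl,
    ]);
    // http_build_query() URL-encodes both values, so an address containing
    // '&' or '=' cannot smuggle extra parameters into the link.
    return $baseUrl . '?' . http_build_query(['email' => $email, 'key' => $token]);
}

// Validation side: takes the raw $_GET values. No escaping layer is needed
// because the prepared statement keeps data and SQL apart, and nothing from
// the request is ever echoed back to the browser.
function verifyToken(PDO $db, string $email, string $token): bool {
    $stmt = $db->prepare("SELECT token_hash, token_expires, valid FROM ForumUsers WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['valid'] == 1 || $row['token_hash'] === null) {
        return false;                              // unknown address or link already used
    }
    if ((int)$row['token_expires'] < time()) {
        return false;                              // link expired
    }
    // Constant-time comparison: the response time does not reveal how many
    // leading characters of a guessed token were correct.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    // Flag the row and burn the token in one statement so the link is single-use.
    $upd = $db->prepare("UPDATE ForumUsers SET valid = 1, token_hash = NULL
                         WHERE email = :email AND valid = 0");
    $upd->execute([':email' => $email]);
    return $upd->rowCount() === 1;
}

function isValidated(PDO $db, string $email): bool {
    $stmt = $db->prepare("SELECT valid FROM ForumUsers WHERE email = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->fetchColumn() == 1;
}

// Stand-alone run on a constructed address; nothing is mailed.
$db   = openDb();
$link = issueVerificationLink($db, 'user@example.com', 'http://www.everkleen.biz/testforum/forum/validate.php');
echo $link, "\n";
parse_str(parse_url($link, PHP_URL_QUERY), $q);   // what $_GET holds after the click
var_dump(verifyToken($db, $q['email'], $q['key']));    // first click
var_dump(verifyToken($db, $q['email'], $q['key']));    // same link again: single-use
var_dump(verifyToken($db, "' OR '1'='1", 'anything')); // injection string is just an unknown address
var_dump(isValidated($db, $q['email']));
```

Run it with php on the command line. Binding parameters is what removes the need for mysql_real_escape_string(), and htmlentities() belongs at output time only; applying it to input before a database lookup changes the stored value (an address with an apostrophe no longer matches itself), which is one reason lookups by $email in the posts above can come back empty.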
-
I went to icanhazcheezburger.com... hilarious!!!
-
/\ | Fixed. Just one more thing... this is my email validation function:

<?php
error_reporting(0);
function checkEmail($email) {
    if(eregi("^[a-zA-Z0-9_]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$]", $email)) {
        return FALSE;
    }
    list($Username, $Domain) = split("@", $email);
    if(getmxrr($Domain, $MXHost)) {
        return TRUE;
    } else {
        if(fsockopen($Domain, 25, $errno, $errstr, 30)) {
            return TRUE;
        } else {
            return FALSE;
        }
    }
}
?>

Without the error_reporting(0) in there I got a massive error... I am assuming it was an XSS vulnerability... but anyway, I shut off the error reporting and it works just fine.
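An added example (not the checkEmail() above) that does the same two checks with functions that work without error_reporting(0). Two things to notice in the posted pattern: the `]` after the `$` anchor is outside any bracket expression, so the pattern can never match and the syntax branch is dead code, and the branch that does run returns FALSE on a match, the opposite of what is wanted. ereg/eregi and split() were removed in PHP 7, so filter_var() is the replacement; the DNS part is kept in its own function because it needs the network (and, as the next post notes, getmxrr() was not available on Windows before PHP 5.3; checkdnsrr() is). A PHP warning printed into the page is an information leak (paths, function names), not XSS, and hiding it with error_reporting(0) leaves the cause in place. The sample addresses are constructed.

```php
<?php
// Added example, not the poster's function. Assumes PHP 7+; no database.

// Pure syntax check: no network, no warnings, safe on untrusted input.
function emailSyntaxOk(string $email): bool {
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Deliverability check, separated so the signup page can skip or time-box it.
// Falls back to an A record when the domain publishes no MX (RFC 5321 rule).
function emailDomainResolves(string $email): bool {
    if (!emailSyntaxOk($email)) {
        return false;
    }
    $domain = substr(strrchr($email, '@'), 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

// Constructed samples for the syntax layer. The last one is the case that
// matters when $email is later passed to mail(): a CR/LF inside the address
// would let a user append their own headers (Bcc:, extra recipients).
$samples = [
    'user@example.com',
    'first.last+tag@example.org',
    'no-at-sign.example.com',
    'user@',
    "user@example.com\r\nBcc: someone@evil.test",
];
foreach ($samples as $addr) {
    printf("%-48s %s\n", json_encode($addr), emailSyntaxOk($addr) ? 'accepted' : 'rejected');
}
```

Call emailDomainResolves() only after the syntax check has passed and only where a slow or failing DNS lookup is acceptable; for a forum signup, rejecting bad syntax and then relying on the verification link itself is usually enough.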
-
I forgot to re-activate the email verification function. I am working on a Windows machine and getmxrr() doesn't work in Windows. It kept throwing an error, so I just commented out that section. Just uncommented it, so hopefully it works.
-
Thanks for looking at the site... I know that it only says forum. It is coming along VERY slowly (not much time to work on the project, as it is just something that I am doing in my spare time, and with two kids, a wife, a full time job and a couple of prospective jobs on the way to be worked on, that leaves almost nothing). I do know that the user doesn't need to be verified at this time. Trying to work that into the mix. I am doing one piece at a time. I really don't know how to have the info that is OK get filled in if the registration fails; that will be something to look into in the future. I will also look into the error about the email. I don't get an error, what did it say for you? Thanks a lot for all the help and ideas. As I said, this will be a continuing project and if anyone wants to steal anything from it feel free. If you have any questions or suggestions all are welcome.
-
OK... just had to add a <?php session_start(); ?> at the very top. Thanks dark water and robos. If you want to look at what I have it is here: http://www.everkleen.biz/testforum/forum It isn't much yet. I have added a mail() function to the signup section where it will mail you a verification number, but don't know what to do from here. I want it to check the DB and if the user is verified then send them on their merry way, but if it is not verified, then have them punch in their number and it will change the value in the DB to 1. I tried to do that, but it got too weird and screwed up, so for now, I am just using the basic index. One other thing... I don't know how secure the site is (using htmlentities and mysql_real_escape_string) but if you would like to try SQL injections, go ahead... just please no destructiveness. Thanks a lot and I will be back... just have to get away from the computer for a while.
-
OK, but do I need the HTML?
-
So, basically what you're saying is that I don't even need any of that HTML at the beginning of the page or at the end?
-
Hello, I am trying to build a forum from the ground up to help me learn PHP. I am kinda stumped now... When I was testing on my server at home, all was good. Put it up on a live server and it just poops all over the place. I open the main page and get this error:

This is the code that I have for the index page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>
<body>
<?php
include ("includes/dbconnect.php");
if ((isset($_POST['user'])) || (isset($_POST['pass']))) {
    $user = htmlentities(mysql_real_escape_string($_POST['user']));
    $pass = md5(htmlentities(mysql_real_escape_string($_POST['pass'])));
    $sql = "SELECT * FROM ForumUsers WHERE user='$user' and password='$pass'";
    $result = mysql_query($sql) or die ("Error in query" . mysql_error()); // this will throw an error if there is one in the sql
    // mysql_num_rows is counting table rows
    $count = mysql_num_rows($result);
    // If result matched $user and $pass, table row must be 1 row
    if($count==1){
        // Register $user, $pass and redirect to file "login_success.php"
        $_SESSION['user'] = $user;
        $_SESSION['pass'] = $pass;
        echo 'forum';
    }
    if($count!=1) {
        echo '<div align="center">INCORRECT USERNAME AND/OR PASSWORD</div>';
        include "includes/loginform.php";
    }
} // close top if
else {include "includes/loginform.php";}
?>
</body>
</html>

loginform.php does not have anything to do with sessions, it is just a table. dbconnect.php is just my connection settings... Very confused. If I don't have session_start() there (I removed it just to try to fix it myself. Also deleted all cookies.) it shouldn't try to start a session...
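The login check above, rewritten as an added example (not the poster's index.php) with a prepared statement and password_hash()/password_verify() in place of md5(htmlentities(mysql_real_escape_string(...))). Escaping the password before hashing means a password containing `'` or `&` is hashed in an altered form, and an unsalted md5 of a password is exactly what the lookup tables the md5 post asks about reverse in seconds. Storing the password hash in $_SESSION is also unnecessary; the session only needs the identity. Assumes PHP 7.1+ with pdo_sqlite; the in-memory table and the users alice and bob are constructed for the demo, and the session calls are skipped when run from the command line.

```php
<?php
// Added example, not the original index.php. Assumptions: PHP 7.1+, pdo_sqlite,
// an in-memory ForumUsers table and two constructed users.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE ForumUsers (
        user TEXT PRIMARY KEY,
        password TEXT NOT NULL,
        valid INTEGER NOT NULL DEFAULT 0)");
    return $db;
}

// Signup: store a salted, slow hash (bcrypt by default), never the password
// or an unsalted md5 of it.
function registerUser(PDO $db, string $user, string $pass, bool $valid): void {
    $stmt = $db->prepare("INSERT INTO ForumUsers (user, password, valid) VALUES (:u, :p, :v)");
    $stmt->execute([':u' => $user, ':p' => password_hash($pass, PASSWORD_DEFAULT), ':v' => $valid ? 1 : 0]);
}

// Returns the user name on success, null otherwise. The raw $_POST values are
// bound as parameters, so no escaping layer touches them.
function checkLogin(PDO $db, string $user, string $pass): ?string {
    $stmt = $db->prepare("SELECT user, password, valid FROM ForumUsers WHERE user = :u");
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so the
    // response time does not reveal which user names exist.
    $hash = $row ? $row['password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($pass, $hash) || !$row) {
        return null;
    }
    if ((int)$row['valid'] !== 1) {
        return null;                  // registered, but the email is not verified yet
    }
    return $row['user'];
}

// What the index page does with a POST. Returns the page state so it can be
// demonstrated from the command line.
function handleLogin(PDO $db, array $post): string {
    if (!isset($post['user'], $post['pass'])) {
        return 'form';                // show includes/loginform.php
    }
    $user = checkLogin($db, $post['user'], $post['pass']);
    if ($user === null) {
        return 'INCORRECT USERNAME AND/OR PASSWORD';
    }
    if (PHP_SAPI !== 'cli') {
        session_start();
        session_regenerate_id(true);  // fresh session id after login (session fixation defence)
        $_SESSION['user'] = $user;    // identity only; the password hash stays in the database
    }
    return 'forum';
}

// Stand-alone run with constructed users.
$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple', true);
registerUser($db, 'bob', 'hunter2', false);
echo handleLogin($db, ['user' => 'alice', 'pass' => 'correct horse battery staple']), "\n";
echo handleLogin($db, ['user' => 'alice', 'pass' => 'wrong']), "\n";
echo handleLogin($db, ['user' => 'bob', 'pass' => 'hunter2']), "\n";        // not yet validated
echo handleLogin($db, ['user' => "' OR '1'='1", 'pass' => 'x']), "\n";      // injection string bound as data
echo handleLogin($db, []), "\n";
```

session_start() still has to run before any output on the real page, which is the cause of the "headers already sent" class of error when it sits below the HTML; in this layout the session is only touched inside handleLogin(), so the call can be placed at the very top of the file before the doctype.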