
Can someone check my scripts.....


nut legend


Hey

 

I have a few scripts, could someone check if they work?:

 

<?php
$target = "upload/";
$target = $target . basename($_FILES['uploaded']['name']);
$ok = 1;

// Read size and type from $_FILES instead of relying on register_globals
$uploaded_size = $_FILES['uploaded']['size'];
$uploaded_type = $_FILES['uploaded']['type']; // value sent by the browser, not verified by PHP

//This is our size condition
if ($uploaded_size > 350000)
{
    echo "Your file is too large.<br>";
    $ok = 0;
}

//This is our limit file type condition
if ($uploaded_type == "text/php")
{
    echo "No PHP files<br>";
    $ok = 0;
}

//Here we check that $ok was not set to 0 by an error
if ($ok == 0)
{
    echo "Sorry your file was not uploaded";
}
//If everything is ok we try to upload it
else
{
    if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
    {
        // Same form field as above ('uploaded'); escape the name before printing it
        echo "The file " . htmlspecialchars(basename($_FILES['uploaded']['name'])) . " has been uploaded";
    }
    else
    {
        echo "Sorry, there was a problem uploading your file.";
    }
}
?>

 

That was the first one, the second one is, btw I called it test.com although I don't think it's a website....:

 

<?php
// Connects to your Database
// (the mysql_* functions used here were removed in PHP 7.0)
mysql_connect("test.com", "username", "password") or die(mysql_error());
mysql_select_db("Database_Name") or die(mysql_error());

//This code runs if the form has been submitted
if (isset($_POST['submit'])) {

    //This makes sure they did not leave any fields blank
    if (empty($_POST['username']) || empty($_POST['pass']) || empty($_POST['pass2'])) {
        die('You did not complete all of the required fields');
    }

    // checks if the username is in use
    if (!get_magic_quotes_gpc()) {
        $_POST['username'] = addslashes($_POST['username']);
    }
    $usercheck = $_POST['username'];
    $check = mysql_query("SELECT username FROM users WHERE username = '$usercheck'")
        or die(mysql_error());
    $check2 = mysql_num_rows($check);

    //if the name exists it gives an error
    if ($check2 != 0) {
        // escape the name before echoing it back into the page
        die('Sorry, the username '.htmlspecialchars($_POST['username']).' is already in use.');
    }

    // this makes sure both passwords entered match
    if ($_POST['pass'] != $_POST['pass2']) {
        die('Your passwords did not match. ');
    }

    // here we encrypt the password and add slashes if needed
    $_POST['pass'] = md5($_POST['pass']);
    if (!get_magic_quotes_gpc()) {
        $_POST['pass'] = addslashes($_POST['pass']);
        // the username was already escaped above; escaping it a second time
        // would store extra backslashes in the database
    }

    // now we insert it into the database
    $insert = "INSERT INTO users (username, password)
        VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
    $add_member = mysql_query($insert);
?>

 

 

<h1>Registered</h1>

<p>Thank you, you have registered - you may now login</a>.</p>

 

The final code for now:

 

<?php
}
else
{
?>

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="post">
<table border="0">
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="60">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="pass" maxlength="10">
</td></tr>
<tr><td>Confirm Password:</td><td>
<input type="password" name="pass2" maxlength="10">
</td></tr>
<tr><th colspan="2"><input type="submit" name="submit" value="Register"></th></tr>
</table>
</form>

<?php
}
?>

 

Thanks

 

nut legend

 

P.S. If anyone has a database code which can store all the information for the usernames and passwords I would be very grateful....
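An added example, not part of the original post: the upload script above decides on the browser-supplied type and keeps the browser-supplied file name, so this sketch detects the type from the file's content, accepts only listed types and picks the stored name itself. `UPLOAD_DIR`, `MAX_BYTES`, `ALLOWED` and `allowed_extension()` are hypothetical names, the allowed types are an assumption, and the fileinfo extension is required.

```php
<?php
// Added example: allowlist validation for the 'uploaded' form field.
// UPLOAD_DIR, MAX_BYTES and ALLOWED are assumed values, not from the post.
const UPLOAD_DIR = __DIR__ . '/upload/';  // best kept where PHP files are never executed
const MAX_BYTES  = 350000;                // same limit as the original script
const ALLOWED    = [                      // content-detected MIME type => extension we assign
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/**
 * Validate one $_FILES entry. Returns the extension to store the file under,
 * or null when the upload must be rejected.
 */
function allowed_extension(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                               // PHP reported a failed or missing upload
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;                               // path did not come from an HTTP upload
    }
    if ($file['size'] > MAX_BYTES) {
        return null;
    }
    // Detect the type from the bytes on disk; $file['type'] is whatever the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return ALLOWED[$mime] ?? null;                 // anything not listed is refused
}

if (isset($_FILES['uploaded'])) {
    $ext = allowed_extension($_FILES['uploaded']);
    if ($ext === null) {
        http_response_code(400);
        exit('Sorry, your file was not uploaded.');
    }
    // Server-chosen name: the client's file name never reaches the file system,
    // so it cannot select a .php extension or a path outside UPLOAD_DIR.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (move_uploaded_file($_FILES['uploaded']['tmp_name'], UPLOAD_DIR . $name)) {
        echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } else {
        http_response_code(500);
        echo 'Sorry, there was a problem uploading your file.';
    }
}
```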

 


Okay, I've only had a quick look at both scripts and I can think of a few things that might make things easier. Bear in mind I would not be able to properly test this myself without making a dummy database which I can't atm.

 

First a minor change:

 

You could change $ok to increment and count how many times an error has occurred, then if there are no errors ($ok == 0)  then run the last bit of script. To increment use: $ok++;

 

As far as I'm aware (as long as $uploaded_size and $uploaded_type are working) the first script is okay.

 

Now the second one...

 

On the line "<p>Thank you, you have registered - you may now login[/url].</p>" why do you have a closing [/url] tag without an open one?

 

Another thing is that md5 encryption isn't as safe as the sha1() function, but that's up to you

 

$_POST['pass'] = sha1($_POST['pass']);

 

 

Then when it comes to the login form you just sha1() the password they enter against the value in the record which is already encrypted and no one knows what it is, even the Admin.

 

Lastly is this sql script:

 

$insert = "INSERT INTO users (username, password) VALUES ('".$_POST['username']."', '".$_POST['pass']."')";

 

Should look like:

 

$insert = "INSERT INTO users (username, password) VALUES ('{$_POST['username']}', '{$_POST['pass']}')";

 

There is no need to use the quoting on top of the usual ' ' for values, even for variables.

 

The rest of the script and the form looks okay, but as I said I can't use it to be 100% positive.
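An added example, not code from either poster: the registration and login check discussed in this thread, written with PDO prepared statements in place of a string-built INSERT and with `password_hash()` / `password_verify()` in place of a bare `md5()` or `sha1()`. The function names, the in-memory SQLite database and the sample user are constructed for illustration; the `users (username, password)` layout follows the thread, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example: registration and login check with PDO + password_hash().
// Function names and the demo database are assumptions, not the posters' code.
// In MySQL the password column should hold at least 255 characters.

function register_user(PDO $db, string $username, string $pass, string $pass2): string
{
    if ($username === '' || $pass === '' || $pass2 === '') {
        return 'You did not complete all of the required fields';
    }
    if ($pass !== $pass2) {
        return 'Your passwords did not match.';
    }
    // Placeholders keep the values out of the SQL text, so no addslashes() is needed.
    $check = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return 'Sorry, that username is already in use.';
    }
    // password_hash() adds a per-user salt and uses a deliberately slow algorithm
    // (bcrypt by default), unlike a single unsalted md5() or sha1().
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
       ->execute([$username, $hash]);
    return 'Registered';
}

function check_login(PDO $db, string $username, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // password_verify() re-derives the hash using the salt stored inside $hash.
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed demo on an in-memory SQLite database so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// The quote in the sample name is stored as data and never parsed as SQL.
echo register_user($db, "o'brien", 'correct horse', 'correct horse'), "\n";
echo register_user($db, "o'brien", 'other', 'other'), "\n";
var_dump(check_login($db, "o'brien", 'correct horse'));
var_dump(check_login($db, "o'brien", 'wrong guess'));
```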

 
