[SOLVED] md5 argument...

eaglelegend · May 25, 2008

Hey, I am trying to get my files a little bit safer, and less security holes, however, md5 dont like it, look...

Warning: md5() expects parameter 1 to be string, array given in /misc/39/000/171/334/2/user/web/eaglelegend.com/register.php on line 6

Warning: md5() expects parameter 1 to be string, array given in /misc/39/000/171/334/2/user/web/eaglelegend.com/register.php on line 7

here is register, however, for your conveniance, I have not inclided the actual form where you "sighn up", just the code.

<?php
include("header.php");
?>
<?php
$username = strip_tags(stripslashes($_POST));
$password = strip_tags(stripslashes(md5($_POST)));
$password_confirm = strip_tags(stripslashes(md5($_POST)));
$email = strip_tags(stripslashes($_POST));
$sql = mysql_query("UPDATE members SET ip ='{$_SERVER['REMOTE_ADDR']}' WHERE username='$username' LIMIT 1");

if($username && $password && $password_confirm && $email) {

Function RemoveXSS($val) {

   $val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $val);
   
   $search = 'abcdefghijklmnopqrstuvwxyz';
   $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
   $search .= '1234567890!@#$%^&*()';
   $search .= '~`";:?+/={}[]-_|\'\\';
   for ($i = 0; $i < strlen($search); $i++) {

      $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); 

      $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); 
   }
   
   $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
   $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
   $ra = array_merge($ra1, $ra2);
   
   $found = true; 
   while ($found == true) {
      $val_before = $val;
      for ($i = 0; $i < sizeof($ra); $i++) {
         $pattern = '/';
         for ($j = 0; $j < strlen($ra[$i]); $j++) {
            if ($j > 0) {
               $pattern .= '(';
               $pattern .= '(&#[xX]0{0,8}([9ab])';
               $pattern .= '|';
               $pattern .= '|(&#0{0,8}([9|10|13])';
               $pattern .= ')*';
            }
            $pattern .= $ra[$i][$j];
         }
         $pattern .= '/i';
         $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); 
         $val = preg_replace($pattern, $replacement, $val);
         if ($val_before == $val) {
            
            $found = false;
         }
      }
   }
   return $val;
}

$siteurl = preg_replace( "/[^a-zA-Z0-9s]/", "", $siteurl );

$check_user = mysql_num_rows(mysql_query("SELECT * FROM `members` WHERE `username`=\"$username\""));
$check_site = mysql_num_rows(mysql_query("SELECT * FROM `members` WHERE `url`=\"$siteurl\""));

if($check_user == 0) {

 	if($password == $password_confirm) {
 	 	$newpass = md5($password);
 	 	$date = date("m/d/y");

		$sql = mysql_query("SELECT * FROM `sites` WHERE `url`='$Z'");
		while($r = mysql_fetch_array($sql)) {
		 	$money = $r["money"];
		 	$points = $r["points"];
		}

		$insert = mysql_query("INSERT INTO `members` (`admin`, `date`, `username`, `password`, `email`, `points`, `money`) VALUES('0', '$date', \"$username\", \"$newpass\", \"$email\", '$points', '$money')"); 
		$sql = mysql_query("UPDATE members SET ip ='{$_SERVER['REMOTE_ADDR']}' WHERE username='$username' LIMIT 1");
		if($insert) {


			print "<h2>Congratulations!</h2><p>
			You are now a registered member of this site!<p>
			Username: $username<br>
			Password: $password<p>
			You can login using the form to the right!";
		}
		else {
		 	print mysql_error();
		}
	}
	else {
	 	print "<p>Passwords do not match!</p>";
	}
}
else {
 	if($check_user > 0) {
 		print "<p>That username already exists!</p>"; 
 	}
}
}
else {
?>

.josh · May 25, 2008

The error tells you the problem. $_POST is an array of all your posted variables. md5 expects a string. You need to break it down to $_POST['blah'] etc.. one for each of your posted vars

EG:

$username = strip_tags(stripslashes($_POST['username'])); //assuming 'username' is the name of your form var
$password = strip_tags(stripslashes(md5($_POST['password']))); // ditto on 'password'

eaglelegend · May 25, 2008

oh I see, OH thanks for the other post, that you helped solve with me XD

Sign In

[SOLVED] md5 argument...

Recommended Posts

eaglelegend

Link to comment

Share on other sites

.josh

Link to comment

Share on other sites

eaglelegend

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Important Information