McBryver Posted September 30, 2010 Share Posted September 30, 2010 Ok Here is my Problem the following works great except it does not add the $user var to the account_details. As well as outputs md5 wrong it outputs something but its different than the password should be. Heres my PHP code: <?php session_start(); /** * @author Brian T. Flores * @copyright 2010 - 2014 */ error_reporting(E_ALL); $conn = mysql_connect($db_host, $db_user, $db_pass) or die ('Error connecting to mysql'); mysql_select_db($db_name); if($_GET['goahead']==1){ // If GoAhead Is set if(isset($_GET['user'])){ // If isset GoAhead $user = mysql_real_escape_string($_GET['user']); // Clean User for Transfer. $user_check = mysql_query("SELECT * FROM `account_details` WHERE `username01` = '$user'"); // Check to see if username is taken. $ucount = mysql_num_rows($user_check); // Get Username Check Count if($ucount!=""){ // If Username is Taken. die(3); // Die Error Number 3 } // End If Username is Taken. if(isset($_GET['pass'])){ // If password is set. $pass = mysql_real_escape_string($_GET['pass']); // Clean Password for Transfer. $encPass = md5($pass); // Encrypt Password if(isset($_GET['race'])){// If Race is Set. $race = mysql_real_escape_string($_GET['race']); // Clean Race for Transfer. if(isset($_GET['email'])){ // If Email is set. $email = mysql_real_escape_string($_GET['email']); // Clean Email for Transfer. $email_check = mysql_query("SELECT * FROM `account_details` WHERE `email` = '$email'");// Check to see if Email is Taken. $ecount = mysql_num_rows($email_check); // Get Email Check Count. if($ecount!=""){ // If Email is Taken. die(2); // Die Error Number 2 } // End If Email is Taken. if(isset($_GET['email2'])){ // If email confirmation is set. $email2 = mysql_escape_string($_GET['email2']); // Clean Email Confirmation for Transfer. if($email == $email2){ // If emails match. if(isset($_GET['planet'])){ // If Planet Name is Set. $pname = mysql_real_escape_string($_GET['planet']); // Clean Planet Name for Transfer. if(isset($_GET['security_code'])){ // If Security Code Input is set. $security_code = mysql_real_escape_string($_GET['security_code']); // Clean Security Code. $security_enc = md5($security_code); // Encrypt Security Code. $security_code2 = $_SESSION['image_random_value']; // Get Security Code Session if($security_enc == $security_code2){ // If Codes Match. $randActive = rand(11111111111111111111,99999999999999999999); // Get Activation Link pre-encrypt. $activation_link = md5($randActive); // Get Encrypted Activation Link. $q = "INSERT INTO `account_details` (`username01`, `password01`, `loggedIn`, `currentlyLogged`, `active`, `activelink`, `race`, `email`) VALUES ('$user', '$encPass', 0, 0, 0, '$activation_link', '$race', '$email');"; // ^ Add Account Query. $res = mysql_query($q) or die("Error Detected! <br />".mysql_error()); // ^ Add Account to SQL. $q = mysql_query("SELECT * FROM `account_details` WHERE `username01` = '$user'")or die(mysql_error()); // ^ Get Information from New Account. $newuserinfo = mysql_fetch_array($q);// Get New User Information $id = $newuserinfo['id']; // Set New Account Id. $q="INSERT INTO `planets` (`owner`, `name`, `recource1`, `recource2`, `recource3`, `recource4`, `recource5`, `turns_01`, `untrained_units_01`, `attackers_01`, `defenders_01`, `miners_01`, `covert_01`, `anticovert_01`, `ship_01`, `ship_02`, `ship_03`, `ship_04`, `ship_05`, `ship_06`, `ship_07`, `building01`, `building02`, `building03`, `building04`, `building05`, `building06`, `building07`, `building08`, `building09`) VALUES ('$id', '$pname', 35000, 15000, 12000, 135000, 125000, 220, 150, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0);"; // ^ Add Planet Query. $res2 = mysql_query($q) or die("Error Detected! <br />".mysql_error()); // Add Planet to SQL. $body = " Hello ".$user.", Congradulations! Your account on Ultimate Conquest has been Registed Today! Click the following Link to Activate Account: http://testing.ultimateconquest.net/activate.php?code=".$activation_link." If you have not registered an account and have found this message in error please click the following link to report this error: http://testing.ultimateconquest.net/errorreg.php?account=".$user." Thank you for registering for Ultimate Conquest - ULC, Head Admin Brian Flores AKA Photonic.... "; // Activation Email Information. if (mail($email, "Activate your ULC Ultimate Conquest Account! No-Reply!", $body)) { // If Email Is Sent. die("1"); // Die Error Number 1 } // End Send Email }else{ // If Security Codes do Not Match. die("12"); // Die Error Number 12 } }else{ // If Security Code is Not Set die("11"); // Die Error Number 13 } }else{ // If Planet Name is Not Set. die("10"); // Die Error Number 10. } }else{ // If Emails do not match. die("9"); // Die Error Number 9. } }else{ // If email confirmation is not set. die("8"); // Die Error Number 8. } }else{ // If email is not set. die("7"); // Die Error Number 7. } }else{ // If race is not set. die("6"); // Die Error Number 6. } }else{ // If Password is not set. die("5"); // Die Error Number 5. } }else{ // If Username is not set. die("4"); // Die Error Number 4. } }else{ // If GoAhead is Not Set. die("Go Ahead Not Established By Game System!"); } ?> Here is the Register Function in Javascript: function regMast(){ var user = document.getElementById('username_client').value; var pass = document.getElementById('password_client').value; var race1 = document.getElementById('races1').value; if(race1 !=""){var race = document.getElementById('races1').value;} var race2 = document.getElementById('races2').value; if(race2 !=""){var race = document.getElementById('races2').value;} var race3 = document.getElementById('races3').value; if(race3 !=""){var race = document.getElementById('races3').value;} var race4 = document.getElementById('races4').value; if(race4 !=""){var race = document.getElementById('races4').value;} var planet_name = document.getElementById('pname').value; var email = document.getElementById('email').value; var email2 = document.getElementById('email2').value; var security_code = document.getElementById('security_code').value; var ajaxRequest; // The variable that makes Ajax possible! try{ // Opera 8.0+, Firefox, Safari ajaxRequest = new XMLHttpRequest(); } catch (e){ // Internet Explorer Browsers try{ ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try{ ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e){ // Something went wrong alert("Your browser broke!"); return false; } } } // Create a function that will receive data sent from the server ajaxRequest.onreadystatechange = function(){ if(ajaxRequest.readyState == 4){ var returni = ajaxRequest.responseText; if(returni == "1"){ document.getElementById('reg_error').innerHTML = 'Registration Completed! Check Activation Email for more information.'; } if(returni == "2"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Email Address Already Taken!'; } if(returni == "3"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Username Already Taken!'; } if(returni == "4"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Username Field Empty!'; } if(returni == "5"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Password Field Empty!'; } if(returni == "6"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! You must select a race!'; } if(returni == "7"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Email Field Empty!'; } if(returni == "8"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Email Confirmation Field Empty!'; } if(returni == "9"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Emails did not Match!'; } if(returni == "10"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Planet Name Field Empty!'; } if(returni == "11"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! You did not Input the Security Code!'; } if(returni == "12"){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! The Security Code you Inputed did not Match the Image!'; }else{ document.getElementById('reg_error').innerHTML = returni; } } } var queryString = "?goahead=1&user=" + user + "&pass=" + pass + "&race=" + race + "&email=" + email + "&email2=" + email2 + "&security_code=" + security_code + "&planet=" + planet_name; ajaxRequest.open("GET", "register.php" + queryString, true); ajaxRequest.send(null); } Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted September 30, 2010 Share Posted September 30, 2010 There are a few things you can use to clean your code up. For one, take a look at mysql_insert_id, you can use that instead of running a query after inserting the user data to retrieve the new user ID. Are you 100% sure that all variables are being set properly, that is, they are being retrieved and actually contain values both client and server side. I'd also like to recommend using a JavaScript library, such as jQuery. It neatens the whole process up. And when doing that, I'd POST the data, instead of using get. Someone could quite easily navigate to register.php in there browser and spam creation of users or worse. Quote Link to comment Share on other sites More sharing options...
McBryver Posted September 30, 2010 Author Share Posted September 30, 2010 Looking over the php manual link you gave me did not know that function existed. thanks... I cannot use POST as I am using Ajax to transfer the information to the register.php page. Unless you know of a way to transfer using the post method. I have died the information to make sure and it shows up correctly. Been looking over this for a couple hours and cannot figure it out... Brian. Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted September 30, 2010 Share Posted September 30, 2010 You can use POST with AJAX, see this article on how it's done. The reason I suggest you use POST for this kind of request is that you're inserting data, and it's much safer to use POST to send the data to the script then GET. GET should generally be used for when you are fetching data. As I said above, to make life a lot easier you can use the jQuery framework, it'll speed up your development. Quote Link to comment Share on other sites More sharing options...
McBryver Posted September 30, 2010 Author Share Posted September 30, 2010 I know that post is safer and more secure I just did not know it could be used with ajax.. Ill try changing it over to Post and see if that solves the Problem.. Ill be back posting in this post if it does not fix it. Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted September 30, 2010 Share Posted September 30, 2010 It may not solve your problem. You should debug it, ensure that your variables are retrieved correctly with JavaScript. When you send the variables to PHP, again make sure that everything is set and is shown correctly, just die each variable and alert the response text with JavaScript. You need to trace the problem to its source, if you're not getting the correct output check your input. It's usually where it's screwing up. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted September 30, 2010 Share Posted September 30, 2010 Also, there is no need to use mysql_real_escape_string() on a value that will be hashed with md5. Quote Link to comment Share on other sites More sharing options...
McBryver Posted September 30, 2010 Author Share Posted September 30, 2010 Ok I have updated the Ajax to POST method and Updated the PHP right now it does nothing and there is no error in the firefox error console. Let me know if I did it right: PHP: <?php session_start(); /** * @author Brian T. Flores * @copyright 2010 - 2014 */ error_reporting(E_ALL); $db_name = "ultimbq0_ultimatelc"; // Database Name $db_user = "ultimbq0_shoppin"; // Database Account Username $db_pass = "enterprise"; // Database Account Password $db_host = "localhost"; // Database Host Domain $conn = mysql_connect($db_host, $db_user, $db_pass) or die ('Error connecting to mysql'); mysql_select_db($db_name); if($_POST['goahead']==1){ // If GoAhead Is set if(isset($_GET['user'])){ // If isset GoAhead $user = mysql_real_escape_string($_POST['user']); // Clean User for Transfer. $user_check = mysql_query("SELECT * FROM `account_details` WHERE `username01` = '$user'"); // Check to see if username is taken. $ucount = mysql_num_rows($user_check); // Get Username Check Count if($ucount!=""){ // If Username is Taken. die(3); // Die Error Number 3 } // End If Username is Taken. if(isset($_POST['pass'])){ // If password is set. $pass = $_POST['pass']; // Clean Password for Transfer. $encPass = md5($pass); // Encrypt Password if(isset($_POST['race'])){// If Race is Set. $race = mysql_real_escape_string($_POST['race']); // Clean Race for Transfer. if(isset($_POST['email'])){ // If Email is set. $email = mysql_real_escape_string($_POST['email']); // Clean Email for Transfer. $email_check = mysql_query("SELECT * FROM `account_details` WHERE `email` = '$email'");// Check to see if Email is Taken. $ecount = mysql_num_rows($email_check); // Get Email Check Count. if($ecount!=""){ // If Email is Taken. die(2); // Die Error Number 2 } // End If Email is Taken. if(isset($_POST['email2'])){ // If email confirmation is set. $email2 = mysql_escape_string($_GET['email2']); // Clean Email Confirmation for Transfer. if($email == $email2){ // If emails match. if(isset($_POST['planet'])){ // If Planet Name is Set. $pname = mysql_real_escape_string($_POST['planet']); // Clean Planet Name for Transfer. if(isset($_POST['security_code'])){ // If Security Code Input is set. $security_code = $_POST['security_code']; // Clean Security Code. $security_enc = md5($security_code); // Encrypt Security Code. $security_code2 = $_SESSION['image_random_value']; // Get Security Code Session if($security_enc == $security_code2){ // If Codes Match. $randActive = rand(11111111111111111111,99999999999999999999); // Get Activation Link pre-encrypt. $activation_link = md5($randActive); // Get Encrypted Activation Link. $q = "INSERT INTO `account_details` (`username01`, `password01`, `loggedIn`, `currentlyLogged`, `active`, `activelink`, `race`, `email`) VALUES ('$user', '$encPass', 0, 0, 0, '$activation_link', '$race', '$email');"; // ^ Add Account Query. $res = mysql_query($q) or die("Error Detected! <br />".mysql_error()); // ^ Add Account to SQL. $q = mysql_query("SELECT * FROM `account_details` WHERE `username01` = '$user'")or die(mysql_error()); // ^ Get Information from New Account. $newuserinfo = mysql_fetch_array($q);// Get New User Information $id = $newuserinfo['id']; // Set New Account Id. $q="INSERT INTO `planets` (`owner`, `name`, `recource1`, `recource2`, `recource3`, `recource4`, `recource5`, `turns_01`, `untrained_units_01`, `attackers_01`, `defenders_01`, `miners_01`, `covert_01`, `anticovert_01`, `ship_01`, `ship_02`, `ship_03`, `ship_04`, `ship_05`, `ship_06`, `ship_07`, `building01`, `building02`, `building03`, `building04`, `building05`, `building06`, `building07`, `building08`, `building09`) VALUES ('$id', '$pname', 35000, 15000, 12000, 135000, 125000, 220, 150, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0);"; // ^ Add Planet Query. $res2 = mysql_query($q) or die("Error Detected! <br />".mysql_error()); // Add Planet to SQL. $body = " Hello ".$user.", Congradulations! Your account on Ultimate Conquest has been Registed Today! Click the following Link to Activate Account: http://testing.ultimateconquest.net/activate.php?code=".$activation_link." If you have not registered an account and have found this message in error please click the following link to report this error: http://testing.ultimateconquest.net/errorreg.php?account=".$user." Thank you for registering for Ultimate Conquest - ULC, Head Admin Brian Flores AKA Photonic.... "; // Activation Email Information. if (mail($email, "Activate your ULC Ultimate Conquest Account! No-Reply!", $body)) { // If Email Is Sent. die("1"); // Die Error Number 1 } // End Send Email }else{ // If Security Codes do Not Match. die("12"); // Die Error Number 12 } }else{ // If Security Code is Not Set die("11"); // Die Error Number 13 } }else{ // If Planet Name is Not Set. die("10"); // Die Error Number 10. } }else{ // If Emails do not match. die("9"); // Die Error Number 9. } }else{ // If email confirmation is not set. die("8"); // Die Error Number 8. } }else{ // If email is not set. die("7"); // Die Error Number 7. } }else{ // If race is not set. die("6"); // Die Error Number 6. } }else{ // If Password is not set. die("5"); // Die Error Number 5. } }else{ // If Username is not set. die("4"); // Die Error Number 4. } }else{ // If GoAhead is Not Set. die("Go Ahead Not Established By Game System!"); } ?> Ajax/Javascript: function regMast(){ var user = document.getElementById('username_client').value; var pass = document.getElementById('password_client').value; var race = document.getElementById('race').value; var planet_name = document.getElementById('pname').value; var email = document.getElementById('email').value; var email2 = document.getElementById('email2').value; var security_code = document.getElementById('security_code').value; var ajaxRequest; // The variable that makes Ajax possible! try{ // Opera 8.0+, Firefox, Safari ajaxRequest = new XMLHttpRequest(); } catch (e){ // Internet Explorer Browsers try{ ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try{ ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e){ // Something went wrong alert("Your browser broke!"); return false; } } } http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.setRequestHeader("Content-length", params.length); http.setRequestHeader("Connection", "close"); // Create a function that will receive data sent from the server ajaxRequest.onreadystatechange = function(){ if(ajaxRequest.readyState == 4 && http.status == 200){ var returni = ajaxRequest.responseText; if(returni == 1){ document.getElementById('reg_error').innerHTML = 'Registration Completed! Check Activation Email for more information.'; } if(returni == 2){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Email Address Already Taken!'; } if(returni == 3){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Username Already Taken!'; } if(returni == 4){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Username Field Empty!'; } if(returni == 5){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Password Field Empty!'; } if(returni == 6){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! You must select a race!'; } if(returni == 7){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Email Field Empty!'; } if(returni == { document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Email Confirmation Field Empty!'; } if(returni == 9){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Emails did not Match!'; } if(returni == 10){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! Planet Name Field Empty!'; } if(returni == 11){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! You did not Input the Security Code!'; } if(returni == 12){ document.getElementById('reg_error').innerHTML = 'Registration Incomplete! The Security Code you Inputed did not Match the Image!'; }else{ document.getElementById('reg_error').innerHTML = returni; } } } var queryString = "?goahead=1&user=" + user + "&pass=" + pass + "&race=" + race + "&email=" + email + "&email2=" + email2 + "&security_code=" + security_code + "&planet=" + planet_name; ajaxRequest.open("POST", "register.php", true); ajaxRequest.send(queryString); } function register(){ document.getElementById('reg_error').innerHTML = '<img src="images/loading.gif" />'; regMast(); } All it does is displays the loading gif and does not move on.... Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted September 30, 2010 Share Posted September 30, 2010 You're using http as the object in JavaScript, when your object is called ajaxRequest, so you need to change these lines: http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.setRequestHeader("Content-length", params.length); http.setRequestHeader("Connection", "close"); To: ajaxRequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); ajaxRequest.setRequestHeader("Content-length", params.length); ajaxRequest.setRequestHeader("Connection", "close"); Also move these lines: var queryString = "?goahead=1&user=" + user + "&pass=" + pass + "&race=" + race + "&email=" + email + "&email2=" + email2 + "&security_code=" + security_code + "&planet=" + planet_name; ajaxRequest.open("POST", "register.php", true); ajaxRequest.send(queryString); So that they are above the setRequestHeader calls and in the Content-length header change params to queryString. You can also remove the ? from in front of goahead. In your PHP you are using $_GET in a few places still. Quote Link to comment Share on other sites More sharing options...
gizmola Posted September 30, 2010 Share Posted September 30, 2010 I know that post is safer and more secure I just did not know it could be used with ajax.. Ill try changing it over to Post and see if that solves the Problem.. Ill be back posting in this post if it does not fix it. This is one of my pet peeves, but there is nothing more secure about POST. It may be slightly more obscure, but not enough so to make the argument that you added security to your app. Even script kiddies know how to use tools that show you the HTTP headers and let you manipulate them. If you need security, you have to engineer it in somehow. Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted September 30, 2010 Share Posted September 30, 2010 I know that post is safer and more secure I just did not know it could be used with ajax.. Ill try changing it over to Post and see if that solves the Problem.. Ill be back posting in this post if it does not fix it. This is one of my pet peeves, but there is nothing more secure about POST. It may be slightly more obscure, but not enough so to make the argument that you added security to your app. Even script kiddies know how to use tools that show you the HTTP headers and let you manipulate them. If you need security, you have to engineer it in somehow. True, but POST is still the better option in this instance. Quote Link to comment Share on other sites More sharing options...
gizmola Posted September 30, 2010 Share Posted September 30, 2010 If it was a form, I might agree, but in this instance, since ajax is being used, I really don't see that it makes any difference. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.