PHP Form



#1 steelmanronald06

steelmanronald06
  • Staff Alumni
  • Advanced Member
  • 2,004 posts
  • LocationOk

Posted 26 September 2006 - 05:42 PM

I know this is a lot of code, but please bear with me:

<?php
switch($_REQUEST['cmd'])
{
 default:
	echo "<h1>Join LAMPGeekz!</h1>";
	
	?>
		<form name="form1" method="post" action="register.php">
		First Name: <input type="text" name="first_name" value="<?php echo $first_name; ?>" /><br />
		Last Name: <input type="text" name="last_name" value="<?php echo $last_name; ?>" /><br />
		Email: <input type="text" name="email_address" value="<?php echo $email_address; ?>" /><br />
		Username: <input type="text" name="username" value="<?php echo $username; ?>" /><br />
		Password: <input type="text" name="password" value="<?php echo $password; ?>" /><br />
		Confirm Password: <input type="text" name="confirm" value="<?php echo $confirm; ?>" /><br />
		<input type="submit" value="Join Now!" />
		<input type="hidden" name="cmd" value="uregister" />
		</form>
	<?php
	//Show bottom layout
	require_once('../includes/bot.php');
	
	//Break the case
	break;

 //Case that registers the user
 case "uregister":
	
	// Define post fields into simple variables
	$first_name = $_POST['first_name'];
	$last_name = $_POST['last_name'];
	$email_address = $_POST['email_address'];
	$username = $_POST['username'];
	$password = $_POST['password'];
	$confirm = $_POST['confirm'];
	
	/* Let's strip some slashes in case the user entered
	any escaped characters. */
	$first_name = stripslashes($first_name);
	$last_name = stripslashes($last_name);
	$email_address = stripslashes($email_address);
	$username = stripslashes($username);
	$password = stripslashes($password);
	$confirm = stripslashes($confirm);
	
	// Destroy submitted HTML tags
	$first_name = htmlentities($first_name);
	$last_name = htmlentities($last_name);
	$email_address = htmlentities($email_address);
	$username = htmlentities($username);
	$password = htmlentities($password);
	$confirm = htmlentities($confirm);
	
	// Error check the submitted form
	if((!$first_name) || (!$last_name) || (!$email_address) || (!$username) || (!$password) || (!$confirm)){
	    
		echo "You did not complete the entire application.";
		if(!$first_name){
			echo "You did not submit your First Name!<br />";
	    }
		if(!$last_name) {
			echo "You did not submit your Last Name!<br />";
		}
		if(!$email_address) {
			echo "You did not submit your Email Address!<br />";
		}
		if(!$username) {
			echo "You did not submit a Username!<br />";
		}
		if(!$password) {
			echo "You did not submit a Password!<br />";
		}
		if(!$confirm) {
			echo "You did not confirm your Password!<br />";
		}
		
		//Show the bottom layout
		require_once('../includes/bot.php');
		
		//Reload to the form
		header("Location: /users/register.php");
		
		//Exit the script
		exit();
	}
	
	//Ensure that the passwords match
	if($password != $confirm) {
		echo "Your passwords did not match!";
		
		//Show the bottom layout
		require_once('../includes/bot.php');
		
		//Exit the script
		exit();
	}
	
	//Ensure This Email And Username Have Not Been Used
	$sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
	$sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");
	
	//Assign The SQL Results To Simple Variables
	$email_check = mysql_num_rows($sql_email_check);
 	$username_check = mysql_num_rows($sql_username_check);
 	
 	//See if the variables contain any result from the sql query
 	if(($email_check > 0) || ($username_check > 0)) {
		
		echo "The following error occured:<br />";
		
		//See which of the two, if not both, is already in use
		if($email_check > 0) {
			
			echo "The email address, $email_address , is already in our database!<br />";
			
			unset($email_address);
		}
		if($username_check > 0) {
			
			echo "The username, $username , is already in our database!<br />";
			
		}
		echo "Please fix the above errors!";
		
		//Show bottom layout
		require_once('../includes/bot.php');
		
		//Reload to the form
		header("Location:  /users/register.php");
		
		//Exit the script
		exit();
		
	}
	
	//All error checks passed - Create The Account
	
	//md5 their password
	$db_password = md5($password);
	
	//Insert Information Into The Database
	$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, user_level, signup_date, ban)
		VALUES('$first_name', '$last_name', '$email_address', '$username', '$db_password', '1', now(), '0')") or die (mysql_error());
		
	//We want to create them a profile!
	$sql2 = mysql_query("INSERT INTO users_profile (username) VALUES('$username')") or die (mysql_error());
	
	//Quick Error Test On The Query
	if((!$sql) || (!$sql2)) {
		
		echo "There has been an unexpected error. Please contact the administrator!";
		
		//Send Email To Admin
		//Setup Mail Variables
		$mail_date = date('l dS \of F Y h:i:s A');
     	$email_url = $_SERVER['PHP_SELF'];
     	$email_ip = $_SERVER['REMOTE_ADDR'];
     	$to = 'netgeekz@gmail.com';
     	$subject2 = "[LAMPGeekz] Unexpected Error!";
     	$email = "The following page, $email_url , was accessed.
     	IP: $email_ip  
     	Date: $mail_date
     	
     	An error occured where they were not able to successfully execute the page!

     	This is an automated email! DO NOT REPLY!";
     	$from = "noreply@netgeekz.net";

		//Apply the headers
     	$headers1 = "MIME-Version: 1.0\r\n";
     	$headers1 .= "Content-type: text/html; charset=iso-8859-1\r\n";
     	$headers1 .= "To: ".$to."\r\n";
     	$headers1 .= "From: ".$from."\r\n";
     	$headers1 .= "Reply-To: ".$from."\r\n";
     	
     	//Send The Mail
     	mail($to, $subject2, $email, $headers1);
     	
     	//Show bottom layout
     	require_once('../includes/bot.php');
     	
     	//Exit the script
     	exit();
		
	}else{
		
		//Get their userid
		$userid = mysql_insert_id();
		
		//Mail the user
		//Set up some variables
		$subject = "Membership";
		$message = "Dear $first_name $last_name,
		Thank you for registering at our website, http://lampgeekz.netgeekz.net !
	
		You are two steps away from logging in and accessing our exclusive members area.
	
		To activate your membership, please click here: http://lampgeekz.netgeekz.net/users/register.php?cmd=activate&id=$username&code=$db_password
	
		Once you activate your memebership, you will be able to login with the following information:
		Username: $username
		Password: $password
	
		Thanks!
		The Webmaster
	
		This is an automated response, please do not reply!";
		
		//Send the email
		mail($email_address, $subject, $message, "From: Webmaster<noreply@netgeekz.net>\nX-Mailer: PHP/" . phpversion());
		
		echo "Your login information and confirmation link has been sent to the email address you provided. If you do not recieve this email within 24 hours, please contact the webmaster!";
		
		
	}
	
	//Show the bottom layout
	require_once('../includes/bot.php');
	
	//Break the case
	break;

 //Start case activate	
 case "activate":
 
	//Set the variables from the url
	$username = $_REQUEST['id'];
	$code = $_REQUEST['code'];
	
	//Update their information to activated
	$sql = mysql_query("UPDATE users SET activated='1' WHERE username='$username' AND password='$code'") or die (mysql_error());
	
	//Set their Private Message Inbox to activated
	$sql2 = mysql_query("UPDATE users_pm_allow SET activated='1' WHERE username='$username'");
	
	//Ensure Their Account Was Activated
	$sql_doublecheck = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$code' AND activated='1'");
	$doublecheck = mysql_num_rows($sql_doublecheck);
	
	if($doublecheck == 0){
		echo "<strong><font color=red>Your account could not be activated!</font></strong>";
		
		//Include the bottom layout
		require_once('../includes/bot.php');
		
		//Exit the script
		exit();
	} elseif ($doublecheck > 0) {
		echo "<strong>Your account has been activated!</strong> You may now login!<br />";
		
		//Include the bottom layout
		require_once('../includes/bot.php');
		
		//Exit the script
		exit();
	}
	
	//Break the case
	break;

//Closes The Switch
}

?>

Someone is using this form on my site to send out emails to different people about their products. Is there ANY way that this can be stopped?

#2 Daniel0


Posted 26 September 2006 - 06:19 PM

You could make a security option that says that users are allowed to send x mails within x hours.

#3 alpine


Posted 26 September 2006 - 06:26 PM

Is it multiple emails (hijacking) that is the problem??

This is a very simplified function to snap up hijacking; run EVERY variable posted through this before mail():
<?php

function SpamCheck($string)
{
    // A line break (raw or URL-encoded) followed by a mail header name
    // means someone is trying to smuggle extra headers into mail()
    $forbidden = "/(%0A|%0D|\\n+|\\r+)(content-type:|mime-version:|cc:|bcc:)/i";
    if(preg_match($forbidden, $string))
    {
        die("sorry");
    }
    else
    {
        return true;
    }
}

?>

I'm sure someone else may have some thoughts as well, however this works for me as a security barrier - in addition I have spam-reporting sent to myself when a hijack attempt is detected. If you do, just make sure you filter all variables before you decide to email yourself a notice, else the spam notice to yourself will actually end up sending spam emails after all... get my point?
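A hardened recipient check for the mail() call in the first post, added here as an example and not code from either poster. It generalises alpine's SpamCheck: any CR/LF in a value bound for a mail header is rejected (not only a line break followed by a known header name), and the address itself is validated before it becomes the $to argument. The function names and the sample addresses are my own, constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. In the first post the only
// user-controlled value that reaches a mail() header is $email_address
// (the $to argument); the names only reach the body, which cannot carry
// extra headers. So the header-injection check belongs on the recipient.

function isHeaderSafe(string $value): bool
{
    // A header value may never contain a line break. PHP has already
    // URL-decoded POST data, so the raw \r \n check is the one that
    // matters; the %0A/%0D forms are refused too in case a value is
    // ever taken from an undecoded source.
    return preg_match('/[\r\n]|%0[aAdD]/', $value) !== 1;
}

function validRecipient(string $email): ?string
{
    $email = trim($email);
    if (!isHeaderSafe($email)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL refuses embedded whitespace and commas, so a
    // value carrying "Bcc:" lines or a recipient list is rejected here.
    $ok = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $email;
}

function sendMembershipMail(string $email, string $firstName, string $lastName): bool
{
    $to = validRecipient($email);
    if ($to === null) {
        // Log the rejected value for the admin; never echo it back
        // unescaped and never forward it unfiltered in a notice mail.
        error_log('register.php: rejected recipient from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return false;
    }
    $body = "Dear $firstName $lastName,\nThank you for registering.";
    // From/Reply-To are fixed strings, never taken from the request.
    $headers = "From: Webmaster <noreply@example.com>\r\n";
    return mail($to, 'Membership', $body, $headers);
}

// Constructed self-check: a normal address passes, an address with an
// injected Bcc line (the pattern alpine's regex looks for) is refused.
$legit    = 'alice@example.com';
$injected = "alice@example.com\r\nBcc: someone@example.org";
$checksPass = validRecipient($legit) === $legit && validRecipient($injected) === null;
exit($checksPass ? 0 : 1);
```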
