

PHP Form

2 replies to this topic

#1 steelmanronald06

  • Staff Alumni
  • Advanced Member
  • 2,004 posts
  • Location: Ok

Posted 26 September 2006 - 05:42 PM

I know this is a lot of code, but please bear with me:

<?php
// Reconstructed from the posted fragment: the braces, the exit and break
// statements and the switch header are restored as the comments describe.
// Uses the legacy mysql_* extension and assumes a connection is already open;
// the "Show bottom layout" comments stand in for the original include lines.
switch ($_REQUEST['cmd']) {

 //Case that shows the registration form
 default:
	echo "<h1>Join LAMPGeekz!</h1>";
	?>
		<form name="form1" method="post" action="register.php">
		First Name: <input type="text" name="first_name" value="<?php echo $first_name; ?>" /><br />
		Last Name: <input type="text" name="last_name" value="<?php echo $last_name; ?>" /><br />
		Email: <input type="text" name="email_address" value="<?php echo $email_address; ?>" /><br />
		Username: <input type="text" name="username" value="<?php echo $username; ?>" /><br />
		Password: <input type="text" name="password" value="<?php echo $password; ?>" /><br />
		Confirm Password: <input type="text" name="confirm" value="<?php echo $confirm; ?>" /><br />
		<input type="submit" value="Join Now!" />
		<input type="hidden" name="cmd" value="uregister" />
		</form>
	<?php
	//Show bottom layout
	//Break the case
	break;

 //Case that registers the user
 case "uregister":
	// Define post fields into simple variables
	$first_name = $_POST['first_name'];
	$last_name = $_POST['last_name'];
	$email_address = $_POST['email_address'];
	$username = $_POST['username'];
	$password = $_POST['password'];
	$confirm = $_POST['confirm'];
	/* Let's strip some slashes in case the user entered
	any escaped characters. */
	$first_name = stripslashes($first_name);
	$last_name = stripslashes($last_name);
	$email_address = stripslashes($email_address);
	$username = stripslashes($username);
	$password = stripslashes($password);
	$confirm = stripslashes($confirm);
	// Destroy submitted HTML tags
	$first_name = htmlentities($first_name);
	$last_name = htmlentities($last_name);
	$email_address = htmlentities($email_address);
	$username = htmlentities($username);
	$password = htmlentities($password);
	$confirm = htmlentities($confirm);
	// Error check the submitted form
	if((!$first_name) || (!$last_name) || (!$email_address) || (!$username) || (!$password) || (!$confirm)){
		echo "You did not complete the entire application.<br />";
		if(!$first_name) {
			echo "You did not submit your First Name!<br />";
		}
		if(!$last_name) {
			echo "You did not submit your Last Name!<br />";
		}
		if(!$email_address) {
			echo "You did not submit your Email Address!<br />";
		}
		if(!$username) {
			echo "You did not submit a Username!<br />";
		}
		if(!$password) {
			echo "You did not submit a Password!<br />";
		}
		if(!$confirm) {
			echo "You did not confirm your Password!<br />";
		}
		//Show the bottom layout
		//Reload to the form (output has already been echoed above, so this header() call will fail)
		header("Location: /users/register.php");
		//Exit the script
		exit;
	}
	//Ensure that the passwords match
	if($password != $confirm) {
		echo "Your passwords did not match!";
		//Show the bottom layout
		//Exit the script
		exit;
	}
	//Ensure This Email And Username Have Not Been Used
	$sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
	$sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");
	//Assign The SQL Results To Simple Variables
	$email_check = mysql_num_rows($sql_email_check);
	$username_check = mysql_num_rows($sql_username_check);
	//See if the variables contain any result from the sql query
	if(($email_check > 0) || ($username_check > 0)) {
		echo "The following error occurred:<br />";
		//See which of the two, if not both, is already in use
		if($email_check > 0) {
			echo "The email address, $email_address , is already in our database!<br />";
		}
		if($username_check > 0) {
			echo "The username, $username , is already in our database!<br />";
		}
		echo "Please fix the above errors!";
		//Show bottom layout
		//Reload to the form (same headers-already-sent problem as above)
		header("Location: /users/register.php");
		//Exit the script
		exit;
	}
	//All error checks passed - Create The Account
	//md5 their password
	$db_password = md5($password);
	//Insert Information Into The Database
	$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, user_level, signup_date, ban)
		VALUES('$first_name', '$last_name', '$email_address', '$username', '$db_password', '1', now(), '0')") or die (mysql_error());
	//We want to create them a profile!
	$sql2 = mysql_query("INSERT INTO users_profile (username) VALUES('$username')") or die (mysql_error());
	//Quick Error Test On The Query
	if((!$sql) || (!$sql2)) {
		echo "There has been an unexpected error. Please contact the administrator!";
		//Send Email To Admin
		//Setup Mail Variables
		$mail_date = date('l dS \of F Y h:i:s A');
		$email_url = $_SERVER['PHP_SELF'];
		$email_ip = $_SERVER['REMOTE_ADDR'];
		$to = 'netgeekz@gmail.com';
		$subject2 = "[LAMPGeekz] Unexpected Error!";
		$email = "The following page, $email_url , was accessed.
		IP: $email_ip
		Date: $mail_date
		An error occurred where they were not able to successfully execute the page!

		This is an automated email! DO NOT REPLY!";
		$from = "noreply@netgeekz.net";

		//Apply the headers
		$headers1 = "MIME-Version: 1.0\r\n";
		$headers1 .= "Content-type: text/html; charset=iso-8859-1\r\n";
		$headers1 .= "To: ".$to."\r\n";
		$headers1 .= "From: ".$from."\r\n";
		$headers1 .= "Reply-To: ".$from."\r\n";
		//Send The Mail (the posted code passed an undefined $headers here instead of $headers1)
		mail($to, $subject2, $email, $headers1);
		//Show bottom layout
		//Exit the script
		exit;
	} else {
		//Get their userid
		$userid = mysql_insert_id();
		//Mail the user
		//Set up some variables
		$subject = "Membership";
		$message = "Dear $first_name $last_name,
		Thank you for registering at our website, http://lampgeekz.netgeekz.net !
		You are two steps away from logging in and accessing our exclusive members area.
		To activate your membership, please click here: http://lampgeekz.netgeekz.net/users/register.php?cmd=activate&id=$username&code=$db_password
		Once you activate your membership, you will be able to login with the following information:
		Username: $username
		Password: $password
		The Webmaster
		This is an automated response, please do not reply!";
		//Send the email
		mail($email_address, $subject, $message, "From: Webmaster<noreply@netgeekz.net>\nX-Mailer: PHP/" . phpversion());
		echo "Your login information and confirmation link have been sent to the email address you provided. If you do not receive this email within 24 hours, please contact the webmaster!";
	}
	//Show the bottom layout
	//Break the case
	break;

 //Start case activate
 case "activate":
	//Set the variables from the url
	$username = $_REQUEST['id'];
	$code = $_REQUEST['code'];
	//Update their information to activated
	$sql = mysql_query("UPDATE users SET activated='1' WHERE username='$username' AND password='$code'") or die (mysql_error());
	//Set their Private Message Inbox to activated
	$sql2 = mysql_query("UPDATE users_pm_allow SET activated='1' WHERE username='$username'");
	//Ensure Their Account Was Activated
	$sql_doublecheck = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$code' AND activated='1'");
	$doublecheck = mysql_num_rows($sql_doublecheck);
	if($doublecheck == 0){
		echo "<strong><font color=red>Your account could not be activated!</font></strong>";
		//Include the bottom layout
		//Exit the script
		exit;
	} elseif ($doublecheck > 0) {
		echo "<strong>Your account has been activated!</strong> You may now login!<br />";
		//Include the bottom layout
		//Exit the script
		exit;
	}
	//Break the case
	break;

} //Closes The Switch
?>


Someone is using this form on my site to send out emails to different people about their products. Is there ANY way that this can be stopped?

#2 Daniel0

  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 26 September 2006 - 06:19 PM

You could add a security option that says users are allowed to send x mails within x hours.

#3 alpine

  • Members
  • Advanced Member
  • 756 posts
  • Location: Norway

Posted 26 September 2006 - 06:26 PM

Is it multiple emails (hijacking) that is the problem?

This is a very simplified function to snap up hijacking; run EVERY posted variable through this before mail():

function SpamCheck($string)
{
	// Flags a line break (raw or URL-encoded) followed by a header keyword
	$forbidden = "/(%0A|%0D|\\n+|\\r+)(content-type:|mime-version:|cc:|bcc:)/i";
	if(preg_match($forbidden, $string))
		return true;
	return false;
}


I'm sure someone else may have some thoughts as well; however, this works for me as a security barrier. In addition I have a spam report sent to myself when a hijack attempt is detected. If you do the same, just make sure you filter all variables before you decide to email yourself a notice, or else the spam notice to yourself will actually end up sending the spam emails after all... get my point?
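The following is an added example and not code from either poster or from LAMPGeekz. It takes the check alpine describes, hardens it, and applies it to the six register.php fields from the first post before anything is handed to mail(). The point worth seeing in the posted code is that the attacker controls the $to argument ($email_address) and the body ($first_name, $last_name, $username, $password) of the registration mail, and that neither stripslashes() nor htmlentities() removes a carriage return or line feed, so an address followed by "\r\nBcc: ..." turns the registration mail into a relay. The field names are the OP's; the function names, the sample inputs, the IP address and the admin and sender addresses are assumptions made for this example. The same unescaped values also reach the SQL strings (the activation step takes id and code straight from the query string into an UPDATE), which this example does not cover.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from LAMPGeekz. The
// field names are the OP's; function names, sample inputs, the IP and the
// admin/sender addresses are assumptions made for this example.

/**
 * True if $value could smuggle extra headers (Bcc:, Cc:, Content-Type:, ...)
 * into mail(). The line break is the whole attack, so any CR, LF or NUL is
 * rejected, including ones hidden behind one or two layers of URL-encoding.
 * stripslashes() and htmlentities() leave all three characters untouched.
 */
function hasHeaderInjection(string $value): bool
{
    // Decode twice so that %0A and %250A both become a real line feed.
    $decoded = rawurldecode(rawurldecode($value));
    return (bool) preg_match('/[\r\n\0]/', $decoded);
}

/**
 * Validate the posted registration form. Returns a list of error strings;
 * an empty list means every field is safe to pass to mail().
 */
function validateRegistration(array $post): array
{
    $fields = ['first_name', 'last_name', 'email_address',
               'username', 'password', 'confirm'];
    $errors = [];

    foreach ($fields as $name) {
        $value = (string) ($post[$name] ?? '');
        if ($value === '') {
            $errors[] = "Missing field: $name";
            continue;
        }
        // Every posted variable gets the check, not only the address:
        // $first_name, $last_name and $password end up in the mail body too.
        if (hasHeaderInjection($value)) {
            $errors[] = "Header injection attempt in field: $name";
        }
    }

    // The address becomes the $to argument, so it also has to be a single
    // syntactically valid mailbox (no commas, spaces or angle brackets).
    $email = (string) ($post['email_address'] ?? '');
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address';
    }

    if (($post['password'] ?? '') !== ($post['confirm'] ?? '')) {
        $errors[] = 'Passwords do not match';
    }

    return $errors;
}

/**
 * Build the abuse notice for the site owner. Nothing from the request goes
 * into the headers, and the submitted values are placed in the body only
 * after their control characters have been escaped, so the notice itself
 * cannot be turned into a second spam run (alpine's warning).
 */
function buildAbuseNotice(array $post, array $errors, string $ip): array
{
    $body = "Rejected registration from $ip\n\n";
    foreach ($errors as $error) {
        $body .= "- $error\n";
    }
    $body .= "\nSubmitted values (control characters escaped):\n";
    foreach ($post as $name => $value) {
        $body .= "  $name: " . addcslashes((string) $value, "\0..\37\177") . "\n";
    }
    return [
        'to'      => 'webmaster@example.com',          // assumed admin address
        'subject' => '[LAMPGeekz] Rejected registration',
        'body'    => $body,
        'headers' => "From: noreply@example.com\r\n",  // fixed string, never from input
    ];
}

// --- Demonstration on constructed inputs (not real submissions) ---
$clean = [
    'first_name' => 'Ada', 'last_name' => 'Lovelace',
    'email_address' => 'ada@example.com', 'username' => 'ada',
    'password' => 'correct horse', 'confirm' => 'correct horse',
];
$hijacked = $clean;
// The classic payload: a plausible address followed by an injected Bcc: line.
$hijacked['email_address'] = "ada@example.com\r\nBcc: victim1@example.net, victim2@example.net";
// The same trick in another field, URL-encoded to slip past a naive check.
$hijacked['first_name'] = 'Ada%0D%0AContent-Type: text/html';

foreach (['clean' => $clean, 'hijacked' => $hijacked] as $label => $post) {
    $errors = validateRegistration($post);
    if ($errors === []) {
        echo "$label: ok, safe to hand to mail()\n";
        continue;
    }
    echo "$label: rejected (" . implode('; ', $errors) . ")\n";
    $notice = buildAbuseNotice($post, $errors, '203.0.113.7');
    echo $notice['body'];
    // mail($notice['to'], $notice['subject'], $notice['body'], $notice['headers']);
}
```

Rejecting the line break outright is deliberately stricter than matching only a break followed by a known header name: a registration field has no legitimate reason to contain one, and a keyword list misses headers it does not name. Pair this with Daniel0's suggestion of a per-account send limit so that a valid address can still not be used to pump out volume.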
