steelmanronald06

PHP Form

I know this is a lot of code, but please bear with me:

[code]
<?php
switch($_REQUEST['cmd'])
{
default:
echo "<h1>Join LAMPGeekz!</h1>";

?>
<form name="form1" method="post" action="register.php">
First Name: <input type="text" name="first_name" id="<?php echo $first_name; ?>" /><br />
Last Name: <input type="text" name="last_name" id="<?php echo $last_name; ?>" /><br />
Email: <input type="text" name="email_address" id="<?php echo $email_address; ?>" /><br />
Username: <input type="text" name="username" id="<?php echo $username; ?>" /><br />
Password: <input type="text" name="password" id="<?php echo $password; ?>" /><br />
Confirm Password: <input type="text" name="confirm" id="<?php echo $confirm; ?>" /><br />
  <input type="submit" value="Join Now!" />
<input type="hidden" name="cmd" value="uregister" />
</td>
  </form>
<?php
//Show bottom layout
require_once('../includes/bot.php');

//Break the case
break;

//Case that registers the user
case "uregister":

// Define post fields into simple variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$username = $_POST['username'];
$password = $_POST['password'];
$confirm = $_POST['confirm'];

/* Let's strip some slashes in case the user entered
any escaped characters. */
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$username = stripslashes($username);
$password = stripslashes($password);
$confirm = stripslashes($confirm);

// Destroy submitted HTML tags
$first_name = htmlentities($first_name);
$last_name = htmlentities($last_name);
$email_address = htmlentities($email_address);
$username = htmlentities($username);
$password = htmlentities($password);
$confirm = htmlentities($confirm);

// Error check the submitted form
if((!$first_name) || (!$last_name) || (!$email_address) || (!$username) || (!$password) || (!$confirm)){
   
echo "You did not complete the entire application.";
if(!$first_name){
echo "You did not submit your First Name!<br />";
    }
    if(!$last_name) {
echo "You did not submit your Last Name!<br />";
}
if(!$email_address) {
echo "You did not submit your Email Address!<br />";
}
if(!$username) {
echo "You did not submit a Username!";
}
if(!$password) {
echo "You did not submit a Password!";
}
if(!$confirm) {
echo "You did not confirm your Password!";
}

//Show the bottom layout
require_once('../includes/bot.php');

//Reload to the form
header("Location: /users/register.php");

//Exit the script
exit();
}

//Ensure that the passwords match
if($password != $confirm) {
echo "Your passwords did not match!";

//Show the bottom layout
require_once('../includes/bot.php');

//Exit the script
exit();
}

//Ensure This Email And Username Have Not Been Used
$sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
$sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");

//Assign The SQL Results To Simple Variables
$email_check = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);

//See if the variables contain any result from the sql query
if(($email_check > 0) || ($username_check > 0)) {

echo "The following error occurred:<br />";

//See which of the two, if not both, is already in use
if($email_check > 0) {

echo "The email address, $email_address , is already in our database!<br />";

unset($email_address);
}
if($username_check > 0) {

echo "The username, $username , is already in our database!<br />";

}
echo "Please fix the above errors!";

//Show bottom layout
require_once('../includes/bot.php');

//Reload to the form
header("Location:  /users/register.php");

//Exit the script
exit();

}

//All error checks passed - Create The Account

//md5 their password
$db_password = md5($password);

//Insert Information Into The Database
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, user_level, signup_date, ban)
VALUES('$first_name', '$last_name', '$email_address', '$username', '$db_password', '1', now(), '0')") or die (mysql_error());

//We want to create them a profile!
$sql2 = mysql_query("INSERT INTO users_profile (username) VALUES('$username')") or die (mysql_error());

//Quick Error Test On The Query
if((!$sql) || (!$sql2)) {

echo "There has been an unexpected error. Please contact the administrator!";

//Send Email To Admin
//Setup Mail Variables
$mail_date = date('l dS \of F Y h:i:s A');
    $email_url = $_SERVER['PHP_SELF'];
    $email_ip = $_SERVER['REMOTE_ADDR'];
    $to = 'netgeekz@gmail.com';
    $subject2 = "[LAMPGeekz] Unexpected Error!";
    $email = "The following page, $email_url , was accessed.
    IP: $email_ip 
    Date: $mail_date
   
    An error occurred where they were not able to successfully execute the page!

    This is an automated email! DO NOT REPLY!";
    $from = "noreply@netgeekz.net";

//Apply the headers
    $headers1 = "MIME-Version: 1.0\r\n";
    $headers1 .= "Content-type: text/html; charset=iso-8859-1\r\n";
    $headers1 .= "To: ".$to."\r\n";
    $headers1 .= "From: ".$from."\r\n";
    $headers1 .= "Reply-To: ".$from."\r\n";
   
    //Send The Mail (the headers were built in $headers1 above)
    mail($to, $subject2, $email, $headers1);
   
    //Show bottom layout
    require_once('../includes/bot.php');
   
    //Exit the script
    exit();

}else{

//Get their userid
$userid = mysql_insert_id();

//Mail the user
//Set up some variables
$subject = "Membership";
$message = "Dear $first_name $last_name,
Thank you for registering at our website, http://lampgeekz.netgeekz.net !

You are two steps away from logging in and accessing our exclusive members area.

To activate your membership, please click here: http://lampgeekz.netgeekz.net/users/register.php?cmd=activate&id=$username&code=$db_password

Once you activate your membership, you will be able to login with the following information:
Username: $username
Password: $password

Thanks!
The Webmaster

This is an automated response, please do not reply!";

//Send the email
mail($email_address, $subject, $message, "From: Webmaster<noreply@netgeekz.net>\nX-Mailer: PHP/" . phpversion());

echo "Your login information and confirmation link have been sent to the email address you provided. If you do not receive this email within 24 hours, please contact the webmaster!";


}

//Show the bottom layout
require_once('../includes/bot.php');

//Break the case
break;

//Start case activate
case "activate":

//Set the variables from the url
$username = $_REQUEST['id'];
$code = $_REQUEST['code'];

//Update their information to activated
$sql = mysql_query("UPDATE users SET activated='1' WHERE username='$username' AND password='$code'") or die (mysql_error());

//Set their Private Message Inbox to activated
$sql2 = mysql_query("UPDATE users_pm_allow SET activated='1' WHERE username='$username'");

//Ensure Their Account Was Activated
$sql_doublecheck = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$code' AND activated='1'");
$doublecheck = mysql_num_rows($sql_doublecheck);

if($doublecheck == 0){
echo "<strong><font color=red>Your account could not be activated!</font></strong>";

//Include the bottom layout
require_once('../includes/bot.php');

//Exit the script
exit();
} elseif ($doublecheck > 0) {
echo "<strong>Your account has been activated!</strong> You may now login!<br />";

//Include the bottom layout
require_once('../includes/bot.php');

//Exit the script
exit();
}

//Break the case
break;

//Closes The Switch
}

?>
[/code]

Someone is using this form on my site to send out emails to different people about their products. Is there ANY way that this can be stopped?

You could add a security option that says that users are allowed to send x mails within x hours.

Is it multiple emails (hijacking) that is the problem?

This is a very simplified function to snap up hijacking; run [u]EVERY[/u] variable posted through this before mail():
[code]
<?php

// Reject a value if a line break (raw, or still URL-encoded) is followed
// by a header name that would turn one message into many. die() stops
// the request outright; otherwise the value is passed as safe.
function SpamCheck($string)
{
    $forbidden = "/(%0A|%0D|\\n+|\\r+)(content-type:|mime-version:|cc:|bcc:)/i";
    if(preg_match($forbidden, $string))
    {
        die("sorry");
    }
    else
    {
        return true;
    }
}

?>
[/code]

I'm sure someone else may have some thoughts as well, however this works for me as a security barrier - in addition I have spam reporting sent to myself when a hijack attempt is detected. If you do, just make sure you filter all variables before you decide to email yourself a notice, else the spam notice to yourself will actually end up sending spam emails after all... get my point?
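Putting the three posts together, here is an added example of how the mail() calls in the registration form can be guarded. This is my own code, not steelmanronald06's form and not the SpamCheck function above; the function names header_value_is_safe, recipient_is_valid, send_registration_mail and rate_limit_check, the placeholder address noreply@example.invalid and the sample inputs are all constructed for the example. It goes a little beyond the SpamCheck regex: instead of looking only for the named header keywords after a line break, it rejects any header-bound value that contains a line break at all, requires the recipient to validate as a single address, fixes the From address server-side, and adds the per-sender limit the first reply suggests.

```php
<?php
// Added example (not from the thread): validate form fields before they
// reach mail(), so the registration form cannot be used as a mail relay.

// Reject any value that could break out of a single mail header line.
// Covers raw CR/LF, their URL-encoded forms and a NUL byte. The original
// form only ran htmlentities(), which leaves line breaks untouched.
// Returns true when the value is safe to place in a header.
function header_value_is_safe($value)
{
    if (!is_string($value)) {
        return false;
    }
    return preg_match('/(\r|\n|%0a|%0d|\0)/i', $value) === 0;
}

// A recipient must be exactly one syntactically valid address;
// FILTER_VALIDATE_EMAIL rejects whitespace, line breaks and "a@b, c@d".
function recipient_is_valid($address)
{
    return header_value_is_safe($address)
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Wrapper around mail(): every header-bound argument is checked first and
// the From address is fixed server-side (assumed placeholder domain), so a
// form field can never add headers. Returns false instead of sending when
// anything looks injected.
function send_registration_mail($to, $subject, $body, $from = 'noreply@example.invalid')
{
    if (!recipient_is_valid($to) || !header_value_is_safe($subject)) {
        return false;
    }
    $headers = "From: Webmaster <" . $from . ">\r\n"
             . "Reply-To: " . $from . "\r\n"
             . "X-Mailer: PHP/" . phpversion();
    return mail($to, $subject, $body, $headers);
}

// "x mails within x hours", as the first reply suggests. Pure helper:
// $log holds the send timestamps for one key (client IP or username);
// returns array(allowed, updated log). Persisting $log (session, DB) is
// up to the caller.
function rate_limit_check(array $log, $max, $window_seconds, $now)
{
    $log = array_values(array_filter($log, function ($t) use ($now, $window_seconds) {
        return $t > $now - $window_seconds;
    }));
    if (count($log) >= $max) {
        return array(false, $log);
    }
    $log[] = $now;
    return array(true, $log);
}

// Constructed sample inputs of the kind a registration form receives.
$samples = array(
    'user@example.com',                                    // accepted
    "user@example.com\r\nBcc: other@example.org",          // rejected: line break
    "user@example.com%0aCc: other@example.org",            // rejected: encoded break
    'user@example.com, another@example.org',               // rejected: two addresses
);
foreach ($samples as $candidate) {
    printf("%-55s %s\n", json_encode($candidate),
           recipient_is_valid($candidate) ? 'accepted' : 'rejected');
}

// Constructed rate-limit walk-through: at most 3 mails per hour per key.
$log = array();
$now = time();
for ($i = 0; $i < 4; $i++) {
    list($allowed, $log) = rate_limit_check($log, 3, 3600, $now + $i);
    printf("send %d: %s\n", $i + 1, $allowed ? 'allowed' : 'limit reached');
}
```

In the form itself, send_registration_mail() would replace the bare mail() call for the member welcome message, with $email_address as $to, and the SpamCheck-style rejection then applies to every field rather than only the ones containing a known header keyword. The admin notification mail has a fixed recipient and body built from server values, so it only needs the same wrapper for consistency.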
