Register/Login

[Bounty]

Hello everyone,i was trying to make a register/login pages on my own and well i got stuck..and my good friend google couldn't help me :S

 

So well i came to ask proffesionals

 

Okay here is it:

First thing i don't get is about email activation that i wanted to use on my register page...

I got do_reg.php file that looks like this:

<?php

include 'connection.php';

//grab data from form
$name = $_POST['username'];
$pass = $_POST['password'];
$pass_conf = $_POST['pass_conf'];
$email = $_POST['email'];
$ip = $_POST['ip'];

//if else
if($name == false || $pass == false || $pass_conf == false || $email == false){
echo "Please fill in all the required fields.";
};
if($pass != $pass_conf){ 
   echo "Blah..Passwords do not match."; 
}else{
//generate random code
$code = rand(11111111,99999999);
//send email
$subject = "Activate your account";
$headers = "From: [email protected]";
$body = "Hello $name,\n\nYou registered and need to activate your account. Click the link below or paste it into the URL bar of your browser\n\n http://localhot/login/activate.php?code=$code\n\nThanks!";
if (!mail($email,$subject,$body,$headers))
	echo "Error,what a shame!";
	else {
	$sql = mysql_query("INSERT INTO users (username,password,email,code,active,ip)
				VALUES('$name','$pass','$email','$code',0,'$ip')") or die(mysql_error());
	$result = mysql_query($sql);
	echo "Thank you for registering! But your account is not still active :'( Please check your email ($email) for activation code! ";
	}
};
?>

I went through thousands of erros and still couldn't make it work,i am using xampp localhost server for now and maybe that is the reason it wont work even if i tried to activate SMTP and that stuff in php.ini conf file (as my friend google told me)..

So this is one of the errors:

Warning: mail() [function.mail]: SMTP server response: 550 relaying denied in C:\xampp\htdocs\login\do_reg.php on line 25

Error,what a shame!

 

Now the next thing i couldn't understand is where is the error inside this script... (do_login.php)

<?php

include 'connection.php';

$session_username = $_SESSION['username'];

if($_POST['login']) 
{
	//get form data
	$username = $_POST['username'];
	$password = $_POST['password'];
	}
if(!$username||!$password)
		echo "Username and password missing!";
else {
	//login
	$login = mysql_query("SELECT * FROM users WHERE username='$username'");
	}
	if (mysql_query($login)==0)
		echo "No souch user!";
	else 
	{
	while ($login_row = mysql_fetch_assoc($login)) 
	{
	$password_db = $login_row['password'];
	$password = md5($password);

if ($password!=$password_db)
	echo "Incorect password!";
else 
{
//check if active
$active = $login_row['active'];
$email = $login_row['email'];

if ($active==0)
	echo "You haven't activated your account, please check your email ($email) for activation!";
else 
{
	$_SESSION['username']=$username; //assign session
	header("Location: index.php");//refresh
}
}
}
   }
?>

 

Thank you for your spent time and help..

[btherl]

Warning: mail() [function.mail]: SMTP server response: 550 relaying denied in C:\xampp\htdocs\login\do_reg.php on line 25

Error,what a shame!

 

This means you are either not using the right SMTP server, or you are not providing the right credentials to it.  Ask the administrator of the hosting site (or your ISP if hosting at home) what the right SMTP server is.

 

For the login script, do you get an error message?

[Bounty]

Well i'm using xampp localhost server shouldn't i be administrator?

I found a way to activate SMTP on google but it won't stop error :S

 

As for do_login.php i forgot to copy you the error..

Notice: Undefined variable: _SESSION in C:\xampp\htdocs\login\do_login.php on line 5

 

Warning: mysql_query() expects parameter 1 to be string, resource given in C:\xampp\htdocs\login\do_login.php on line 19

No souch user!

[doddsey_65]

dont know about the SMTP thing but as for the login page.

 

You are getting the undefined variable message because you havent included session_start() at the top of the page.

 

The second message is due to this:

 

if (mysql_query($login)==0)

 

try using:

 

if (mysql_num_rows($login)==0)

[Bounty]

Okay second error solved but i don't get what do i have to add to fix first one? :/

[doddsey_65]

i dont know about the first one, to test my validation i add the files to a live server

[Bounty]

Edited do_reg.php and uploaded to test byethost

Still keeps ignoring mail function and jumps to error :"Error,what a shame!" :/

<?php

include 'connection.php';

//grab data from form
$name = $_POST['username'];
$pass = $_POST['password'];
$pass_conf = $_POST['pass_conf'];
$email = $_POST['email'];
$ip = $_POST['ip'];

//if else
if($name == false || $pass == false || $pass_conf == false || $email == false){
echo "Please fill in all the required fields.";
};
if($pass != $pass_conf){ 
   echo "Blah..Passwords do not match."; 
}else{
//generate random code
$code = rand(11111111,99999999);
//send email
$subject = "Activate your account";
$headers = "From: [email protected]";
$body = "Hello $name,\n\nYou registered and need to activate your account. Click the link below or paste it into the URL bar of your browser\n\n http://localhot/login/activate.php?code=$code\n\nThanks!";
if (mail($email,$subject,$body,$headers)) {
	$sql = mysql_query("INSERT INTO users (username,password,email,code,active,ip)
				VALUES('$name','$pass','$email','$code',0,'$ip')") or die(mysql_error());
	$result = mysql_query($sql);
	echo "Thank you for registering! But your account is not still active :'( Please check your email ($email) for activation code! ";
	} else {
	echo "Error,what a shame!";
	}
};
?>

[btherl]

Since you're hosting at home, ask your ISP for the SMTP server settings.  The relevant configuration variables are listed here: http://au2.php.net/manual/en/mail.configuration.php , and you'll need to enter the settings your ISP gave you.

 

I'm not sure if it can use SMTP servers with authentication though .. if you need that you may need to use the Pear Mail package.  But usually an ISP will allow unauthenticated SMTP from their customer ip addresses.

[Bounty]

As i said i copied all files from localhost server to byethost (free hosting) that should do the trick...but it doesn't :S

[btherl]

Since you're using a hosting provider, the first step is to ask them why mail() isn't working.

[Bounty]

Okay i got some info about byethost hosting that are not very cheerful,SMTP can be configured just if you are premium user witch obviously I am not...i'm quiting of that part of the script until i get my premium host and domain...

Anyhow...i commented out all scripts that has anything to do with mail function and system works...

Although i still have some questions...

 

My do_login.php script now looks like this:

<?php

include 'connection.php';
//	$session_username = $_SESSION['username'];
if($_POST['login']) 
{
	//get form data
	$username = $_POST['username'];
	$password = $_POST['password'];
	}
if(!$username||!$password)
		echo "Username and password missing!";
else {
	//login
	$login = mysql_query("SELECT * FROM users WHERE username='$username'");
	}
	if (mysql_num_rows($login)==0)
		echo "No such user!";
	else 
	{
	while ($login_row = mysql_fetch_assoc($login)) 
	{
	$password_db = $login_row['password'];
//$password = md5($password);
if ($password!=$password_db)
	echo "Incorect password!";
else 
{
//check if active
$active = $login_row['active'];
$email = $login_row['email'];

if ($active==0)
	echo "You haven't activated your account, please check your email ($email) for activation!";
else 
{
	$_SESSION['username']=$username; //assign session
//	header("Location: index.php");//refresh
	echo "DONE!";
}
}
}
   }
?>

It didn't worked before because this line:

	$password = md5($password);
if ($password!=$password_db)
	echo "Incorect password!";

Real password and md5 coded password didn't match obviously (thats why i commented that line too)..but why?

Shouldn't md5 coding be for security reasons? If so how could i add it to my script,but the match must be true?...

And should i add md5 coding to register page as well?

[btherl]

Yes, you need to add md5() to your register script.  Otherwise your login script is comparing an md5'd password ($password) to a plain text password ($password_db).

 

The idea is that if someone accesses your database, it will be more difficult for them to recover the password.  If you're serious about this you really should use a salt, otherwise rainbow tables can be used to reverse the md5 for some simple passwords.

[Bounty]

Sorry but i don't rly understand...salt? rainbow tables?

How should i compare plain text password to an md5 one,instead of this:

$password = md5($password);
if ($password!=$password_db)
	echo "Incorect password!";

it failed every time..?

[Bounty]

Anyone?

[btherl]

If your db password is plain text, there's no need to use md5 at all:

 

# $password = md5($password); # Skip this
if ($password != $password_db)

 

Salts and rainbow tables are a topic on their own, I won't try to explain them here.  If you want to find out more about them, you can look for "password salt" in google.  The basic idea is that if you use salts, hackers cannot use a precomputed table of md5 passwords to look up the original password.  Such a table is called a "rainbow table", so you can also look up that in google.

[Bounty]

Okay thank you for your time ill search for salt password...Topic solved