andy_b_1502 Posted January 12, 2012

Hi, I wonder if you could help me find what I'm looking for. I have a problem with bogus users on my site. I created a register page where the details are sent to the database; this is fine, but someone is registering with the username: 1 and password: 1 multiple times. I have about 50 of these now and I would like to know what to actually search for (how to word it) to find out how to stop this. What would be the name of the script? I've looked for "fake username script" and "multiple username/password prevention script"; I'm just not getting it, sorry. If any of you have any ideas I'd like to hear from you, many thanks in advance. If you need any more to go on please ask; once again, thank you.

Link to comment: https://forums.phpfreaks.com/topic/254887-need-help-with-php-mysql-database-maintenance/
hyster Posted January 12, 2012

Are they using the same email address? If so, do a search to see if the email has been registered before; if it has, reject the sign-up. If it's a different email but you're sure it's the same person, you can add their IP to the database and reject further sign-ups from it. If you want to protect against bots, use a captcha system.
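One way to implement both of hyster's checks (reject an e-mail that is already registered, and reject repeat sign-ups from one address) as an added example that is not part of the thread. It assumes the thread's `users` table with an `email` column, a hypothetical `registration_log` table described in the comments, a PDO connection with placeholder credentials, and a limit of three sign-ups per address per hour; all of those are assumptions to adjust for your site.

```php
<?php
// Added example, not from the thread. Assumes the thread's `users` table (with an
// `email` column) plus a hypothetical log table:
//   CREATE TABLE registration_log (
//       ip         VARCHAR(45) NOT NULL,   -- fits IPv4 and IPv6 text form
//       created_at DATETIME    NOT NULL,   -- stored in UTC
//       INDEX (ip, created_at)
//   );
declare(strict_types=1);

const MAX_SIGNUPS_PER_IP = 3;     // assumption: tune to your traffic
const WINDOW_SECONDS     = 3600;  // assumption: one hour

function connect(): PDO
{
    // Placeholder credentials; real ones belong outside the web root.
    return new PDO('mysql:host=localhost;dbname=website;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
    ]);
}

function clientIp(): string
{
    // REMOTE_ADDR is filled in by the web server from the TCP connection, so the
    // client cannot set it. X-Forwarded-For CAN be set by the client; only trust it
    // if a proxy you control overwrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function emailAlreadyRegistered(PDO $pdo, string $email): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    return $stmt->fetchColumn() !== false;
}

function tooManySignupsFromIp(PDO $pdo, string $ip): bool
{
    // Cut-off computed in PHP in UTC so it matches the UTC_TIMESTAMP() used on insert.
    $cutoff = gmdate('Y-m-d H:i:s', time() - WINDOW_SECONDS);
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM registration_log WHERE ip = ? AND created_at > ?');
    $stmt->execute([$ip, $cutoff]);
    return (int) $stmt->fetchColumn() >= MAX_SIGNUPS_PER_IP;
}

function recordSignup(PDO $pdo, string $ip): void
{
    $stmt = $pdo->prepare('INSERT INTO registration_log (ip, created_at) VALUES (?, UTC_TIMESTAMP())');
    $stmt->execute([$ip]);
}

/** Returns a message to show the user, or null if the sign-up may proceed. */
function signupBlockedReason(PDO $pdo, string $email, string $ip): ?string
{
    if (emailAlreadyRegistered($pdo, $email)) {
        return 'That e-mail address is already registered.';
    }
    if (tooManySignupsFromIp($pdo, $ip)) {
        return 'Too many sign-ups from your address; please try again later.';
    }
    return null;
}

// Usage inside the register script, before anything is inserted or mailed:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo   = connect();
    $email = trim((string) ($_POST['email'] ?? ''));
    $ip    = clientIp();

    $reason = signupBlockedReason($pdo, $email, $ip);
    if ($reason !== null) {
        exit(htmlspecialchars($reason, ENT_QUOTES, 'UTF-8'));  // escape on output
    }
    // ... validate the rest of the form and create the user here ...
    recordSignup($pdo, $ip);
}
```

Recording every attempt (not only successful ones) catches a bot that keeps failing validation; the per-address limit is a brake rather than a wall, since one person can use several addresses, which is where hyster's captcha suggestion comes in.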
QuickOldCar Posted January 12, 2012

http://php.net/manual/en/filter.examples.validation.php

I guess you can call it checking/validation/filtering/sanitizing. If there is something you do not want to happen, you should write code to handle it. It could be a type, certain values, no empty fields, whether something is set, and so on. Simple example to stop them registering with a 1:

    if($username == 1 || $password == 1){
        die("That's not allowed");
    }

For emails you can have them email back for verification before becoming active.
Muddy_Funster Posted January 12, 2012

I would also like to suggest that you make sure your input fields are properly escaped as well as sanitised before hitting the database. It's likely that those 1 and 1 fields are being populated by someone trying to hack your user table with a brute-force injection attack. As well as that, I have to assume that you are storing the password as plain text (exactly what they type in the form is what is stored in the table). This is bad if you are: if someone does successfully hack your user table, all the information could be handed over to them on a silver platter. You should look into encrypting passwords stored in the table if you are not doing so already.
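The two points above (values must not be able to alter the SQL, and passwords must not be recoverable from the table) as an added example that is not the thread's own code. It uses a prepared statement, which sends values separately from the SQL text so there is no escaping call to forget, and password_hash()/password_verify() (PHP 5.5 and later, so newer than this thread; md5(), which comes up later in the thread, is a fast unsalted digest and not a password hash). It assumes the thread's `users` table (username, upassword, email), the form field names used in the thread, and placeholder database credentials.

```php
<?php
// Added example, not from the thread. Assumes the thread's `users` table
// (username, upassword, email) and placeholder PDO credentials.
declare(strict_types=1);

/**
 * Validate the form values. Returns a list of error messages (empty if all is well).
 * Validation runs before any database or mail call, so a bogus "1 / 1 / 1"
 * submission is rejected here and never reaches the table.
 */
function validateRegistration(string $username, string $password, string $email): array
{
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username)) {   // assumed username policy
        $errors[] = 'Username must be 3-32 characters of letters, digits, "_", "." or "-".';
    }
    if (strlen($password) < 10) {                                // assumed minimum length
        $errors[] = 'Password must be at least 10 characters.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address.';
    }
    return $errors;
}

function createUser(PDO $pdo, string $username, string $password, string $email): void
{
    // password_hash() picks a random salt and a deliberately slow algorithm
    // (bcrypt for PASSWORD_DEFAULT at the time of writing) and encodes algorithm,
    // cost and salt into the result, so nothing else needs storing. The password is
    // NOT lower-cased: that would shrink the space an attacker has to search.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // The SQL text contains only placeholders; the values travel separately and are
    // never parsed as SQL, so a username like  x' OR '1'='1  is stored literally.
    $stmt = $pdo->prepare('INSERT INTO users (username, upassword, email) VALUES (?, ?, ?)');
    $stmt->execute([$username, $hash, $email]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT upassword FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        // Unknown user: still do one hash comparison so the response time does not
        // reveal which usernames exist. The dummy hash is built once per process.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('constructed-dummy-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, (string) $stored);
}

// Usage inside the register script:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = new PDO('mysql:host=localhost;dbname=website;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['upassword'] ?? '');   // not trimmed: spaces are part of it
    $email    = trim((string) ($_POST['email'] ?? ''));

    $errors = validateRegistration($username, $password, $email);
    if ($errors !== []) {
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>";   // escape on output
        }
        exit;
    }
    createUser($pdo, $username, $password, $email);
    header('Location: /login.php');
    exit;
}
```

Note what is not in this block: the welcome e-mail no longer contains the password, because once it is hashed the server cannot produce it, which is the point; send a link or just the username instead.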
andy_b_1502 Posted January 12, 2012

Thank you all for the quick replies. I have searched "Validate Email Script" and, for the purpose of getting this up and running, decided to use it. Here is the register script I had:

    <?php
    $to = "$_POST[email]";
    $subject = "Welcome!";
    $body = "Welcome to Removalspace.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: '$_POST[username]' \n\n Password: '$_POST[upassword]' \n\n You can now use these to log-in at http://www.website.com. Thank you!";
    $mailheader = "From:'[email protected]'";
    if (mail($to, $subject, $body, $mailheader))
    ?>
    <?PHP
    $user_name = "****";
    $password = "****";
    $database = "*********";
    $server = "**********.com";
    $db_handle = mysql_connect($server, $user_name, $password);
    $db_found = mysql_select_db($database, $db_handle);

    if ($db_found) {
        $SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
        $result = mysql_query($SQL);
        $sql = mysql_query("SELECT * FROM users WHERE Email = $email");
        header( 'Location: http://www.website.com/index.php' );
        exit();
    } else {
        print "Database NOT Found ";
        mysql_close($db_handle);
    }
    ?>

And here's the validate script I intend to use:

    /**
     *
     * PHP validate email
     * http://www.webtoolkit.info/
     *
     **/
    function isValidEmail($email){
        return eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email);
    }

Do you reckon this will do the job, and where does it literally fit into my script? Thank you all again. Muddy, I will look into md5 just as soon as this is done; many thanks for your help.
QuickOldCar Posted January 12, 2012

Use preg_match instead of eregi; eregi is a deprecated function.
http://php.net/manual/en/function.preg-match.php
Muddy_Funster Posted January 12, 2012

    $sql = mysql_query("SELECT * FROM users WHERE Email = $email");

You should NEVER do this! Do not SELECT * from your user table, ESPECIALLY if you don't encrypt any information. If you get hacked you are not only giving out all the login info for a user, you are also giving out user email addresses. If you are storing personal information about anyone then you have a duty of care to protect that information.

Also, I see you are not actually escaping your $email variable before sending it to the database. That's dangerous.
QuickOldCar Posted January 12, 2012

I have to go to work now, but here is a simple example using the filter check with preg_match. The function returns a 0 or a 1, false/true.

    <?php
    $post_email = "[email protected]";
    //$post_email = "1";

    function isValidEmail($email){
        return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
    }

    if(isValidEmail($post_email) == 0){
        die("email is no good");
    } else {
        echo "good email $post_email";
    }
    ?>
andy_b_1502 Posted January 12, 2012

Thanks for your help, but I'm surely doing something wrong, after just testing what you've taught me using:

    <?PHP
    $user_name = "***";
    $password = "***";
    $database = "***";
    $server = "***.com";
    $db_handle = mysql_connect($server, $user_name, $password);
    $db_found = mysql_select_db($database, $db_handle);

    $post_email = "[email protected]";
    //$post_email = "1";

    function isValidEmail($email){
        return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
    }

    if(isValidEmail($post_email) == 0){
        die("email is no good");
    } else {
        echo "good email $post_email";
    }

    if ($db_found) {
        $SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
        $result = mysql_query($SQL);
        $sql = mysql_query("SELECT email FROM users WHERE Email = $email");
        header( 'Location: http://www.***.com/index.php' );
        exit();
    } else {
        print "Database NOT Found ";
        mysql_close($db_handle);
    }
    ?>

It just goes to the "thank you, registered" page. I've just used an email address with two @ symbols and it went through. Please help, as these DOS attacks are messing up my database. Thank you.
QuickOldCar Posted January 13, 2012

Yeah, that was an example of how to use the function, not an exact "paste it in and it would work". You need to use your POST email info with the function, placing your mysql and mail functions within it, only if it passes with a 1. I just got home; I threw this together as best I can from what I think might work.

    <?php
    function isValidEmail($email){
        return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
    }

    $to = $_POST['email'];
    $subject = "Welcome!";
    $body = "Welcome to Removalspace.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: '$_POST['username']' \n\n Password: '$_POST['upassword']' \n\n You can now use these to log-in at http://www.website.com. Thank you!";
    $mailheader = "From:'[email protected]'";

    if(isValidEmail($_POST['email']) == 0){
        die("email is no good");
    } else {
        if (mail($to, $subject, $body, $mailheader)){
            $user_name = "****";
            $password = "****";
            $database = "*********";
            $server = "**********.com";
            $db_handle = mysql_connect($server, $user_name, $password);
            $db_found = mysql_select_db($database, $db_handle);

            //escaped variables before database insert
            $username = mysql_real_escape_string($_POST['username']);
            $upassword = mysql_real_escape_string($_POST['upassword']);//this should be encrypted and not a regular password
            $email = mysql_real_escape_string($_POST['email']);

            if ($db_found) {
                $SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
                $result = mysql_query($SQL);
                $sql = mysql_query("SELECT * FROM users WHERE Email = $email");
                header( 'Location: http://www.website.com/index.php' );
                exit();
            } else {
                print "Database NOT Found ";
            }
        }
    }
    ?>
andy_b_1502 Posted January 14, 2012

Thanks QuickOldCar. I suppose I'd better open a new post really, but do I implement md5 into my code like this:

    $upassword = mysql_real_escape_string($_POST['upassword']),
    $encrypt_password=md5($password);

And that would send the passwords to my database encrypted?
QuickOldCar Posted January 14, 2012

I always like to trim and lower the POST password as well.

    $upassword = md5(strtolower(trim($_POST['upassword'])));
blacknight Posted January 15, 2012

Setting your username and email as unique keys on your user table will stop multiple sign-ups with the same name too.
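blacknight's suggestion carried through as an added example that is not the thread's own code: the two UNIQUE keys added to the table, and an insert that turns the resulting duplicate-key error into a clean message. A "SELECT first, then INSERT" check on its own leaves a window in which two requests arriving together both pass the SELECT and both insert; the constraint closes it. It assumes the thread's `users` table, an open PDO connection `$pdo` set to throw exceptions, and the index names shown.

```php
<?php
// Added example, not from the thread. Assumes the thread's `users` table
// (username, upassword, email) and an open PDO connection $pdo configured with
// PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION. Index names are assumptions.
declare(strict_types=1);

const MYSQL_ER_DUP_ENTRY = 1062;   // MySQL: "Duplicate entry '...' for key '...'"

/**
 * One-off schema change; the same thing as ticking "Unique" on the column's index
 * menu in phpMyAdmin. It fails with error 1062 if duplicate rows already exist,
 * which is why phpMyAdmin refuses on a table that already holds 50 copies of
 * username "1": delete the bogus rows first, for example
 *   DELETE FROM users WHERE username = '1' AND email = '1';
 */
function addUniqueKeys(PDO $pdo): void
{
    $pdo->exec('ALTER TABLE users ADD UNIQUE KEY uq_users_username (username)');
    $pdo->exec('ALTER TABLE users ADD UNIQUE KEY uq_users_email (email)');
}

/**
 * Insert the user. Returns null on success, or a message naming the clash.
 * $passwordHash is whatever your registration code produced, never the raw password.
 */
function insertUser(PDO $pdo, string $username, string $passwordHash, string $email): ?string
{
    $stmt = $pdo->prepare('INSERT INTO users (username, upassword, email) VALUES (?, ?, ?)');
    try {
        $stmt->execute([$username, $passwordHash, $email]);
        return null;
    } catch (PDOException $e) {
        // errorInfo[1] is the driver (MySQL) error number; anything else is re-thrown
        // so a real outage is not reported to the user as "already taken".
        if ((int) ($e->errorInfo[1] ?? 0) !== MYSQL_ER_DUP_ENTRY) {
            throw $e;
        }
        // The message names the violated key, e.g.
        //   Duplicate entry '1' for key 'uq_users_username'   (MySQL 8 prefixes the table name)
        return strpos($e->getMessage(), 'uq_users_email') !== false
            ? 'That e-mail address is already registered.'
            : 'That username is already taken.';
    }
}

// Usage in the register script, after validation and hashing:
//   $msg = insertUser($pdo, $username, $hash, $email);
//   if ($msg !== null) { echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'); exit; }
```

With the keys in place the SELECT-before-INSERT check becomes a convenience for a friendlier message, not the thing the data's integrity depends on.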
andy_b_1502 Posted January 16, 2012

How do I do that, blacknight? Just select primary key for each in phpMyAdmin? Because it's not letting me do this at present. I'd like to be as "attack proof" as possible; I've been attacked multiple times this way since posting my first question. Grrrr!
andy_b_1502 Posted January 16, 2012

QuickOldCar: I have made the changes you have helped with; unfortunately I'm not having much luck with it. I tested it out by using the username: 1 and password: 1 with email: 1. It let me register? It should at that point give an error message and not register me, shouldn't it? Here's what it's looking like now:

    <?php
    function isValidEmail($email){
        return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
    }

    $to = $_POST['email'];
    $subject = "Welcome!";
    $body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: '$_POST['username']' \n\n Password: '$_POST['upassword']' \n\n You can now use these to log-in at http://www.website.com. Thank you!";
    $mailheader = "From:'[email protected]'";

    if(isValidEmail($_POST['email']) == 0){
        die("email is no good");
    } else {
        if (mail($to, $subject, $body, $mailheader)){
            $user_name = "***";
            $password = "***";
            $database = "***";
            $server = "***";
            $db_handle = mysql_connect($server, $user_name, $password);
            $db_found = mysql_select_db($database, $db_handle);

            //escaped variables before database insert
            $username = mysql_real_escape_string($_POST['username']);
            $upassword = md5(strtolower(trim($_POST['upassword'])));//this should be encrypted and not a regular password
            $email = mysql_real_escape_string($_POST['email']);

            if ($db_found) {
                $SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
                $result = mysql_query($SQL);
                $sql = mysql_query("SELECT * FROM users WHERE Email = $email");
                header( 'Location: http://www.***.com' );
                exit();
            } else {
                print "Database NOT Found ";
            }
        }
    }
    ?>
PaulRyan Posted January 16, 2012

This is how I would do it, although I would personally add a LOT more validation checks in there, such as checking that the username, password and e-mail are filled in, as well as that the e-mail address and username have not already been taken.

    <?PHP
    //### MySQL connection details
    $user_name = "***";
    $password = "***";
    $database = "***";
    $server = "***";

    //### Connect to mysql database
    $db_handle = mysql_connect($server, $user_name, $password);
    $db_found = mysql_select_db($database, $db_handle);

    //### Details we're entering into the database
    $email = mysql_real_escape_string(trim($_POST['email']));
    $username = mysql_real_escape_string(trim($_POST['username']));
    $upassword = md5(strtolower(trim($_POST['upassword'])));

    //### E-mail variables
    $subject = 'Welcome!';
    $body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: {$_POST['username']} \n\n Password: {$_POST['upassword']} \n\n You can now use these to log-in at http://www.website.com. Thank you!";
    $headers = "From:'[email protected]'";

    //### Send the e-mail
    $mailSent = mail($email, $subject, $body, $headers);

    //### check to see if a valid email has been entered
    if(!filter_var($email,FILTER_VALIDATE_EMAIL)) {
      $message = 'You have entered an invalid e-mail address';
    } else if(!$mailSent) {
      $message = 'Unable to send the e-mail to the user.';
    } else {
      //### Make our query for inserting a new user (column is `upassword`, as in the OP's table)
      $query = "INSERT INTO `users` (`username`,`upassword`,`email`) VALUE ('{$username}' ,'{$upassword}', '{$email}')";

      //### Perform the query
      $addUser = mysql_query($query);

      //### Make sure the query was performed and the user was added
      if(mysql_affected_rows()) {
        header('Location: http://www.***.com');
        exit;
      } else {
        $message = 'Unable to insert the new user.';
      }
    }

    //### Echo the message if any
    if(isSet($message)) {
      echo $message;
    }
    ?>

Regards, PaulRyan.
QuickOldCar Posted January 16, 2012

You can try what PaulRyan suggested, but I tried this out and it seemed to work. I fixed some errors with it and added a form to test it.

    <?php
    if(isset($_POST['email']) && $_POST['email'] != ""){
        $email = $_POST['email'];
    } else {
        $email = "";
    }
    if(isset($_POST['upassword']) && $_POST['upassword'] != ""){
        $upassword = $_POST['upassword'];
    } else {
        $upassword = "";
    }
    ?>
    <form action="" method="post">
    Name: <input type="text" name="email" value="<?php echo $email;?>" placeholder="Your email"/>
    Password: <input type="text" name="upassword" value="<?php echo $upassword;?>" placeholder="Your password"/>
    <input type="submit" value="Submit" />
    </form>
    <?php
    function isValidEmail($email){
        return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
    }

    if($email != "" || $upassword != ""){
        if(isValidEmail($email) == False){
            die("$email is no good");
        } else {
            $to = $_POST['email'];
            $subject = "Welcome!";
            $body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: " .$_POST['username']. " \n\n Password: " .$_POST['upassword']. " \n\n You can now use these to log-in at http://www.website.com. Thank you!";
            $mailheader = "From:'[email protected]'";

            if (mail($to, $subject, $body, $mailheader)){
                $user_name = "***";
                $password = "***";
                $database = "***";
                $server = "***";
                $db_handle = mysql_connect($server, $user_name, $password);
                $db_found = mysql_select_db($database,$db_handle);

                //escaped variables before database insert
                $username = mysql_real_escape_string($_POST['username']);
                $upassword = md5(strtolower(trim($_POST['upassword'])));//this should be encrypted and not a regular password
                $email = mysql_real_escape_string($_POST['email']);

                if ($db_found) {
                    $SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
                    $result = mysql_query($SQL);
                    $sql = mysql_query("SELECT * FROM users WHERE Email = $email");
                    header('Location: http://www.***.com');
                    exit();
                } else {
                    print "Database NOT Found ";
                }
            }
        }
    } else {
        echo "Please insert an email and password";
    }
    ?>
andy_b_1502 Posted January 16, 2012

Thanks PaulRyan for your suggestion. I'm going with QuickOldCar's way; it works as far as the password being sent to phpMyAdmin in md5, but it lets me register the same username, password and email more than once. Even with the check, what could be causing this to let me save them in the database now? I appreciate all the help so far, guys!

P.S. I'd just like to add: it does, however, work great with the checking for valid email addresses, as tested. Many thanks.
QuickOldCar Posted January 16, 2012

You have to query the user name first and see if it exists; then, if it does not exist, do the mysql insert.
QuickOldCar Posted January 17, 2012

I played around and added what I think you need. For the redirect I have a message with a refresh delay; they lead to register.php (this script's name), or on success login.php, or an index.php with a login. Hope this helps you.

    <?php
    if(isset($_POST['username']) && $_POST['username'] != ""){
        $username = $_POST['username'];
    } else {
        $username = "";
    }
    if(isset($_POST['email']) && $_POST['email'] != ""){
        $email = $_POST['email'];
    } else {
        $email = "";
    }
    if(isset($_POST['upassword']) && $_POST['upassword'] != ""){
        $upassword = $_POST['upassword'];
    } else {
        $upassword = "";
    }

    function isValidEmail($email){
        return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
    }

    if($username != "" || $email != "" || $upassword != ""){
        if(isValidEmail($email) == False){
            header("refresh:5;url=register.php");
            echo "Try again and use a valid email.";
        } else {
            $to = $_POST['email'];
            $subject = "Welcome!";
            $body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: " .$_POST['username']. " \n\n Password: " .$_POST['upassword']. " \n\n You can now use these to log-in at http://www.website.com. Thank you!";
            $mailheader = "From:'[email protected]'";

            if (mail($to, $subject, $body, $mailheader)){
                $user_name = "***";
                $password = "***";
                $database = "***";
                $server = "***";
                $db_handle = mysql_connect($server, $user_name, $password);
                $db_found = mysql_select_db($database,$db_handle);

                //escaped variables before database insert
                $username = mysql_real_escape_string($_POST['username']);
                $upassword = md5(strtolower(trim($_POST['upassword'])));//this should be encrypted and not a regular password
                $email = mysql_real_escape_string($_POST['email']);

                if ($db_found) {
                    $query = mysql_query("SELECT username FROM users WHERE username='".$username."'");
                    $check = mysql_num_rows($query_add);
                    if($check <= 0) {
                        $SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
                        $result = mysql_query($SQL);
                        //$sql = mysql_query("SELECT * FROM users WHERE Email = $email");//this query is never used to display any results
                        header( "refresh:5;url=login.php" );//or index.php with a login
                        echo "You are now registered, redirecting to login in about 5 secs. If not, click <a href='login.php'>here</a>.";
                        exit();
                    } else {
                        echo "User name is taken, try a different one. <br />";
                    }
                } else {
                    print "Database NOT Found ";
                }
            }
        }
    } else {
        echo "Please insert a user name, email and password";
    }
    ?>
    <br />
    <form action="" method="post">
    Name: <input type="text" name="username" value="<?php echo $username;?>" placeholder="Your user name"/>
    Password: <input type="text" name="upassword" value="<?php echo $upassword;?>" placeholder="Your password"/>
    Email: <input type="text" name="email" value="<?php echo $email;?>" placeholder="Your email"/>
    <input type="submit" value="Submit" />
    </form>
QuickOldCar Posted January 17, 2012

Sorry, I had an error in the naming of my query. You can probably move the mail function lower, under the if($check), as well; work out your end bracket and message.

    <?php
    if(isset($_POST['username']) && $_POST['username'] != ""){
        $username = $_POST['username'];
    } else {
        $username = "";
    }
    if(isset($_POST['email']) && $_POST['email'] != ""){
        $email = $_POST['email'];
    } else {
        $email = "";
    }
    if(isset($_POST['upassword']) && $_POST['upassword'] != ""){
        $upassword = $_POST['upassword'];
    } else {
        $upassword = "";
    }

    function isValidEmail($email){
        return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
    }

    if($username != "" || $email != "" || $upassword != ""){
        if(isValidEmail($email) == False){
            header("refresh:5;url=register.php");
            echo "Try again and use a valid email.";
        } else {
            $to = $_POST['email'];
            $subject = "Welcome!";
            $body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: " .$_POST['username']. " \n\n Password: " .$_POST['upassword']. " \n\n You can now use these to log-in at http://www.website.com. Thank you!";
            $mailheader = "From:'[email protected]'";

            if (mail($to, $subject, $body, $mailheader)){
                $user_name = "***";
                $password = "***";
                $database = "***";
                $server = "***";
                $db_handle = mysql_connect($server, $user_name, $password);
                $db_found = mysql_select_db($database,$db_handle);

                //escaped variables before database insert
                $username = mysql_real_escape_string($_POST['username']);
                $upassword = md5(strtolower(trim($_POST['upassword'])));//this should be encrypted and not a regular password
                $email = mysql_real_escape_string($_POST['email']);

                if ($db_found) {
                    $query = mysql_query("SELECT username FROM users WHERE username='".$username."'");
                    $check = mysql_num_rows($query);
                    if($check <= 0) {
                        $SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
                        $result = mysql_query($SQL);
                        //$sql = mysql_query("SELECT * FROM users WHERE Email = $email");//this query is never used to display any results
                        header( "refresh:5;url=login.php" );//or index.php with a login
                        echo "You are now registered, redirecting to login in about 5 secs. If not, click <a href='login.php'>here</a>.";
                        exit();
                    } else {
                        echo "User name is taken, try a different one. <br />";
                    }
                } else {
                    print "Database NOT Found ";
                }
            }
        }
    } else {
        echo "Please insert a user name, email and password";
    }
    ?>
    <br />
    <form action="" method="post">
    Name: <input type="text" name="username" value="<?php echo $username;?>" placeholder="Your user name"/>
    Password: <input type="text" name="upassword" value="<?php echo $upassword;?>" placeholder="Your password"/>
    Email: <input type="text" name="email" value="<?php echo $email;?>" placeholder="Your email"/>
    <input type="submit" value="Submit" />
    </form>
PaulRyan Posted January 17, 2012

QuickOldCar has the right idea, but the wrong execution (I think so, anyway); my method is a lot cleaner.

Firstly, you shouldn't really rely on REGEX for emails; use PHP's built-in FILTERS for it.

Don't display passwords in plain text within the form.

When displaying posted data, you must sanitize it before outputting it to prevent XSS.

Do not strtolower() passwords; make them case sensitive. What happens if I knew your password was "ilovepoopinabasket"? If you lower it, I just have to type that in; if you have capitals all over the place like "ILoVePoOpInAbAsKeT", that is 1000% harder to guess and type correctly. Not to mention websites should block logins after so many failed attempts.

All validation should be done at once, before any other code is processed.

This is a full-blown similar example of how I would do it. It's untested, but it will get you on the right track.

    <?PHP
    //### If the page is requested by POST, a form was submitted
    if($_SERVER['REQUEST_METHOD'] == 'POST') {

      //### MySQL connection details (named so they are not overwritten by the form values below)
      $db_user  = "***";
      $db_pass  = "***";
      $database = "***";
      $hostname = "***";

      //### Connect to the database
      $db_handle = mysql_connect($hostname, $db_user, $db_pass);

      //### Check if we connected to MySQL
      if(!$db_handle) {
        echo 'Unable to connect to MySQL, check your connection details.';
        exit;
      }

      //### Select the database we want to use
      $db_found = mysql_select_db($database,$db_handle);

      //### Make sure the database is selected
      if(!$db_found) {
        echo 'MySQL connected, but the database was not found.';
        exit;
      }

      //### Assign and sanitize incoming form data (field names match the form below)
      $username = mysql_real_escape_string(trim($_POST['username']));
      $password = mysql_real_escape_string(trim($_POST['upassword']));
      $email    = mysql_real_escape_string(trim($_POST['email']));

      //### Form data validation
      if(!$username) {
        $error = 'Please enter your desired username.';
      } else if(!$password) {
        $error = 'Please enter a password.';
      } else if(!$email) {
        $error = 'Please enter your e-mail address.';
      } else if(!filter_var($email,FILTER_VALIDATE_EMAIL)) {
        $error = 'You have entered an invalid e-mail address';
      } else {
        //### Now check if the username has been used
        $checkUsername = mysql_query("SELECT `username` FROM `users` WHERE `username` = '{$username}'");

        //### If the username exists, tell the user to choose another
        if(mysql_num_rows($checkUsername)) {
          $error = 'The username entered is already taken, please enter another.';
        } else {
          //### Now check if the e-mail address has been used
          $checkEmail = mysql_query("SELECT `email` FROM `users` WHERE `email` = '{$email}'");

          //### If the e-mail address exists, tell the user to choose another
          if(mysql_num_rows($checkEmail)) {
            $error = 'The e-mail address entered is already taken, please enter another.';
          } else {
            //### E-mail variables
            $subject = "Welcome!";
            $body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: " .$_POST['username']. " \n\n Password: " .$_POST['upassword']. " \n\n You can now use these to log-in at http://www.website.com. Thank you!";
            $headers = "From:'[email protected]'";

            //### Send the e-mail
            $mailSent = mail($email, $subject, $body, $headers);

            //### If the e-mail didn't send, inform the user
            if(!$mailSent) {
              $error = 'We were unable to send the e-mail, please try again.';
            } else {
              //### Hash the raw password for database entry (not the escaped copy, which
              //### would alter any password containing a quote or backslash)
              $hashedPassword = md5(trim($_POST['upassword']));

              //### Query to add the new user
              $addUser = mysql_query("INSERT INTO `users` (`username`,`upassword`,`email`) VALUES ('{$username}','{$hashedPassword}','{$email}')");

              //### If the new user was not added, inform the user
              if(!mysql_affected_rows()) {
                $error = 'We were unable to save your account, please try again.';
              } else {
                //### Account was added, redirect to login or whatever you want to do here
              }
            } // End of email sending check
          } // End of e-mail address check
        } // End of username check
      } // End of validation check
    } // End if POST check
    ?>

    <form action="" method="post">
    <?PHP
      //### If the form has an error, display it.
      if(isSet($error)) {
        echo $error.' <br>';
      }
    ?>
    Name: <input type="text" name="username" value="<?PHP if(isSet($_POST['username'])) { echo htmlentities(trim($_POST['username']), ENT_QUOTES); } ?>" placeholder="Your user name"/>
    Password: <input type="password" name="upassword" value="" placeholder="Your password"/>
    Email: <input type="text" name="email" value="<?PHP if(isSet($_POST['email'])) { echo htmlentities(trim($_POST['email']), ENT_QUOTES); } ?>" placeholder="Your email"/>
    <input type="submit" value="Submit" />
    </form>

Regards, PaulRyan.
andy_b_1502 Posted January 18, 2012

Thanks Paul, I like the cleanliness. So what you've added is a little more security with the case sensitivity? I've been looking at salt; does this further secure the passwords with md5? Thanks.