Need help with php mysql database - maintenance?

[andy_b_1502]

Hi,

 

I wonder if you could help me try to find what i'm looking for, i have a problem with bogus users on my site.

 

I created a register page where the details are sent to the database, this is fine but someone is registering with the username: 1 and password: 1 multiple times.

I have about 50 of these now and i would like to know what to actually search for (how to word it) to find out how to stop this?

 

What would be the name of the script? i've looked for fake username script, multiple username/password prevention script, i'm just not getting it, sorry.

 

If any of you have any ideas i'd like to hear from you, many thanks in advance for that.

 

If you need anymore to go on please ask, once again thank you.

[hyster]

are they using the same email address? if so do a search to see if the email has been reg before. if it has reject the sign up.

if its a diffrent email but ur sure its the same person u can add there ip to the database and reject if multiple sign ups from that.

if u want to protect against bits then use a captcha system.

[QuickOldCar]

http://php.net/manual/en/filter.examples.validation.php

 

I guess you can call it checking/validation/filtering/sanitizing

 

If there is something you do not want to happen, should write a code to handle it.

Could be a type, certain values, no empty fields, if something is set, so on.

 

Simple example to stop them registering with a 1

if($username == 1 || $password == 1){
die("That's not allowed");
}

 

For emails you can have them email back for verification before becoming active.

[Muddy_Funster]

I would also like to suggest that you make sure that your input fields are properly escaped as well as sanitised before hitting the database.  It's likely that those 1 and 1 fields are being populated by someone trying to hack your user table with a brute force injection attack.  As well as that, I have to assume that you are storing the password as plain text (exactly what they type in the form is what is stored in the table).  This is bad if you are, if someone does successfully hack your user table all the information could be handed over to them on a silver platter.  You should look into encrypting passwords stored in the table if you are not doing so already.

[andy_b_1502]

Thank you all for quick replies.

 

I have searched "Validate Email Script" and for the purpose of getting this up and running decided to use it.

 

Here is my register script i had:

 

<?php
$to = "$_POST[email]";
$subject = "Welcome!";
$body = "Welcome to Removalspace.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: '$_POST[username]' \n\n Password: '$_POST[upassword]' \n\n You can now use these to log-in at http://www.website.com. Thank you!";
$mailheader = "From:'mail@website.com'";
if (mail($to, $subject, $body, $mailheader))
?>
<?PHP

$user_name = "****";
$password = "****";
$database = "*********";
$server = "**********.com";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {

$SQL = "INSERT INTO users (username, upassword, email) 
VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
$result = mysql_query($SQL);

$sql = mysql_query("SELECT * FROM users WHERE Email = $email");


header( 'Location: http://www.website.com/index.php' );  exit();
}
else {
print "Database NOT Found ";
mysql_close($db_handle);
}
?>

 

And heres the validate script i intend to use:

 

/**
*
*  PHP validate email
*  http://www.webtoolkit.info/
*
**/

function isValidEmail($email){
return eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email);
}

 

Do you reckon this will do the job and where does it litterally fit into my script? thank you all again, muddy. i will look into md5 just as soon as this is done, many thanks for your help.

[QuickOldCar]

Use preg_match versus eregi, eregi is a deprecated function.

 

http://php.net/manual/en/function.preg-match.php

[Muddy_Funster]

 

$sql = mysql_query("SELECT * FROM users WHERE Email = $email");

 

You should NEVER do this!  Do not SELECT * from your user table ESPECIALY if you don't encrypt any information.  If you get hacked you are not only giving out all the login info for a user, you are also giving out user email addresses.  If you are storing personal informaton about anyone then you have a duty of care to protect that information.  Also, I see you are not actualy escaping your $email variable before sending it to the dtatabase.  That's dangerous.

[QuickOldCar]

I have to go work now, but here is a simple example using the filter check and using preg_match.

 

The function returns a 0 or a 1, false/true

<?php
$post_email = "somename@mail.com";
//$post_email = "1";

function isValidEmail($email){
return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
}

if(isValidEmail($post_email) == 0){
die("email is no good");
} else {
echo "good email $post_email";
}
?>

[andy_b_1502]

Thanks for you help but i'm surely doing something wrong after just testing what you've learnt me using::

 

<?PHP

$user_name = "***";
$password = "***";
$database = "***";
$server = "***.com";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);

$post_email = "somename@mail.com";//$post_email = "1";function isValidEmail($email){	return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);}if(isValidEmail($post_email) == 0){die("email is no good");} else {echo "good email $post_email";}

if ($db_found) {

$SQL = "INSERT INTO users (username, upassword, email) 
VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
$result = mysql_query($SQL);

$sql = mysql_query("SELECT email FROM users WHERE Email = $email");


header( 'Location: http://www.***.com/index.php' );  exit();
}
else {
print "Database NOT Found ";
mysql_close($db_handle)";
}
?>

 

It just goes to the thank you registered page, ive just used an email address with 2 symbols and it went through @@

 

Please help as these DOS attacks are messing up my database. Thank you.

[QuickOldCar]

Yeah, that was an example of how to use the function, not an exact paste it in and would work.

 

Need to use your POST email info and use that with the function, placing your mysql and mail functions within it..only if it passes with a 1.

 

I just got home, I threw this together as best from what I think might work.

 

<?php

function isValidEmail($email){
return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
}
$to = $_POST['email'];
$subject = "Welcome!";
$body = "Welcome to Removalspace.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: '$_POST['username']' \n\n Password: '$_POST['upassword']' \n\n You can now use these to log-in at http://www.website.com. Thank you!";
$mailheader = "From:'mail@website.com'";

if(isValidEmail($_POST['email']) == 0){
die("email is no good");
} else {

if (mail($to, $subject, $body, $mailheader)){

$user_name = "****";
$password = "****";
$database = "*********";
$server = "**********.com";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);

//escaped variables before database insert
$username = mysql_real_escape_string($_POST['username']);
$upassword = mysql_real_escape_string($_POST['upassword']);//this should be encrypted and not a regular password
$email = mysql_real_escape_string($_POST['email']);

if ($db_found) {

$SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
$result = mysql_query($SQL);

$sql = mysql_query("SELECT * FROM users WHERE Email = $email");


header( 'Location: http://www.website.com/index.php' );
exit();
} else {
print "Database NOT Found ";
}

}
?>

[andy_b_1502]

Thanks Quickoldcar, i suppose i'd better open a new post really but do i implement md5 into my code like this:

 

$upassword = mysql_real_escape_string($_POST['upassword']), $encrypt_password=md5($password);

 

And that would send the passwords to my database encrypted?

[QuickOldCar]

I always like to trim and lower the POST password as well.

 

$upassword = md5(strtolower(trim($_POST['upassword'])));

 

 

[blacknight]

setting your username and email as keys on your user table will stop multiple samenames signing up too

[andy_b_1502]

How do i do that blacknight? just select primary key for each in PHP myadmin? because it's not letting me do this at present??

 

i'd like to be as "attack proof" as possible, i've been attacked multiple times this way since posting my first question. grrrr!

[andy_b_1502]

Quickoldcar: i have made the changes you have helped with, unfortunatley i'm not having much luck with it. I tested it out by using the username: 1 and password: 1 with email: 1.

 

It let me register?

 

It should at that point give an error message and not register me shouldn't it?

 

Here's what it's looking like now:

 

<?php

function isValidEmail($email){ 
return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", 
$email); } 
$to = $_POST['email']; 
$subject = "Welcome!"; 
$body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: '$_POST['username']' \n\n Password: '$_POST['upassword']' \n\n You can now use these to log-in at http://www.website.com. Thank you!"; 
$mailheader = "From:'mail@website.com'";if(isValidEmail($_POST['email']) == 0){die("email is no good");} else {  if (mail($to, $subject, $body, $mailheader)){$user_name = "***";
$password = "***";$database = "***";
$server = "***";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, 
$db_handle);//escaped variables before database insert
$username = mysql_real_escape_string($_POST['username']);
$upassword = md5(strtolower(trim($_POST['upassword'])));//this should be encrypted and not a regular password
$email = mysql_real_escape_string($_POST['email']);if ($db_found) {$SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
$result = mysql_query($SQL);
$sql = mysql_query("SELECT * FROM users WHERE Email = $email");header( 'Location: http://www.***.com);exit();} else {print "Database NOT Found ";}}

?>

 

[PaulRyan]

This is how I would do it, although I would personally add a LOT more validation checks in there.

 

Such as checking the username, password and e-mail are filled.

As well as the e-mail address and username have not already been taken.

 

<?PHP

  //### MySQL connection details
  $user_name = "***";
  $password  = "***";
  $database  = "***";
  $server    = "***";

  //### Connect to mysql database
  $db_handle = mysql_connect($server, $user_name, $password);
  $db_found  = mysql_select_db($database, $db_handle);

  //### Details we're entering into the database
  $email     = mysql_real_escape_string(trim($_POST['email']));
  $username  = mysql_real_escape_string(trim($_POST['username']));
  $upassword = md5(strtolower(trim($_POST['upassword'])));

  //### E-mail variables
  $subject = 'Welcome!';
  $body    = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: {$_POST['username']} \n\n Password: {$_POST['upassword']} \n\n You can now use these to log-in at http://www.website.com. Thank you!"; 
  $headers = "From:'mail@website.com'";

  //### Send the e-mail
  $mailSent = mail($email, $subject, $body, $headers);

  //### check to see if a valid email has been entered
  if(!filter_var($email,FILTER_VALIDATE_EMAIL)) {
    $message = 'You have entered an invalid e-mail address';
  } else if(!$mailSent) {
    $message = 'Unable to send the e-mail to the user.';
  } else {

    //### Make our query for inserting a new user
    $query = "INSERT INTO `users` (`username`,`password`,`email`) VALUE ('{$username}' ,'{$upassword}', '{$email}')";

    //### Perform the query
    $addUser = mysql_query($query);

    //### Make sure the query was performed and the user was added
    if(mysql_affected_rows()) {
      header('Location: http://www.***.com');
      exit;
    } else {
      $message = 'Unable to insert the new user.';
    }

  }

  //### Echo the message if any
  if(isSet($message)) {
    echo $message;
  }

?>

 

Regards, PaulRyan.

[QuickOldCar]

You can try what paulryan suggested, but I tried this out and seemed to work, I fixed some errors with it, and added a form to test it.

 

<?php
if(isset($_POST['email']) && $_POST['email'] != ""){
$email = $_POST['email'];
} else {
$email = "";
}

if(isset($_POST['upassword']) && $_POST['upassword'] != ""){
$upassword = $_POST['upassword'];
} else {
$upassword = "";
}
?>

<form action="" method="post">
Name: <input type="text" name="email" value="<?php echo $email;?>" placeholder="Your email"/>
Password: <input type="text" name="upassword" value="<?php echo $upassword;?>" placeholder="Your password"/>
<input type="submit" value="Submit" />
</form> 



<?php
function isValidEmail($email){
return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
}

if($email != "" || $upassword != ""){

if(isValidEmail($email) == False){
die("$email is no good");
} else {
$to = $_POST['email']; 
$subject = "Welcome!"; 
$body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: " .$_POST['username']. " \n\n Password: " .$_POST['upassword']. " \n\n You can now use these to log-in at http://www.website.com. Thank you!"; 
$mailheader = "From:'mail@website.com'";

  if (mail($to, $subject, $body, $mailheader)){
$user_name = "***";
$password = "***";$database = "***";
$server = "***";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database,$db_handle);//escaped variables before database insert
$username = mysql_real_escape_string($_POST['username']);
$upassword = md5(strtolower(trim($_POST['upassword'])));//this should be encrypted and not a regular password
$email = mysql_real_escape_string($_POST['email']);
if ($db_found) {
$SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
$result = mysql_query($SQL);
$sql = mysql_query("SELECT * FROM users WHERE Email = $email");
header('Location: http://www.***.com');
exit();
} else {
print "Database NOT Found ";
}
}
}

} else {
echo "Please insert an email and password";
}
?>

[andy_b_1502]

Thanks PaulRyan for your suggestion. Im going with quickoldcar's way, it works as far as the password is being sent to PHPmyadmin in md5 but it let's me register the same username, password and email more than once. Even with the check, what could be causing this to let me save them in the database now?

 

I appreciate all the help so far guys!

 

ps.

 

just like to add; it does however work great with the checking for valid email addresses as tested. many thanks.

[QuickOldCar]

You have to query the user name first and see if it exists first, then if does not exist, do the mysql insert.

[QuickOldCar]

I played around and added what I think you need.

 

For the redirect I have a message with a refresh delay, they lead to register.php(this script name), or if success login.php, or an index.php with a login.

 

Hope this helps you.

<?php
if(isset($_POST['username']) && $_POST['username'] != ""){
$username = $_POST['username'];
} else {
$username = "";
}

if(isset($_POST['email']) && $_POST['email'] != ""){
$email = $_POST['email'];
} else {
$email = "";
}

if(isset($_POST['upassword']) && $_POST['upassword'] != ""){
$upassword = $_POST['upassword'];
} else {
$upassword = "";
}


function isValidEmail($email){
return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
}

if($username != "" || $email != "" || $upassword != ""){

if(isValidEmail($email) == False){
header("refresh:5;url=register.php");
echo "Try again and use a valid email.";
} else {
$to = $_POST['email']; 
$subject = "Welcome!"; 
$body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: " .$_POST['username']. " \n\n Password: " .$_POST['upassword']. " \n\n You can now use these to log-in at http://www.website.com. Thank you!"; 
$mailheader = "From:'mail@website.com'";

  if (mail($to, $subject, $body, $mailheader)){
$user_name = "***";
$password = "***";$database = "***";
$server = "***";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database,$db_handle);//escaped variables before database insert
$username = mysql_real_escape_string($_POST['username']);
$upassword = md5(strtolower(trim($_POST['upassword'])));//this should be encrypted and not a regular password
$email = mysql_real_escape_string($_POST['email']);
if ($db_found) {
$query = mysql_query("SELECT username FROM users WHERE username='".$username."'");
$check = mysql_num_rows($query_add);

if($check <= 0) {
$SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
$result = mysql_query($SQL);
//$sql = mysql_query("SELECT * FROM users WHERE Email = $email");//this query is never used to display any results
header( "refresh:5;url=login.php" );//or index.php with a login
echo "You are now registered, redirecting to login in about 5 secs. If not, click <a href='login.php'>here</a>.";
exit();
} else {
echo "User name is taken, try a different one. <br />";
}

} else {
print "Database NOT Found ";
}
}
}

} else {
echo "Please insert a user name, email and password";
}
?>

<br />
<form action="" method="post">
Name: <input type="text" name="username" value="<?php echo $username;?>" placeholder="Your user name"/>
Password: <input type="text" name="upassword" value="<?php echo $upassword;?>" placeholder="Your password"/>
Email: <input type="text" name="email" value="<?php echo $email;?>" placeholder="Your email"/>
<input type="submit" value="Submit" />
</form>

[QuickOldCar]

Sorry I had an error in the naming of my query.

 

You can prob move the mail function lower under the if($check) as well, work out your end bracket and message.

<?php
if(isset($_POST['username']) && $_POST['username'] != ""){
$username = $_POST['username'];
} else {
$username = "";
}

if(isset($_POST['email']) && $_POST['email'] != ""){
$email = $_POST['email'];
} else {
$email = "";
}

if(isset($_POST['upassword']) && $_POST['upassword'] != ""){
$upassword = $_POST['upassword'];
} else {
$upassword = "";
}


function isValidEmail($email){
return preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $email);
}

if($username != "" || $email != "" || $upassword != ""){

if(isValidEmail($email) == False){
header("refresh:5;url=register.php");
echo "Try again and use a valid email.";
} else {
$to = $_POST['email']; 
$subject = "Welcome!"; 
$body = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: " .$_POST['username']. " \n\n Password: " .$_POST['upassword']. " \n\n You can now use these to log-in at http://www.website.com. Thank you!"; 
$mailheader = "From:'mail@website.com'";

  if (mail($to, $subject, $body, $mailheader)){
$user_name = "***";
$password = "***";$database = "***";
$server = "***";
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database,$db_handle);//escaped variables before database insert
$username = mysql_real_escape_string($_POST['username']);
$upassword = md5(strtolower(trim($_POST['upassword'])));//this should be encrypted and not a regular password
$email = mysql_real_escape_string($_POST['email']);
if ($db_found) {
$query = mysql_query("SELECT username FROM users WHERE username='".$username."'");
$check = mysql_num_rows($query);

if($check <= 0) {
$SQL = "INSERT INTO users (username, upassword, email) VALUES ('" .$username. "', '" .$upassword. "', '" .$email. "')";
$result = mysql_query($SQL);
//$sql = mysql_query("SELECT * FROM users WHERE Email = $email");//this query is never used to display any results
header( "refresh:5;url=login.php" );//or index.php with a login
echo "You are now registered, redirecting to login in about 5 secs. If not, click <a href='login.php'>here</a>.";
exit();
} else {
echo "User name is taken, try a different one. <br />";
}

} else {
print "Database NOT Found ";
}
}
}

} else {
echo "Please insert a user name, email and password";
}
?>

<br />
<form action="" method="post">
Name: <input type="text" name="username" value="<?php echo $username;?>" placeholder="Your user name"/>
Password: <input type="text" name="upassword" value="<?php echo $upassword;?>" placeholder="Your password"/>
Email: <input type="text" name="email" value="<?php echo $email;?>" placeholder="Your email"/>
<input type="submit" value="Submit" />
</form>

[PaulRyan]

QuickOldCar has the right idea, but the wrong execution (I think so anyways) my method is alot cleaner.

 

Firstly, you shouldn't really rely on REGEX for emails, use PHP's built in FILTERS for it.

 

Don't display passwords in plain text within the form.

When displaying posted data, you must santize it before out putting it to prevent XSS.

 

Do not strtolower() password, make them case sensitive...

What happens if I knew your password was "ilovepoopinabasket", if you lower it, I just have to type that in, if you have capitals all over the place like "ILoVePoOpInAbAsKeT" that is 1000% harder to guess and type correctly, not to mention websites should block logins after so many failed attempts.

 

All validation should be done at once, before any other code is processed.

 

This is a full blown similar example of how I would do it, it's untested but it will get you on the right track.

 

<?PHP

  //### If the page is requested by POST, a form was submitted 
  if($_SERVER['REQUEST_METHOD'] == 'POST') {

    //### MySQL connection details
    $username = "***";
    $password = "***";
    $database = "***";
    $hostname = "***";

    //### Connect to the database
    $db_handle = mysql_connect($hostname, $user_name, $password);

    //### Check if we connected to MySQL
    if(!$db_handle) {
      echo 'Unable to connect to MySQL, check your connection details.'; exit;
    }

    //### Select the database we want to use
    $db_found = mysql_select_db($database,$db_handle);

    //### Make sure the database is selected
    if(!$db_found) {
      echo 'MySQL connected, but the database was not found.'; exit;
    }

    //### Assign and sanitize incoming form data
    $username = mysql_real_escape_string(trim($_POST['username']));
    $password = mysql_real_escape_string(trim($_POST['password']));
    $email    = trim($_POST['username']);

    //### Form data validation
    if(!$username) {
      $error = 'Please enter your desired username.';
    } else if(!$password) {
      $error = 'Please enter a password.';
    } else if(!$email) {
      $error = 'Please enter your e-mail address.';
    } else if(!filter_var($email,FILTER_VALIDATE_EMAIL)) {
      $error = 'You have entered an invalid e-mail address';
    } else {

      //### Now check if the username has been used
      $checkUsername = mysql_query("SELECT `username` FROM `users` WHERE `username` = '{$username}'");

      //### If the username exists, tell the user to choose another
      if(mysql_num_rows($checkUsername)) {
        $error = 'The username entered is already taken, please enter another.';
      } else {

        //### Now check if the e-mail address has been used
        $checkEmail = mysql_query("SELECT `email` FROM `users` WHERE `email` = '{$email}'");

        //### If the e-mail address exists, tell the user to choose another
        if(mysql_num_rows($checkEmail)) {
          $error = 'The e-mail address entered is already taken, please enter another.';
        } else {

          //### E-mail variables
          $subject = "Welcome!"; 
          $body    = "Welcome to website.co.uk,\n\nYour are now registered with website.com. Here are your details: \n\n Username: " .$_POST['username']. " \n\n Password: " .$_POST['upassword']. " \n\n You can now use these to log-in at http://www.website.com. Thank you!"; 
          $headers = "From:'mail@website.com'";

          //### Send the e-mail
          $mailSent = mail($email, $subject, $body, $headers);

          //### If the e-mail didn't sent, inform the user
          if(!$mailSent) {
            $error = 'We we\'re unable to send the e-mail, please try again.';
          } else {

            //### Hash the user password for database entry
            $hashedPassword = md5($password);

            //### Query to add the new user
            $addUser = mysql_query("INSERT INTO `users` (`username`,`upassword`,`email`) VALUES ('{$username}','{$hashedPassword}','{$email}'");

            //### If the new user was not added, inform the user
            if(!mysql_affect_rows()) {
              $error = 'We we\'re unable to save your account, please try again.';
            } else {


              //### Account was added, redirect to login or whatever you want to do here


            } // End of affected rows check

          } // End of email sending check

        } // End of e-mail address check

      } // End of username check

    } // End of validation check

  } // End if POST check
?>

<form action="" method="post">
<?PHP
  //### If the form has an error, display it.
  if(isSet($error)) {
    echo $error.' <br>';
  }
?>
Name: <input type="text" name="username" value="<?PHP if(isSet($_POST['username'])) { htmlentities(trim($_POST['username']), ENT_QUOTES); } ?>" placeholder="Your user name"/>
Password: <input type="password" name="upassword" value="" placeholder="Your password"/>
Email: <input type="text" name="email" value="<?PHP if(isSet($_POST['email'])) { htmlentities(trim($_POST['email']), ENT_QUOTES); } ?>" placeholder="Your email"/>
<input type="submit" value="Submit" />
</form>

 

Regards, PaulRyan.

[andy_b_1502]

Thanks paul,

 

i like the cleanliness, so what you've added is a little more security with the case sensitivity? i've been looking at salt does this further secure the passwords with md5?

 

Thanks