Jump to content

Improving My Registration Form

White_Lily

By White_Lily
in PHP Coding Help

 Share

Recommended Posts

White_Lily Regular Member

White_Lily

Posted
Posted (edited)

Hi, I have a registration and i wish to improve the security somewhat.

 

I want to be able to have an email sent to the user that has registered which will consist of his/her;

 

Name

Username

Password???

and some form of Security Code

 

I was wondering how I should go about doing the security code, since the code will be stored in the database.

When the user clicks on a link in the email they would be directed to a page where they enter their username and security code, and the processing script would then compare them, and either allow access or deny it.

 

I was thinking something like sha1, md5, etc... Any help with this would be greatly appreciated ^_^

Edited by White_Lily
Link to comment
https://forums.phpfreaks.com/topic/269670-improving-my-registration-form/
Share on other sites
gristoi Newbie

gristoi

Posted
Posted

my suggestion is:

  • user enters username / password and email address into form.
  • data gets saved into user table, along with an md5 hash of the username, email and a salt word
  • the user is emailed a link with the md5hash as a variable in the link
  • this redirects the user to the login page, with a couple of flags to show they are confirming,
  • when they hi t submit you check the md5 matches the one in the db and activate the account

gristoi Newbie

gristoi

Posted
Posted

sorry, im afraid i might not have explained properly. the email will contain a link with the hash in it|:

example:

thank you for registering with............

please click on the link below to confirm your registration:

 

http://somesitesomewhere.com/confirm.php?q=2df352fd23fd62fd72fd72fd72ff387d736251fdeez

 

where q is the md5 of their name and email address.

 

this hash will be unque to their account. you done md5 the email at all

White_Lily Regular Member

White_Lily

Posted
  • Author
Posted

Okay - I can't seem to be able to get the hang on the md5 hash as a code for the confirmation. So, I thought - how difficult would it be to have some code that generates a random (preferrably unique) number that is then inserted into the database and used as that person's personal confirmation code?

gristoi Newbie

gristoi

Posted
Posted 

$usersEmailAddress = test@test.com;
$usersPassword = '123456';
$salt = 'wibbleotter'; // this is secret to you.
$token = md5($usersEmailAddress.$usersPassword.$salt);
$query = "INSERT INTO User_table .... "; // insert your users details and the token.
$url = "http://mysite.com/confirm.php?q=$token";
// email the above to the user and when they cliick on it to log in
check with a query like this
$query = "SELECT id FROM User_table where username =$username AND password = $password AND token = $token";

 

hope that help explain it a bit better

Christian F. Member

Christian F.

Posted
Posted (edited)

Don't use the password in the hash, especially not when you use MD5; It's a BAD idea. Use unique_id (), as Jessica linked to (and you so correctly guessed would be better).

Also, don't send the password in the e-mail; E-mails are sent as plain text, and can quite easily be intercepted. Remembering the password is the user's responsibility, after all.

Edited by Christian F.
JohnTipperton Newbie

JohnTipperton

Posted
Posted
  On 10/19/2012 at 3:20 PM, White_Lily said:

Sorry John but that doesn't appear to help much.

 

I did however search google and found on php.net a function could "rand();" however I didn't see any way in which i could make it unique. Any ideas?

 

sorry about that try to use this one

 

<?php

 

printf("uniqid(): %s\r\n", uniqid());

 

?>

White_Lily Regular Member

White_Lily

Posted
  • Author
Posted

Okay lol. (Sorry for the code being long - I think they can be tidied up a bit but that will have to come later when there is some kind of function to the forum).

 

Registration Form:

 

<?php

if($_POST["submitReg"]){
$regName = $_POST["name"];
$regUsername = $_POST["username"];
$regPassword = $_POST["password"];
$regREpassword = $_POST["rePassword"];
$email = $_POST["email"];

if(empty($regName) && empty($regUsername) && empty($regPassword) && empty($regREpassword)){
$msg3 = "The form was submitted empty.";
}else{
if(empty($regName)){
$msg3 .= "The name field was empty.";
}else{
if(empty($email)){
$msg3 .= "The email field was empty.";
}else{
if(preg_match("^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+$", $_POST["email"]) === 0){
$msg3 .= "Please enter a valid email.";
}else{
if(empty($regUsername)){
$msg3 .= "The username field was empty.";
}else{
if(empty($regPassword)){
$msg3 .= "The password field was empty.";
}else{
if(empty($regREpassword)){
$msg3 .= "The repeat password field was empty.";
}else{
if($regPassword != $regREpassword OR $regREpassword != $regPassword){
$msg3 .= "The password fields didn't match.";
}else{
$check = select("*", "members", "username = '$regUsername'");
$assoc = mysql_fetch_assoc($check);

if($regUsername == $assoc["username"]){
$msg3 .= "That username has been taken, pick another.";
}else{

$regPassword = sha1($regPassword);
$id = uniqid();

$register = insert("members", "name, email, username, password, user_level, id, ban", "'$regName', '$email', '$regUsername', '$regPassword', 1, '$id', 0");

if($register){

$newsTitle = "New member registered!";

$cont = $regUsername." has just joined Fusion Forums!<br>";
$cont.= "Check out his/her profile:<br><br>";
$cont.= "View Profile";

$newsCont = $cont;

$newMem = insert("news", "news_title, news_content, username", "'$newsTitle', '$newsCont', '$regUsername'");

if($newMem){ 
$to = $email;
$subject = "Fusion Forums - Account Confirmation";
$message = "Hello! You have recently registered to Fusion Forum's.<br><br>";
$message.= "This is a confirmation email, below you will find your account details along with a Unique ID.<br><br>";
$message.= "In order to activate your account you must first enter the ID into the text field that follows the link at the end of this email. Your details are as follows:<br><br>";
$message.= "<table>";
$message.= "<tr>";
$message.= "<td><strong>Name:</strong></td>";
$message.= "<td></td>";
$message.= "<td>".$regName."</td>";
$message.= "<tr>";
$message.= "<tr>";
$message.= "<td><strong>Email:</strong></td>";
$message.= "<td></td>";
$message.= "<td>".$email."</td>";
$message.= "<tr>";
$message.= "<tr>";
$message.= "<td><strong>Username:</strong></td>";
$message.= "<td></td>";
$message.= "<td>".$regUsername."</td>";
$message.= "<tr>";
$message.= "<tr>";
$message.= "<td><strong>Unique ID:</strong></td>";
$message.= "<td></td>";
$message.= "<td>".$id."</td>";
$message.= "<tr>";
$message.= "</table><br><br>";
$message.= "Please follow this link in order to activate your account (opens in your default browser):<br>";
$message.= "<a href='http://www.janedealsart.co.uk/activate.php?id=".$id."'>Activate Account</a>";
$from = "noreply@janedealsart.co.uk";
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers.= "From: ".$from;
mail($to, $subject, $message, $headers);
$done = "You have successfully registered to Fusion Fourm's.<br>";
$done.= "We have sent you an email with a confirmation code on it,";
$done.= " when you go to confirm your account you will need this code in order to be able to access the forum's.";

$msg2 .= $done; 

}else{
$msg3 .= "Sorry, we could not register your account details, if this persists contact the webmaster. ";
}
}else{
$msg3 .= "Sorry, we could not register your account details, if this persists contact the webmaster. ";
}
}
}
}
}
}
}
}
}
}
}

if($msg2){
echo '<div class="success">Success: '.$msg2.'</div>';
}else{
if($msg3){
echo '<div class="error">Error: '.$msg3.'</div>';
}

echo '<form action="" method="POST">';
echo '<label>Full Name:</label>';
echo '<input type="text" class="field" name="name" />';
echo '<div class="clear"></div>';
echo '<label>Email:</label>';
echo '<input type="text" class="field" name="email" />';
echo '<div class="clear"></div>';
echo '<label>Username:</label>';
echo '<input type="text" class="field" name="username" />';
echo '<div class="clear"></div>';
echo '<label>Password:</label>';
echo '<input type="password" class="field" name="password" />';
echo '<div class="clear"></div>';
echo '<label>Again:</label>';
echo '<input type="password" class="field" name="rePassword" />';
echo '<div class="clear"></div>';
echo '<input type="submit" class="button" name="submitReg" value="Register" />';
echo '<div class="clear"></div>';
echo '</form>';

}

?>

 

The Login Form:

 

<?php

//Variables holding the post values.
$submit = $_POST["submit"];
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);

//Runs this if the form was submitted.
if($submit){

//Checks if the form was empty or not.
if(empty($username) && empty($password)){
$msg = "The form was submitted empty.";
}else{

//Checks to make sure a username was entered.
if(empty($username)){
$msg .= "Please enter a username.";
}else{

//Checks to make sure a password was entered.
if(empty($password)){
$msg .= "Please enter a password.";
}else{
$query = mysql_query("SELECT * FROM members WHERE username = '$username'");//Queries the database.
$num = mysql_num_rows($query);//Collects the rows (if any).
$row = mysql_fetch_assoc($query);//A variable to grab rows with.

//If there are members this checks the entered username against those in the database.
if($row["username"] != $username){
$msg .= "The username does not match any registered members.";
}else{

//Turn the normal password into a sha1() encrypted password.
$password = sha1($password);

//If there are members this checks the entered password against those in the database.
if($row["password"] != $password){
$msg .= "The password does not match any registered members.";
}else{
if($row["id"] != "Confirmed"){
$msg .= "You cannot log in yet, please confirm your account.<br>";
$msg .= "Upon registration you were sent an email with a confirmation code, if you didnt recieve it, click below:<br><br>";
$msg .= "<a href='/resend.php'>Re-send Confirmation Email</a>";
}else{
if($row["ban"] == 1){
$msg .= "Your account has been banned for 24 hours, come back later.";
}else{
if($row["ban"] == 2){
$msg .= "Your account has been banned for 14 days, come back later.";
}else{
if($row["ban"] == 3){
$msg .= "Your account has been banned permanantly.<br>";
$msg .= "If you think this is wrong, you can submit an appeal for the admins and webmaster to decide whether to unban you or not.<br><br>";
$msg .= "<a href='appeal.php'>Submit an Appeal</a>";
}else{
if($row["ban"] == 0){
//If everything succeeds then the sessions will start.
session_start();
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;

//Re-directs the user to the home page.
header("Location: profile.php");
}
}
}
}
}
}
}
}
}
}

//Echos errors, should there be any.
echo '<div class="error">Error: '.$msg.'</div>';

}

?>

MDCode Member

MDCode

Posted
Posted
  On 10/23/2012 at 2:33 PM, White_Lily said: 

<?php

if($_POST["submitReg"]){
$regName = $_POST["name"];
$regUsername = $_POST["username"];
$regPassword = $_POST["password"];
$regREpassword = $_POST["rePassword"];
$email = $_POST["email"];

?>

 

Make sure you filter that, the way you seem to be inputting is vulnerable to sql injection

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.