
Improving My Registration Form


White_Lily


Hi, I have a registration form and I wish to improve its security somewhat.

 

I want to be able to have an email sent to the user who has registered, which will consist of his/her:

 

Name

Username

Password???

and some form of security code.

 

I was wondering how I should go about doing the security code, since the code will be stored in the database.

When the user clicks on a link in the email they would be directed to a page where they enter their username and security code, and the processing script would then compare them, and either allow access or deny it.

 

I was thinking something like sha1, md5, etc... Any help with this would be greatly appreciated ^_^

https://forums.phpfreaks.com/topic/269670-improving-my-registration-form/

My suggestion is:

  • the user enters username / password and email address into the form.
  • the data gets saved into the user table, along with an md5 hash of the username, email and a salt word.
  • the user is emailed a link with the md5 hash as a variable in the link.
  • this redirects the user to the login page, with a couple of flags to show they are confirming.
  • when they hit submit you check the md5 matches the one in the DB and activate the account.

Sorry, I'm afraid I might not have explained properly. The email will contain a link with the hash in it:

Example:

Thank you for registering with............

Please click on the link below to confirm your registration:

 

http://somesitesomewhere.com/confirm.php?q=2df352fd23fd62fd72fd72fd72ff387d736251fdeez

 

where q is the md5 of their name and email address.

 

This hash will be unique to their account. You don't md5 the email at all.

Okay - I can't seem to be able to get the hang of the md5 hash as a code for the confirmation. So, I thought - how difficult would it be to have some code that generates a random (preferably unique) number that is then inserted into the database and used as that person's personal confirmation code?

$usersEmailAddress = '[email protected]'; // the address the user registered with
$usersPassword = '123456';
$salt = 'wibbleotter'; // this is secret to you.
$token = md5($usersEmailAddress.$usersPassword.$salt);
$query = "INSERT INTO User_table .... "; // insert your user's details and the token.
$url = "http://mysite.com/confirm.php?q=$token";
// email the above to the user and when they click on it to log in
// check with a query like this (the values need quoting inside the SQL)
$query = "SELECT id FROM User_table WHERE username = '$username' AND password = '$password' AND token = '$token'";

 

Hope that helps explain it a bit better.

Don't use the password in the hash, especially not when you use MD5; it's a BAD idea. Use uniqid(), as Jessica linked to (and you so correctly guessed would be better).

Also, don't send the password in the e-mail; e-mails are sent as plain text, and can quite easily be intercepted. Remembering the password is the user's responsibility, after all.
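The confirmation-token flow the thread is converging on, as an added example that is not part of any post here: the token is random rather than derived from the password, only its SHA-256 digest is stored, and the check uses a constant-time comparison, an expiry and single use. The function names and the in-memory $store array are assumptions standing in for confirm.php and the users table. It uses random_bytes() instead of uniqid() because uniqid() is derived from the clock and is documented as not suitable for unpredictable values.

```php
<?php
// Added example, not code from the thread. $store, make_activation_token(),
// activation_url() and verify_activation_token() are hypothetical names;
// $store is an in-memory array standing in for the users table.

const TOKEN_TTL_SECONDS = 24 * 3600;

// Create a token for a freshly registered user. The raw token goes only into
// the e-mail link; the table keeps a SHA-256 digest, so a leaked dump of the
// table does not let an attacker activate accounts.
function make_activation_token(array &$store, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, unlike uniqid()
    $store[$username] = [
        'token_hash' => hash('sha256', $token),
        'expires_at' => $now + TOKEN_TTL_SECONDS,
        'confirmed'  => false,
    ];
    return $token;
}

// Build the link that is mailed out. Nothing secret other than the token
// travels in the mail (no password, as the thread points out).
function activation_url(string $base, string $username, string $token): string
{
    return $base . '?' . http_build_query(['u' => $username, 'q' => $token]);
}

// What confirm.php would do with ?u=...&q=...: constant-time compare of the
// digests, expiry check, and single use (the digest is cleared on success).
function verify_activation_token(array &$store, string $username, string $token, int $now): bool
{
    if (!isset($store[$username]) || $store[$username]['confirmed']) {
        return false;
    }
    $row = $store[$username];
    if ($now > $row['expires_at']) {
        return false;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $store[$username]['confirmed']  = true;
    $store[$username]['token_hash'] = null;
    return true;
}

// Demonstration with a constructed user record.
$store = [];
$now   = time();
$token = make_activation_token($store, 'alice', $now);
$link  = activation_url('http://somesitesomewhere.com/confirm.php', 'alice', $token);
echo "Mail this link: $link\n";

var_dump(verify_activation_token($store, 'alice', 'not-the-token', $now));                 // false: wrong token
var_dump(verify_activation_token($store, 'alice', $token, $now + 2 * TOKEN_TTL_SECONDS));  // false: expired
var_dump(verify_activation_token($store, 'alice', $token, $now));                          // true
var_dump(verify_activation_token($store, 'alice', $token, $now));                          // false: already used
```

The username travels in the link so the lookup is by key rather than by scanning the table for a matching digest; with a 256-bit random token the digest alone would also be unique, but keying on the username keeps the query indexed and the comparison to a single row.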

Sorry John, but that doesn't appear to help much.

 

I did however search Google and found on php.net a function called "rand();" however I didn't see any way in which I could make it unique. Any ideas?

 

Sorry about that, try to use this one:

 

<?php
printf("uniqid(): %s\r\n", uniqid());
?>

Okay lol. (Sorry for the code being long - I think it can be tidied up a bit, but that will have to come later when the forum has some kind of functionality.)

 

Registration Form:

 


<?php
//Messages shown above the form; initialised here so the .= below never
//touches an undefined variable.
$msg2 = "";
$msg3 = "";

if(isset($_POST["submitReg"])){
    $regName = $_POST["name"];
    $regUsername = $_POST["username"];
    $regPassword = $_POST["password"];
    $regREpassword = $_POST["rePassword"];
    $email = $_POST["email"];

    if(empty($regName) && empty($regUsername) && empty($regPassword) && empty($regREpassword)){
        $msg3 = "The form was submitted empty.";
    }elseif(empty($regName)){
        $msg3 .= "The name field was empty.";
    }elseif(empty($email)){
        $msg3 .= "The email field was empty.";
    }elseif(preg_match("/^[a-zA-Z0-9_.-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$/", $email) === 0){
        //preg_match() needs delimiters around the pattern, and the dot before the domain suffix has to be escaped.
        $msg3 .= "Please enter a valid email.";
    }elseif(empty($regUsername)){
        $msg3 .= "The username field was empty.";
    }elseif(empty($regPassword)){
        $msg3 .= "The password field was empty.";
    }elseif(empty($regREpassword)){
        $msg3 .= "The repeat password field was empty.";
    }elseif($regPassword != $regREpassword){
        $msg3 .= "The password fields didn't match.";
    }else{
        //select() and insert() are the site's own query helpers (not shown in the thread).
        $check = select("*", "members", "username = '$regUsername'");
        $assoc = mysql_fetch_assoc($check);

        if($assoc && $regUsername == $assoc["username"]){
            $msg3 .= "That username has been taken, pick another.";
        }else{
            $regPassword = sha1($regPassword);
            $id = uniqid(); //confirmation code; the id column holds it until the account is activated

            $register = insert("members", "name, email, username, password, user_level, id, ban", "'$regName', '$email', '$regUsername', '$regPassword', 1, '$id', 0");

            if($register){
                $newsTitle = "New member registered!";

                $cont = $regUsername." has just joined Fusion Forums!<br>";
                $cont.= "Check out his/her profile:<br><br>";
                $cont.= "View Profile";

                $newsCont = $cont;

                $newMem = insert("news", "news_title, news_content, username", "'$newsTitle', '$newsCont', '$regUsername'");

                if($newMem){
                    $to = $email;
                    $subject = "Fusion Forums - Account Confirmation";
                    $message = "Hello! You have recently registered to Fusion Forums.<br><br>";
                    $message.= "This is a confirmation email, below you will find your account details along with a Unique ID.<br><br>";
                    $message.= "In order to activate your account you must first enter the ID into the text field that follows the link at the end of this email. Your details are as follows:<br><br>";
                    $message.= "<table>";
                    //each row is closed with </tr> (the original rows were never closed)
                    foreach(array("Name" => $regName, "Email" => $email, "Username" => $regUsername, "Unique ID" => $id) as $label => $value){
                        $message.= "<tr><td><strong>".$label.":</strong></td><td></td><td>".$value."</td></tr>";
                    }
                    $message.= "</table><br><br>";
                    $message.= "Please follow this link in order to activate your account (opens in your default browser):<br>";
                    $message.= "<a href='http://www.janedealsart.co.uk/activate.php?id=".$id."'>Activate Account</a>";
                    $from = "[email protected]";
                    $headers = 'MIME-Version: 1.0' . "\r\n";
                    $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
                    $headers.= "From: ".$from;
                    mail($to, $subject, $message, $headers);
                    $done = "You have successfully registered to Fusion Forums.<br>";
                    $done.= "We have sent you an email with a confirmation code on it,";
                    $done.= " when you go to confirm your account you will need this code in order to be able to access the forums.";

                    $msg2 .= $done;
                }else{
                    $msg3 .= "Sorry, we could not register your account details, if this persists contact the webmaster. ";
                }
            }else{
                $msg3 .= "Sorry, we could not register your account details, if this persists contact the webmaster. ";
            }
        }
    }
}

if($msg2){
    echo '<div class="success">Success: '.$msg2.'</div>';
}else{
    if($msg3){
        echo '<div class="error">Error: '.$msg3.'</div>';
    }

    echo '<form action="" method="POST">';
    echo '<label>Full Name:</label>';
    echo '<input type="text" class="field" name="name" />';
    echo '<div class="clear"></div>';
    echo '<label>Email:</label>';
    echo '<input type="text" class="field" name="email" />';
    echo '<div class="clear"></div>';
    echo '<label>Username:</label>';
    echo '<input type="text" class="field" name="username" />';
    echo '<div class="clear"></div>';
    echo '<label>Password:</label>';
    echo '<input type="password" class="field" name="password" />';
    echo '<div class="clear"></div>';
    echo '<label>Again:</label>';
    echo '<input type="password" class="field" name="rePassword" />';
    echo '<div class="clear"></div>';
    echo '<input type="submit" class="button" name="submitReg" value="Register" />';
    echo '<div class="clear"></div>';
    echo '</form>';
}
?>

 

The Login Form:

 


<?php
//Sessions have to be started before any output is sent, so do it first.
session_start();

$msg = "";

//Variables holding the post values.
$submit = isset($_POST["submit"]);
//The username goes into a query, so it is escaped. The password is only hashed and
//compared, so it must not be escaped, otherwise a password containing a quote would
//never match the hash that registration stored from the raw value.
$username = isset($_POST["username"]) ? mysql_real_escape_string($_POST["username"]) : "";
$password = isset($_POST["password"]) ? $_POST["password"] : "";

//Runs this if the form was submitted.
if($submit){

    //Checks if the form was empty or not.
    if(empty($username) && empty($password)){
        $msg = "The form was submitted empty.";
    }elseif(empty($username)){
        //Checks to make sure a username was entered.
        $msg .= "Please enter a username.";
    }elseif(empty($password)){
        //Checks to make sure a password was entered.
        $msg .= "Please enter a password.";
    }else{
        $query = mysql_query("SELECT * FROM members WHERE username = '$username'");//Queries the database.
        $num = mysql_num_rows($query);//Counts the rows (if any).
        $row = mysql_fetch_assoc($query);//Grabs the matching row, or false if there is none.

        //Checks the entered username against those in the database.
        if($num == 0 || $row["username"] != $username){
            $msg .= "The username does not match any registered members.";
        }else{
            //Turn the entered password into its sha1() hash, the form it is stored in.
            $password = sha1($password);

            //Checks the entered password against the stored hash.
            if($row["password"] != $password){
                $msg .= "The password does not match any registered members.";
            }elseif($row["id"] != "Confirmed"){
                //activate.php is expected to replace the uniqid() in the id column with "Confirmed".
                $msg .= "You cannot log in yet, please confirm your account.<br>";
                $msg .= "Upon registration you were sent an email with a confirmation code, if you didn't receive it, click below:<br><br>";
                $msg .= "<a href='/resend.php'>Re-send Confirmation Email</a>";
            }elseif($row["ban"] == 1){
                $msg .= "Your account has been banned for 24 hours, come back later.";
            }elseif($row["ban"] == 2){
                $msg .= "Your account has been banned for 14 days, come back later.";
            }elseif($row["ban"] == 3){
                $msg .= "Your account has been banned permanently.<br>";
                $msg .= "If you think this is wrong, you can submit an appeal for the admins and webmaster to decide whether to unban you or not.<br><br>";
                $msg .= "<a href='appeal.php'>Submit an Appeal</a>";
            }elseif($row["ban"] == 0){
                //If everything succeeds then the session is populated.
                $_SESSION["username"] = $username;
                $_SESSION["password"] = $password;

                //Re-directs the user to the home page; exit so nothing below runs after the redirect.
                header("Location: profile.php");
                exit;
            }
        }
    }

    //Echoes errors, should there be any.
    if($msg){
        echo '<div class="error">Error: '.$msg.'</div>';
    }

}
?>


<?php

if($_POST["submitReg"]){
$regName = $_POST["name"];
$regUsername = $_POST["username"];
$regPassword = $_POST["password"];
$regREpassword = $_POST["rePassword"];
$email = $_POST["email"];

?>

 

Make sure you filter that; the way you seem to be inputting is vulnerable to SQL injection.
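The register and login queries from the posted forms, rewritten as an added example (not code from the thread) with PDO prepared statements and password_hash()/password_verify(), run against an in-memory SQLite database so it executes as-is. The members table layout, register() and login() are assumptions; the last call shows what the injection the reply above refers to does once the username is a bound parameter.

```php
<?php
// Added example, not code from the thread. The members table, register() and
// login() are hypothetical; SQLite in memory stands in for the MySQL table the
// forms use.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (
    username   TEXT PRIMARY KEY,
    email      TEXT NOT NULL,
    password   TEXT NOT NULL,   -- password_hash() output, not sha1()
    confirmed  INTEGER NOT NULL DEFAULT 0,
    ban        INTEGER NOT NULL DEFAULT 0
)');

// Register: the values travel as bound parameters, so a username such as
// "x' OR '1'='1" is stored literally instead of rewriting the query.
function register(PDO $db, string $username, string $email, string $password): bool
{
    $exists = $db->prepare('SELECT 1 FROM members WHERE username = ?');
    $exists->execute([$username]);
    if ($exists->fetchColumn() !== false) {
        return false;                                  // username taken
    }
    $ins = $db->prepare('INSERT INTO members (username, email, password) VALUES (?, ?, ?)');
    return $ins->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: one lookup, then password_verify() against the stored hash. The same
// message is returned for an unknown user and a wrong password so the form
// does not confirm which usernames exist; the confirmation and ban checks
// mirror the posted login form.
function login(PDO $db, string $username, string $password): string
{
    $sel = $db->prepare('SELECT password, confirmed, ban FROM members WHERE username = ?');
    $sel->execute([$username]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return 'Invalid username or password.';
    }
    if (!$row['confirmed']) {
        return 'Please confirm your account first.';
    }
    if ($row['ban'] != 0) {
        return 'Your account is banned.';
    }
    return 'OK';
}

// Constructed data for the demonstration.
register($db, 'alice', 'alice@example.invalid', 'correct horse');
echo login($db, 'alice', 'correct horse'), "\n";      // Please confirm your account first.
$db->exec("UPDATE members SET confirmed = 1 WHERE username = 'alice'");

echo login($db, 'alice', 'wrong'), "\n";              // Invalid username or password.
echo login($db, 'alice', 'correct horse'), "\n";      // OK

// The classic payload against the posted "WHERE username = '$username'":
// interpolated, it would match every row; bound, it is just a username that
// does not exist.
echo login($db, "x' OR '1'='1", 'anything'), "\n";   // Invalid username or password.
```

mysql_real_escape_string() only protects the one query it is applied to and depends on the connection's character set; binding parameters keeps data and SQL separate for every query, which is why the ext/mysql calls in the posted forms are the part to replace first.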

Archived

This topic is now archived and is closed to further replies.
