bylletski Posted March 17, 2013 Share Posted March 17, 2013 (edited) Hello i wonder how to use sticky forms for password with MD5? If you don't know what sticky forms is i will explain. Explain. You have a page and your user will register on it. Then the user write wrong in username the username already exists and everything he have wrote stays. I got this problem when i don't use MD5 for passwords it stays but when i use it don't stay there. And there is one more problem I don't get the error messages from $pass1 and $pass2 what would be You forgot to fill the first password field and You forgot to fill the second password field. Would be great if you have a answer for me. <?php include 'db.php'; if(isset($_POST['regbutton'])) { $regfname = ""; $reglname = ""; $regage = ""; $regpass1 = ""; $regpass2 = ""; $regender = ""; $regemail1 = ""; $regemail2 = ""; $regcheckbox = ""; $regpage = ""; $regaccess = "1"; $regdate = date("Y/m/d"); function protect($string){ $string = mysql_real_escape_string($string); $string = strip_tags($string); $string = addslashes($string); return $string; } function protectx($stringx){ $stringx = mysql_real_escape_string($stringx); $stringx = strip_tags($stringx); $stringx = addslashes($stringx); $stringx = md5($stringx); return $stringx; } $regfname = protect($_POST['regfname']); $reglname = protect ($_POST['reglname']); $regnickname = protect ($_POST['regnickname']); $regage = protect ($_POST['regage']); $pass1 = protectx ($_POST['pass1']); $pass2 = protectx ($_POST['pass2']); $regender = protect ($_POST['regender']); $regemail1 = protect ($_POST['regemail1']); $regemail2 = protect($_POST['regemail2']); $regpage = protect ($_POST['regpage']); $regcheckbox = ($_POST['regcheckbox']); $regip = $_SERVER['REMOTE_ADDR']; $errors = array(); if($pass1 != $pass2) { $errors[] = "Passwords don't match."; } if($regemail1 != $regemail2) { $errors[] = "E-Mails don't match"; } if ($regnickname){ $sql = "SELECT * FROM `accounts` WHERE `nickname`='".$regnickname."'"; $res = mysql_query($sql) or die(mysql_error()); if(mysql_num_rows($res) > 0){ $errors[] = "Nickname already exist."; } } if ($regemail1){ $sql = "SELECT * FROM `accounts` WHERE `email`='".$regemail1."'"; $res = mysql_query($sql) or die(mysql_error()); if(mysql_num_rows($res) > 0){ $errors[] = "E-Mail already exist."; } } if ($regemail1) { $checkregemail1 = "/^[a-z0-9]+([_\\.-][a-z0-9]+)*@([a-z0-9]+([\.-][a-z0-9]+)*)+\\.[a-z]{2,}$/i"; if(!preg_match($checkregemail1, $regemail1)){ $errors[] = "The E-Mail need to be name@example.com"; } } if (!$regcheckbox) { $errors[] = "You forgot to mark the checkbox"; } if (!$regfname) { $errors[] = "You forgot to fill the Firstname field."; } if (!$reglname) { $errors[] = "You forgot to fill the Lastname field."; } if (!$regnickname) { $errors[] = "You forgot to fill the Nickname field."; } if (!$regage) { $errors[] = "You forgot to fill the Age field."; } if (!$pass1) { $errors[] = "You forgot to fill the first password field."; } if (!$pass2) { $errors[] = "You forgot to fill the second password field"; } if (!$regemail1) { $errors[] = "You forgot to fill the first E-Mail field."; } if (!$regemail2) { $errors[] = "You forgot to fill the second E-Mail field"; } if ($regage < 18){ $error[] = "You forgot to fill the Age field"; } if(count($errors) > 0){ foreach($errors AS $error) echo $error . "<br>\n"; } else { mysql_query("INSERT INTO accounts (firstname, lastname, nickname, age, password, gender, email, access, ip, page, date) values ('$regfname', '$reglname', '$regnickname', '$regage', '$pass1', '$regender', '$regemail1', '$regaccess', '$regip', '$regpage', '$regdate')"); echo "Congratulations the user "; echo $regnickname ; echo " has been created and you can "; echo '<a href="?p=login">login here.</a>'; } } echo ' <html><body> <center><h3>Register</h3> <form method="post" action="?p=register"> Firstname <br><input type="text" maxlength="20" name="regfname" value="' . $regfname . '"> <br><br>Lastname <br><input type="text" maxlength="20" name="reglname" value="' . $reglname . '"> <br><br>Nickname (Max 30 characters) <br><input type="text" maxlength="30" name="regnickname" value="' . $regnickname . '"> <br><br>How old are you? <br><input type="text" maxlength="3" name="regage" value="' . $regage . '"> <br><br>Password (Max 15 characters) <br><input type="password" maxlength="15" name="pass1"> <br><br>Password again (Max 15 characters) <br><input type="password" maxlength="15" name="pass2"> <br><br>Man or Woman?<br> <select name="regender" value="' . $regender . '"> <option>Man</option><option>Woman</option></select> <br><br>Email <br><input type="text" name="regemail1" value="' . $regemail1 . '"> <br><br>Email again <br><input type="text" name="regemail2" value="' . $regemail2 . '"> <br><br>Do you got a homepage? Maybe facebook?<br> <input type="text" name="regpage" value="' . $regpage . '"><br><br> I have read the <a href="?p=rules">RULES </a>and I agree them. <input type="checkbox" name="regcheckbox" ' . (isset($_POST['regcheckbox']) ? 'checked="checked"':'') .'><br><br> <input type="submit" name="regbutton" value="Register"> </form> </center> </html></body>'; ?> Edited March 17, 2013 by KevinM1 Code tags Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/ Share on other sites More sharing options...
Psycho Posted March 17, 2013 Share Posted March 17, 2013 (edited) The solution is very, very simple. DO NOT MAKE PASSWORDS STICKY! There is not one legitimate site, application, whatever that makes passwords sticky when there are errors. EDIT: All those functions you are running in the function protectx() are unnecessary and actually reduce security. You ONLY need to create a hash of the password. You do not need/want to be removing slashes, mysql_real_escape_string(), etc. etc. Edited March 17, 2013 by Psycho Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419201 Share on other sites More sharing options...
KevinM1 Posted March 17, 2013 Share Posted March 17, 2013 (edited) A couple of things not necessarily related to your problem: 1. If you're going to post code, put that code within code tags, or simply press the <> button on the forum's text editor. 2. MD5 should never, ever be used to hash passwords. You want to use something slow like bcrypt. Or, better yet, use phpass. Read more at: http://www.openwall.com/articles/PHP-Users-Passwords Edited March 17, 2013 by KevinM1 Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419202 Share on other sites More sharing options...
bylletski Posted March 17, 2013 Author Share Posted March 17, 2013 So you mean is wrong to use MD5 passwords? You want me to use hasch insteed? Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419205 Share on other sites More sharing options...
KevinM1 Posted March 17, 2013 Share Posted March 17, 2013 So you mean is wrong to use MD5 passwords? You want me to use hasch insteed? MD5 is a hash. Just look at the link I provided earlier. Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419206 Share on other sites More sharing options...
bylletski Posted March 17, 2013 Author Share Posted March 17, 2013 I didn't get any answer from my post in first section on this thread. Is there any possible too use sticky forms for MD5 passwords? And i wonder the same of the gender thing too. <select name="regender" ' . (isset($_POST['regender']) ? 'selected="selected"':'') .'><option>Man</option><option>Woman</option></select> I tried that but didn't work. Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419211 Share on other sites More sharing options...
Psycho Posted March 18, 2013 Share Posted March 18, 2013 You should NOT try and make passwords sticky. As for making a select list sticky, you need to set the OPTION as selected. I prefer to use a list or array for creating my select lists to make this simple. $genders = array('Man', 'Woman'); echo "<select name='regender'>\n"; foreach($genders as $gender) { $selected = (isset($_POST['regender']) && $_POST['regender']==$gender) ? ' selected="selected"' : ''; echo "<option{$selected}>{$gender}</option>\n"; } echo "</select>\n"; Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419219 Share on other sites More sharing options...
bylletski Posted March 18, 2013 Author Share Posted March 18, 2013 You should NOT try and make passwords sticky. As for making a select list sticky, you need to set the OPTION as selected. I prefer to use a list or array for creating my select lists to make this simple. $genders = array('Man', 'Woman'); echo "<select name='regender'>\n"; foreach($genders as $gender) { $selected = (isset($_POST['regender']) && $_POST['regender']==$gender) ? ' selected="selected"' : ''; echo "<option{$selected}>{$gender}</option>\n"; } echo "</select>\n"; Okey i give a shit about the sticky for the passwords but i can't still get the messages from if (!$pass1) { $errors[] = "You forgot to fill the first password field."; } if (!$pass2) { $errors[] = "You forgot to fill the second password field"; } Because i use MD5 and the gender thing didn't work please help me now. Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419308 Share on other sites More sharing options...
PaulRyan Posted March 18, 2013 Share Posted March 18, 2013 The reason the errors for $pass1 and $pass2 aren't working, is because you are returning an MD5 hash from your protectx function. You need add a check within the function to see if the incoming password is empty, if it is, return false instead of returning an MD5 hash of an empty string. Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419315 Share on other sites More sharing options...
Psycho Posted March 18, 2013 Share Posted March 18, 2013 The reason the errors for $pass1 and $pass2 aren't working, is because you are returning an MD5 hash from your protectx function. You need add a check within the function to see if the incoming password is empty, if it is, return false instead of returning an MD5 hash of an empty string. I would suggest doing all your validations first - then hash the password just before you insert/compare it to the database. IMHO, it is always best to leave data in its "original" state and only transform/modify it at the point where it needs to be done. So, for data being submitted to be inserted into the database, I would not use mysql_real_escape_string() until just before it is used in a query. One example of why this makes sense is if there is a length check for the input. mysql_real_escape_string() (or any other escaping method) will introduce additional characters that would potentially create invalid length checks. The only general exception I have to this rule is with using trim(). I consider it a best practice to trim() all user input before doing any validation/escaping of data - except where there is a legitimate reason to maintain the leading/trailing white-space characters. Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419328 Share on other sites More sharing options...
bylletski Posted March 18, 2013 Author Share Posted March 18, 2013 I would suggest doing all your validations first - then hash the password just before you insert/compare it to the database. IMHO, it is always best to leave data in its "original" state and only transform/modify it at the point where it needs to be done. So, for data being submitted to be inserted into the database, I would not use mysql_real_escape_string() until just before it is used in a query. One example of why this makes sense is if there is a length check for the input. mysql_real_escape_string() (or any other escaping method) will introduce additional characters that would potentially create invalid length checks. The only general exception I have to this rule is with using trim(). I consider it a best practice to trim() all user input before doing any validation/escaping of data - except where there is a legitimate reason to maintain the leading/trailing white-space characters. You want me to use mysql_real_escape_string in the query code? Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419361 Share on other sites More sharing options...
Jessica Posted March 18, 2013 Share Posted March 18, 2013 Is that what he said? Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419365 Share on other sites More sharing options...
bylletski Posted March 18, 2013 Author Share Posted March 18, 2013 My english is not so good. Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419371 Share on other sites More sharing options...
Jessica Posted March 18, 2013 Share Posted March 18, 2013 He said to use it just before the query. If you want to create a really long string in PHP with all the calls to escape_string within it, you can. If you want to do them immediately before the query, you can. But do it when you are ready to actually use the query, not before then. Quote Link to comment https://forums.phpfreaks.com/topic/275788-how-to-use-sticky-forms-for-md5-passwords/#findComment-1419380 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.