Jump to content

Recommended Posts

Hello i wonder how to use sticky forms for password with MD5? If you don't know what sticky forms is i will explain.

 

Explain.

You have a page and your user will register on it. Then the user write wrong in username the username already exists and everything he have wrote stays.

 

I got this problem when i don't use MD5 for passwords it stays but when i use it don't stay there. And there is one more problem I don't get the error messages from $pass1 and $pass2 what would be You forgot to fill the first password field and You forgot to fill the second password field.

 

Would be great if you have a answer for me.

 

 

 

<?php
include 'db.php';


if(isset($_POST['regbutton'])) {

$regfname = "";
$reglname = "";
$regage = "";
$regpass1 = "";
$regpass2 = "";
$regender = "";
$regemail1 = "";
$regemail2 = "";
$regcheckbox = "";
$regpage = "";
$regaccess = "1";
$regdate = date("Y/m/d");

function protect($string){
$string = mysql_real_escape_string($string);
$string = strip_tags($string);
$string = addslashes($string);
return $string;
}

function protectx($stringx){
$stringx = mysql_real_escape_string($stringx);
$stringx = strip_tags($stringx);
$stringx = addslashes($stringx);
$stringx = md5($stringx);
return $stringx;
}

$regfname = protect($_POST['regfname']);
$reglname = protect ($_POST['reglname']);
$regnickname = protect ($_POST['regnickname']);
$regage = protect ($_POST['regage']);
$pass1 = protectx ($_POST['pass1']);
$pass2 = protectx ($_POST['pass2']);
$regender = protect ($_POST['regender']);
$regemail1 = protect ($_POST['regemail1']);
$regemail2 = protect($_POST['regemail2']);
$regpage = protect ($_POST['regpage']);
$regcheckbox = ($_POST['regcheckbox']);
$regip = $_SERVER['REMOTE_ADDR'];

$errors = array();

if($pass1 != $pass2) {

$errors[] = "Passwords don't match.";

}

if($regemail1 != $regemail2) {

$errors[] = "E-Mails don't match";

}

if ($regnickname){
$sql = "SELECT * FROM `accounts` WHERE `nickname`='".$regnickname."'";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res) > 0){
$errors[] = "Nickname already exist.";
}
}

if ($regemail1){
$sql = "SELECT * FROM `accounts` WHERE `email`='".$regemail1."'";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res) > 0){
$errors[] = "E-Mail already exist.";
}
}

if ($regemail1) {
$checkregemail1 = "/^[a-z0-9]+([_\\.-][a-z0-9]+)*@([a-z0-9]+([\.-][a-z0-9]+)*)+\\.[a-z]{2,}$/i";
if(!preg_match($checkregemail1, $regemail1)){
$errors[] = "The E-Mail need to be name@example.com";
}
}

if (!$regcheckbox) {
$errors[] = "You forgot to mark the checkbox";
}

if (!$regfname) {
$errors[] = "You forgot to fill the Firstname field.";
}

if (!$reglname) {
$errors[] = "You forgot to fill the Lastname field.";
}

if (!$regnickname) {
$errors[] = "You forgot to fill the Nickname field.";
}

if (!$regage) {
$errors[] = "You forgot to fill the Age field.";
}

if (!$pass1) {
$errors[] = "You forgot to fill the first password field.";
}

if (!$pass2) {
$errors[] = "You forgot to fill the second password field";
}

if (!$regemail1) {
$errors[] = "You forgot to fill the first E-Mail field.";
}

if (!$regemail2) {
$errors[] = "You forgot to fill the second E-Mail field";
}

if ($regage < 18){
$error[] = "You forgot to fill the Age field";
}


if(count($errors) > 0){
foreach($errors AS $error)
echo $error . "<br>\n";
} else {
mysql_query("INSERT INTO accounts (firstname, lastname, nickname, age, password, gender, email, access, ip, page, date)
values ('$regfname', '$reglname', '$regnickname', '$regage', '$pass1', '$regender', '$regemail1', '$regaccess', '$regip', '$regpage', '$regdate')");
echo "Congratulations the user ";
echo $regnickname ;
echo " has been created and you can ";
echo '<a href="?p=login">login here.</a>';
}
}

echo '
<html><body>
<center><h3>Register</h3>
<form method="post" action="?p=register">
Firstname
<br><input type="text" maxlength="20" name="regfname" value="' . $regfname . '">

<br><br>Lastname
<br><input type="text" maxlength="20" name="reglname" value="' . $reglname . '">

<br><br>Nickname (Max 30 characters)
<br><input type="text" maxlength="30" name="regnickname" value="' . $regnickname . '">

<br><br>How old are you?
<br><input type="text" maxlength="3" name="regage" value="' . $regage . '">

<br><br>Password (Max 15 characters)
<br><input type="password" maxlength="15" name="pass1">

<br><br>Password again (Max 15 characters)
<br><input type="password" maxlength="15" name="pass2">

<br><br>Man or Woman?<br>
<select name="regender" value="' . $regender . '"> <option>Man</option><option>Woman</option></select>

<br><br>Email
<br><input type="text" name="regemail1" value="' . $regemail1 . '">

<br><br>Email again
<br><input type="text" name="regemail2" value="' . $regemail2 . '">

<br><br>Do you got a homepage? Maybe facebook?<br>
<input type="text" name="regpage" value="' . $regpage . '"><br><br>

I have read the <a href="?p=rules">RULES </a>and I agree them.
<input type="checkbox" name="regcheckbox" ' . (isset($_POST['regcheckbox']) ? 'checked="checked"':'') .'><br><br>

<input type="submit" name="regbutton" value="Register">
</form>
</center>
</html></body>';
?>
 
Edited by KevinM1
Code tags

The solution is very, very simple.

 

DO NOT MAKE PASSWORDS STICKY! There is not one legitimate site, application, whatever that makes passwords sticky when there are errors.

 

 

EDIT: All those functions you are running in the function protectx() are unnecessary and actually reduce security. You ONLY need to create a hash of the password. You do not need/want to be removing slashes, mysql_real_escape_string(), etc. etc.

Edited by Psycho

A couple of things not necessarily related to your problem:

 

1. If you're going to post code, put that code within code tags, or simply press the <> button on the forum's text editor.

2. MD5 should never, ever be used to hash passwords.  You want to use something slow like bcrypt.  Or, better yet, use phpass.  Read more at: http://www.openwall.com/articles/PHP-Users-Passwords

Edited by KevinM1

I didn't get any answer from my post in first section on this thread. Is there any possible too use sticky forms for MD5 passwords? And i wonder the same of the gender thing too.

 

<select name="regender" ' . (isset($_POST['regender']) ? 'selected="selected"':'') .'>
<option>Man</option><option>Woman</option></select> I tried that but didn't work.

You should NOT try and make passwords sticky.

 

As for making a select list sticky, you need to set the OPTION as selected. I prefer to use a list or array for creating my select lists to make this simple.

$genders = array('Man', 'Woman');

echo "<select name='regender'>\n";
foreach($genders as $gender)
{
    $selected = (isset($_POST['regender']) && $_POST['regender']==$gender) ? ' selected="selected"' : '';
    echo "<option{$selected}>{$gender}</option>\n";
}
echo "</select>\n";

You should NOT try and make passwords sticky.

 

As for making a select list sticky, you need to set the OPTION as selected. I prefer to use a list or array for creating my select lists to make this simple.

$genders = array('Man', 'Woman');

echo "<select name='regender'>\n";
foreach($genders as $gender)
{
    $selected = (isset($_POST['regender']) && $_POST['regender']==$gender) ? ' selected="selected"' : '';
    echo "<option{$selected}>{$gender}</option>\n";
}
echo "</select>\n";

 

Okey i give a shit about the sticky for the passwords but i can't still get the messages from

 

if (!$pass1) {

$errors[] = "You forgot to fill the first password field.";

}

 

if (!$pass2) {

$errors[] = "You forgot to fill the second password field";

}

 

Because i use MD5 and the gender thing didn't work please help me now.

The reason the errors for $pass1 and $pass2 aren't working, is because you are returning an MD5 hash from your protectx function.

 

You need add a check within the function to see if the incoming password is empty, if it is, return false instead of returning an MD5 hash of an empty string.

The reason the errors for $pass1 and $pass2 aren't working, is because you are returning an MD5 hash from your protectx function.

 

You need add a check within the function to see if the incoming password is empty, if it is, return false instead of returning an MD5 hash of an empty string.

 

I would suggest doing all your validations first - then hash the password just before you insert/compare it to the database.

 

IMHO, it is always best to leave data in its "original" state and only transform/modify it at the point where it needs to be done. So, for data being submitted to be inserted into the database, I would not use mysql_real_escape_string() until just before it is used in a query. One example of why this makes sense is if there is a length check for the input. mysql_real_escape_string() (or any other escaping method) will introduce additional characters that would potentially create invalid length checks. The only general exception I have to this rule is with using trim(). I consider it a best practice to trim() all user input before doing any validation/escaping of data - except where there is a legitimate reason to maintain the leading/trailing white-space characters.

I would suggest doing all your validations first - then hash the password just before you insert/compare it to the database.

 

IMHO, it is always best to leave data in its "original" state and only transform/modify it at the point where it needs to be done. So, for data being submitted to be inserted into the database, I would not use mysql_real_escape_string() until just before it is used in a query. One example of why this makes sense is if there is a length check for the input. mysql_real_escape_string() (or any other escaping method) will introduce additional characters that would potentially create invalid length checks. The only general exception I have to this rule is with using trim(). I consider it a best practice to trim() all user input before doing any validation/escaping of data - except where there is a legitimate reason to maintain the leading/trailing white-space characters.

You want me to use mysql_real_escape_string in the query code?

He said to use it just before the query. If you want to create a really long string in PHP with all the calls to escape_string within it, you can. If you want to do them immediately before the query, you can. But do it when you are ready to actually use the query, not before then.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.