The following code is what my team uses on our site to allow members to sign up for an account. The person that wrote it is no longer with us. One of the problems I'm having is I'm getting people with usernames like ""; show tables; --". I would like to disallow every character except a-z, numbers, _ , and -. Is this possible? The second problem I'm having is that users are no longer able to sign up... they get the error:

Warning: mysqli_connect() [function.mysqli-connect]: (HY000/2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) in /home4/teamct/public_html/join/join-request.php on line 49
It failed.

The other problem that existed while the registration still worked is that if the username already existed they get:

Fatal error: Call to undefined function mysqli_exit() in /home4/teamct/public_html/join/join-request.php on line 63

If I delete line 63 then the page refreshes without informing the user that anything went wrong. I would like it to say something like "Sorry, that username already exists."

I have attached the entire join-request file (with usernames/passwords changed for security)

Any help would be appreciated, let me know if you need anything else.

UPDATE: The registration randomly works again O_o

join-request.php

Edited by elijahkan14
https://forums.phpfreaks.com/topic/286203-help-with-registration-form/

One of the problems I'm having is I'm getting people with usernames like ""; show tables; --".

Seems like someone is trying to find a vulnerability in your code to perform SQL injection. mysqli_real_escape_string is what is helping to prevent such attacks. A better approach would be to use mysqli prepared statements.

I would like to disallow every character except a-z, numbers, _ , and -. Is this possible?

Currently you are allowing any input for the username, including nothing at all. This is because you are not validating the username. If you want to only allow letters, numbers, underscores and hyphens then use the following regex

// \w matches letters, digits and underscore; the character class also allows '-'.
// The negated class [^\w-] therefore matches any character that is NOT allowed,
// so a successful preg_match means the username contains something forbidden.
if (preg_match('~[^\w-]+~i', $username))
{
    echo 'You have invalid characters in your username. Please only use letters, numbers, underscores or hyphens';
}

The second problem I'm having is that users are no longer able to sign up... they get the error:

Warning: mysqli_connect() [function.mysqli-connect]: (HY000/2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) in /home4/teamct/public_html/join/join-request.php on line 49

It failed.

Not sure on Linux sockets. But the first thing I think of is to make sure that MySQL is running, and your MySQL credentials are correct.

The other problem that existed while the registration still worked is that if the username already existed they get:

Fatal error: Call to undefined function mysqli_exit() in /home4/teamct/public_html/join/join-request.php on line 63

That is because there isn't a mysqli_exit() function. Maybe you meant to use mysqli_close().

I would like it to say something like "Sorry, that username already exists."

You are saving the error message to the $_SESSION and then redirecting to site.com/join/. You will have to echo $_SESSION['ERROR1'] to display the error on that page.

Edited by Ch0cu3r
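The points raised in the reply above (validate the username with a whitelist regex, stop building SQL from user input by using mysqli prepared statements, and report a duplicate username back to the user through the session) combined into one registration handler. This is an added example and not code from the thread or the attached join-request.php; it assumes a `members` table with a UNIQUE `username` column and a `password_hash` column, placeholder database credentials, and the same `$_SESSION['ERROR1']` plus redirect-to-`/join/` pattern the thread describes. The regex is anchored and length-limited, so it also rejects the empty username the reply mentions.

```php
<?php
// Added example (not from the original thread): a hardened version of the
// registration flow discussed above, using mysqli prepared statements.
// Assumed: a table `members` with a UNIQUE `username` column and a
// `password_hash` column; the DB credentials below are placeholders.
declare(strict_types=1);

// Whitelist: letters, digits, underscore, hyphen; 3 to 32 characters.
// Anchored with ^ and $ so the whole value must match (empty input fails).
const USERNAME_PATTERN = '~^[A-Za-z0-9_-]{3,32}$~';

// Returns null when the username is acceptable, otherwise an error message.
function validateUsername(string $username): ?string
{
    if (!preg_match(USERNAME_PATTERN, $username)) {
        return 'Usernames may only contain letters, numbers, underscores or hyphens (3-32 characters).';
    }
    return null;
}

function connectDb(): mysqli
{
    // Throw mysqli_sql_exception instead of emitting warnings, so a failed
    // connect (like the "Can't connect through socket" error above) is caught
    // and can be logged rather than shown to the visitor.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    $db->set_charset('utf8mb4');
    return $db;
}

// Attempts to create the account; returns null on success or an error message.
function registerMember(mysqli $db, string $username, string $password): ?string
{
    $err = validateUsername($username);
    if ($err !== null) {
        return $err;
    }

    // The username is bound as a parameter, never interpolated into the SQL,
    // so input such as  "; show tables; --  is only ever compared as a literal.
    $stmt = $db->prepare('SELECT 1 FROM members WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();          // works without mysqlnd, unlike get_result()
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    if ($exists) {
        return 'Sorry, that username already exists.';
    }

    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        $stmt = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
        $stmt->bind_param('ss', $username, $hash);
        $stmt->execute();
        $stmt->close();
    } catch (mysqli_sql_exception $e) {
        // MySQL errno 1062 = duplicate key: two sign-ups raced between the
        // SELECT and the INSERT. The UNIQUE constraint is the real guard.
        if ($e->getCode() === 1062) {
            return 'Sorry, that username already exists.';
        }
        throw $e;
    }
    return null;
}

// Request handling, mirroring the thread's session-plus-redirect pattern.
session_start();
$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

try {
    $error = registerMember(connectDb(), $username, $password);
} catch (mysqli_sql_exception $e) {
    // Connection or query failures: log the detail, show the user a generic message.
    error_log('registration failed: ' . $e->getMessage());
    $error = 'Registration is temporarily unavailable. Please try again later.';
}

if ($error !== null) {
    $_SESSION['ERROR1'] = $error;
    header('Location: /join/');
    exit;
}
header('Location: /join/welcome.php');  // assumed success page
exit;
```

The page at `/join/` still has to `echo htmlspecialchars($_SESSION['ERROR1'])` (and then unset it) for the message to appear, as the reply notes; escaping it on output keeps a crafted username from being rendered as HTML.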