Jump to content

Login/Registration Code Issue


ou8jonesy
Go to solution Solved by ou8jonesy,

Recommended Posts

I have this working code except I can't redirect to a thank you page when a new user registers.  When they login it works without issue.  I just don't know where or what to put for the registration part.

 

Here is my Code.  Any help would be much appreciated.

 

<?php  
include_once('config.php');  
  
// Reset errors and success messages  
$errors = array();  
$success = array();  
  
// Login attempt  
if(isset($_POST['loginSubmit']) && $_POST['loginSubmit'] == 'true'){  
    $loginEmail = trim($_POST['email']);  
    $loginPassword  = trim($_POST['password']);  
      
    if (!eregi("^[^@]{1,64}@[^@]{1,255}$", $loginEmail))  
        $errors['loginEmail'] = 'Your email address is invalid.';  
      
    if(strlen($loginPassword) < 6 || strlen($loginPassword) > 12)  
        $errors['loginPassword'] = 'Your password must be between 6-12 characters.';  
      
    if(!$errors){  
        $query  = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($loginEmail) . '" AND password = MD5("' . $loginPassword . '") LIMIT 1';  
        $result = mysql_query($query);  
        if(mysql_num_rows($result) == 1){  
            $user = mysql_fetch_assoc($result);  
            $query = 'UPDATE users SET session_id = "' . session_id() . '" WHERE id = ' . $user['id'] . ' LIMIT 1';  
            mysql_query($query);  
            header('Location: index.php');  
            exit;  
        }else{  
            $errors['login'] = 'No user was found with the details provided.';  
        }  
    }  
}  
  
// Register attempt  
if(isset($_POST['registerSubmit']) && $_POST['registerSubmit'] == 'true'){  
    $registerEmail = trim($_POST['email']);  
    $registerPassword = trim($_POST['password']);  
    $registerConfirmPassword    = trim($_POST['confirmPassword']);  
      
    if (!eregi("^[^@]{1,64}@[^@]{1,255}$", $registerEmail))   
        $errors['registerEmail'] = 'Your email address is invalid.';  
      
    if(strlen($registerPassword) < 6 || strlen($registerPassword) > 12)     
        $errors['registerPassword'] = 'Your password must be between 6-12 characters.';  
      
    if($registerPassword != $registerConfirmPassword)  
        $errors['registerConfirmPassword'] = 'Your passwords did not match.';  
      
    // Check to see if we have a user registered with this email address already  
    $query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($registerEmail) . '" LIMIT 1';  
    $result = mysql_query($query);  
    if(mysql_num_rows($result) == 1)   
        $errors['registerEmail'] = 'This email address already exists.';  
      
    if(!$errors){  
        $query = 'INSERT INTO users SET email = "' . mysql_real_escape_string($registerEmail) . '",  
                                                                        password = MD5("' . mysql_real_escape_string($registerPassword) . '"),  
                                                                        date_registered = "' . date('Y-m-d H:i:s') . '"';  
          
        if(mysql_query($query)){  
            $success[header('Location: index.php')]; 
        }else{  
            $errors['register'] = 'There was a problem registering you. Please check your details and try again.';  
        }  
    }  
      
}  
?>  
 
//login code
 <form class="box400" name="loginForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">  
        <h2>Login</h2>  
        <?php if($errors['login']) print '<div class="invalid">' . $errors['login'] . '</div>'; ?>  
          
        <label for="email">Email Address</label>  
        <input type="text" name="email" value="<?php echo htmlspecialchars($loginEmail); ?>" />  
        <?php if($errors['loginEmail']) print '<div class="invalid">' . $errors['loginEmail'] . '</div>'; ?>  
          
        <label for="password">Password <span class="info">6-12 chars</span></label>  
        <input type="password" name="password" value="" />  
        <?php if($errors['loginPassword']) print '<div class="invalid">' . $errors['loginPassword'] . '</div>'; ?>  
          
        <label for="loginSubmit"> </label>  
        <input type="hidden" name="loginSubmit" id="loginSubmit" value="true" />  
        <input type="submit" value="Login" /> 
          </form>   
 
//registration code
<form class="box400" name="registerForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">  
        <h2>Register</h2>  
        <?php if($success['register']) print '<div class="valid">' . $success['register'] . '</div>'; ?>  
        <?php if($errors['register']) print '<div class="invalid">' . $errors['register'] . '</div>'; ?>  
          
        <label for="email">Email Address</label>  
        <input type="text" name="email" value="<?php echo htmlspecialchars($registerEmail); ?>" />  
        <?php if($errors['registerEmail']) print '<div class="invalid">' . $errors['registerEmail'] . '</div>'; ?>  
          
        <label for="password">Password</label>  
        <input type="password" name="password" value="" />  
        <?php if($errors['registerPassword']) print '<div class="invalid">' . $errors['registerPassword'] . '</div>'; ?>  
          
        <label for="confirmPassword">Confirm Password</label>  
        <input type="password" name="confirmPassword" value="" />  
        <?php if($errors['registerConfirmPassword']) print '<div class="invalid">' . $errors['registerConfirmPassword'] . '</div>'; ?>  
          
        <label for="registerSubmit"> </label>  
        <input type="hidden" name="registerSubmit" id="registerSubmit" value="true" />  
        <input type="submit" value="Register" />  
    </form>

 

Link to comment
Share on other sites

Thanks trq for the quick reply.  My question on top of that then is the ('Location: index.php') is where my users are pointed after they login.  If I replace it then when logging in they would be pointed to the wrong page - correct?

Link to comment
Share on other sites

Replace:

 

$success[header('Location: index.php')]; 
with:

 

header('Location: thankyou.php');
Then create the thankyou.php page.

 

Thanks trq for the quick reply.  My question on top of that then is the ('Location: index.php') is where my users are pointed after they login.  If I replace it then when logging in they would be pointed to the wrong page - correct?

Link to comment
Share on other sites

I wouldn't waste my time trying to debug this. The code is at least 10 years behind and full of much worse issues. You're riding a dead horse.

 

I don't even know where to start:

  • The mysql_* functions are obsolete since more than a decade and will be removed in one of the next PHP versions.
  • The ereg* functions are even older. They were replaced with the preg_* functions somewhere around the year 2000, I think. That's a damn long time.
  • MD5? I guess it was acceptable back in the 90s, but current hardware can break this is a matter of minutes.
  • You have SQL injection vulnerabilities via the password parameter.
  • You have cross-site scripting vulnerabilities via $_SERVER['PHP_SELF']
  • The e-mail check is ... weird. Should “0@0” really be accepted?
  • The check if the e-mail address is already registered doesn't work for simultaneous requests.

I understand that this might be legacy code. Or maybe you've just used some really, really bad tutorials or books. So I'm not blaming you.

 

But this definitely needs an update. PHP today is very different from the PHP of the 90s.

 

 

 

 

Link to comment
Share on other sites

I wouldn't waste my time trying to debug this. The code is at least 10 years behind and full of much worse issues. You're riding a dead horse.

 

I don't even know where to start:

  • The mysql_* functions are obsolete since more than a decade and will be removed in one of the next PHP versions.
  • The ereg* functions are even older. They were replaced with the preg_* functions somewhere around the year 2000, I think. That's a damn long time.
  • MD5? I guess it was acceptable back in the 90s, but current hardware can break this is a matter of minutes.
  • You have SQL injection vulnerabilities via the password parameter.
  • You have cross-site scripting vulnerabilities via $_SERVER['PHP_SELF']
  • The e-mail check is ... weird. Should “0@0” really be accepted?
  • The check if the e-mail address is already registered doesn't work for simultaneous requests.

I understand that this might be legacy code. Or maybe you've just used some really, really bad tutorials or books. So I'm not blaming you.

 

But this definitely needs an update. PHP today is very different from the PHP of the 90s.

Damn that sucks.  Yes it was a Tutorial.  Plus it's live and working.  How do I start fresh without messing up my sql database? Or better yet where do I start?

Link to comment
Share on other sites

You should take the form offline. It took me 2 minutes to find your website, and you've just invited all script kiddies to give it a try.

 

Start by learning to use the PDO interface. This is the “new” database interface for PHP. It also supports parameterized queries as a solution to the dreaded SQL injection problem.

 

It's also crucial that you understand the basics of web security, in particular how to prevent cross-site scripting and how to store passwords. Escape everything, including variables like $_SERVER['PHP_SELF'].

 

This will already be a huge step forward.

Link to comment
Share on other sites

  • Solution

You should take the form offline. It took me 2 minutes to find your website, and you've just invited all script kiddies to give it a try.

 

Start by learning to use the PDO interface. This is the “new” database interface for PHP. It also supports parameterized queries as a solution to the dreaded SQL injection problem.

 

It's also crucial that you understand the basics of web security, in particular how to prevent cross-site scripting and how to store passwords. Escape everything, including variables like $_SERVER['PHP_SELF'].

 

This will already be a huge step forward.

Thanks Jacques1

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.