ambo Posted May 25, 2016

```php
<?php
session_start();
if(isset($_SESSION['user'])!="") {
    header("Location: home.php");
}
include_once 'dbconnect.php';

if(isset($_POST['btn-signup'])) {
    $uname = mysql_real_escape_string($_POST['uname']);
    $email = mysql_real_escape_string($_POST['email']);
    $upass = md5(mysql_real_escape_string($_POST['pass']));
    $phone = mysql_real_escape_string($_POST['phone']);
    $fname = mysql_real_escape_string($_POST['fname']);
    $lname = md5(mysql_real_escape_string($_POST['lname']));

    $uname = trim($uname);
    $email = trim($email);
    $upass = trim($upass);
    $phone = trim($phone);
    $fname = trim($fname);
    $lname = trim($lname);

    // email exist or not
    $query  = "SELECT user_name FROM users WHERE user_name='$uname'";
    $result = mysql_query($query);
    $count  = mysql_num_rows($result);

    // if email not found then register
    if($count == 0){
        if(mysql_query("INSERT INTO `users` (`user_id`, `user_name`, `user_email`, `user_pass`, `user_phone`, `user_fname`, `user_lname`, `user_level`) VALUES(NULL,'$uname','$email','$upass','$phone','$fname','$lname',1)")) {
?>
<script>alert('successfully registered ');</script>
<?php
        } else {
?>
<script>alert('error while registering you...');</script>
<?php
        }
    } else{
?>
<script>alert('Sorry Email ID already taken ...');</script>
<?php
    }
}
?>
<!DOCTYPE html PUBLIC >
<html xmlns="">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Runkys</title>
<?php include_once 'csslist.php'; ?>
</head>
<body>
<?php include_once 'header.php'; ?>
<div id="body">
    <div id="login-form">
        <form method="post">
            <table align="center" width="30%" border="0">
                <tr><td><input type="email" name="email" placeholder="Your Email" required /></td></tr>
                <tr><td><input type="text" name="uname" placeholder="User Name" required /></td></tr>
                <tr><td><input type="password" name="pass" placeholder="Your Password" required /></td></tr>
                <tr><td><input type="text" name="phone" placeholder="Phone Number" required /></td></tr>
                <tr><td><input type="text" name="fname" placeholder="First Name" required /></td></tr>
                <tr><td><input type="text" name="lname" placeholder="Last Name" required /></td></tr>
                <tr><td><button type="submit" name="btn-signup">Sign Me Up</button></td></tr>
                <tr><td><a href="index.php">Sign In Here</a></td></tr>
            </table>
        </form>
    </div>
</div>
</body>
</html>
```

I am new to this and can't figure out what I am missing. I modeled it after another page that I have that works. This is a learning curve for me, please teach me what I did wrong. It's a simple register script where it checks to see if the username is already in the db.
benanamen Posted May 25, 2016 (edited)

This code is all kinds of wrong. You are using obsolete code that has been removed from PHP. Md5 was cracked like 20 years ago. You need to ditch this code and start over. Depending on the name of a button to be submitted will completely fail in certain circumstances. The whole process of checking for a user name first before entering a new one is wrong as well. Using tables for page formatting went out in the 90s. You need to use CSS. I am on my phone at the moment so I can't get into detail. Others will give you more information.
mac_gyver Posted May 25, 2016 (edited)

here are three important things to do when learning php, developing php code, debugging php code, or asking for help with php code -

1) we are not sitting there with you. we don't know what you saw that leads you to believe that something didn't work. you mentioned an error while inserting to the table, but you didn't state or show what error you got, and the actual error helps pin down where and what is causing the problem. did you get a php error, a mysql database error, or one of your alert messages, and what exactly was the error message and what line of code does it refer to?

2) you need to set php's error_reporting to E_ALL and display_errors to ON, in the php.ini on your development system, to get php to report and display ALL the errors it detects. putting these two settings into your code won't help with syntax errors in your main file since your code never runs in this case. you should also turn off php's output_buffering in the php.ini.

3) your code needs to ALWAYS test for and handle errors that can occur with statements. when developing and debugging code, you would display the errors; when running code on a live server, you would log the errors. by testing for and handling errors, your code will tell you when, where, and give you information about why it is failing. if the error you are getting is your alert with "error while registering you...", having error handling in your code for the database query would tell you why the query failed. the type of error handling you can use is dependent on what sort of statements you are using. the best choice is to use exceptions to handle errors. the mysql_ statements you are using should be converted to statements from the PDO extension, which does support exceptions.

in addition to updating the code and the problems already mentioned, here is a list of things it needs to do or do differently -

1) your login test needs to just test if the session variable isset(). isset() returns a Boolean value, to be directly used by program logic. there's no point in testing if the value isset() returned is not equal to an empty string, which is probably left over from before the code had an isset() statement in it.

2) the header() redirect needs an exit; statement after it to STOP the code from running. your current code still runs when the session variable is set.

3) your form processing code should set any error messages in a php array. you would output the error messages at the appropriate point in your html markup. the code currently outputs the alert messages before the start of your <!DOCTYPE tag.

4) your form processing code should validate each input to ensure it is not empty and that it contains a value with an expected format.

5) you should repopulate the form fields with previously entered values, so that if there is a validation error, the user doesn't have to reenter the data over and over.

6) while you are changing the code to use the PDO extension, use a prepared query to supply data values to the sql statement. this will eliminate the need to escape string data.

7) the best choice for password hashing is to use php's password_hash() and password_verify() functions. there are code examples in the php.net documentation.
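Putting the list above into one handler, as an added example (this is not code from the thread or from the original poster): PDO in exception mode, a prepared INSERT, password_hash(), per-field validation collected in an $errors array, and a UNIQUE index on user_name so the database rejects duplicates instead of a SELECT-then-INSERT check. To run stand-alone it creates an in-memory SQLite table (assumes the pdo_sqlite extension); the column names follow the original `users` table, and a MySQL DSN would replace the SQLite one in a real dbconnect.php. The demo input at the bottom is constructed.

```php
<?php
// Added example, not the original poster's code. Assumes pdo_sqlite is available for the
// self-contained demo; in production the DSN would point at the MySQL database instead.
declare(strict_types=1);

function connectDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw, nothing is silent
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (
        user_id    INTEGER PRIMARY KEY AUTOINCREMENT,
        user_name  TEXT NOT NULL UNIQUE,
        user_email TEXT NOT NULL,
        user_pass  TEXT NOT NULL,
        user_phone TEXT NOT NULL,
        user_fname TEXT NOT NULL,
        user_lname TEXT NOT NULL,
        user_level INTEGER NOT NULL DEFAULT 1)');
    return $pdo;
}

/** Check every field for presence and format. Returns [errors keyed by field, cleaned values]. */
function validateSignup(array $post): array
{
    $errors = [];
    $v = [];
    foreach (['uname', 'email', 'phone', 'fname', 'lname'] as $f) {
        $v[$f] = trim((string) ($post[$f] ?? ''));
    }
    $v['pass'] = (string) ($post['pass'] ?? ''); // never trim a password: spaces are part of it

    if (!preg_match('/^[A-Za-z0-9_]{3,30}$/', $v['uname'])) {
        $errors['uname'] = 'User name must be 3 to 30 letters, digits or underscores.';
    }
    if (filter_var($v['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Enter a valid email address.';
    }
    if (strlen($v['pass']) < 8) {
        $errors['pass'] = 'Password must be at least 8 characters.';
    }
    if (!preg_match('/^\+?[0-9 ()-]{6,20}$/', $v['phone'])) {
        $errors['phone'] = 'Enter a valid phone number.';
    }
    foreach (['fname' => 'First name', 'lname' => 'Last name'] as $f => $label) {
        if ($v[$f] === '' || strlen($v[$f]) > 100) {
            $errors[$f] = "$label is required (at most 100 bytes).";
        }
    }
    return [$errors, $v];
}

/** Try to create the account. Returns [] on success, otherwise errors for the form to show. */
function registerUser(PDO $pdo, array $post): array
{
    [$errors, $v] = validateSignup($post);
    if ($errors !== []) {
        return $errors; // the page re-renders the form with $v in the value="" attributes, htmlspecialchars()'d
    }
    $sql = 'INSERT INTO users (user_name, user_email, user_pass, user_phone, user_fname, user_lname, user_level)
            VALUES (:uname, :email, :pass, :phone, :fname, :lname, 1)';
    try {
        $pdo->prepare($sql)->execute([
            ':uname' => $v['uname'],                                 // bound as data, so no escaping needed
            ':email' => $v['email'],
            ':pass'  => password_hash($v['pass'], PASSWORD_DEFAULT), // salted, slow; checked later with password_verify()
            ':phone' => $v['phone'],
            ':fname' => $v['fname'],
            ':lname' => $v['lname'],                                 // stored as typed, not hashed
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation: the UNIQUE index refused a duplicate
        // user name. Letting the database enforce this removes the SELECT-then-INSERT race.
        if ((string) $e->getCode() === '23000') {
            return ['uname' => 'Sorry, that user name is already taken.'];
        }
        throw $e; // anything else is a real fault: log it and show a generic error page
    }
    return [];
}

// In the page, the handler runs on any POST rather than on the presence of a button name:
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') { $errors = registerUser($pdo, $_POST); }
// and the logged-in redirect gets its exit:
//   if (isset($_SESSION['user'])) { header('Location: home.php'); exit; }

// Demo run on constructed input (not a real request):
$pdo  = connectDb();
$form = ['uname' => 'ambo', 'email' => 'ambo@example.com', 'pass' => 'correct horse battery',
         'phone' => '+1 555 0100', 'fname' => 'Am', 'lname' => 'Bo'];
var_dump(registerUser($pdo, $form));                    // first signup
var_dump(registerUser($pdo, $form));                    // same user name again, refused by the UNIQUE index
var_dump(registerUser($pdo, ['uname' => 'x'] + $form)); // stopped by validation before the database is touched
```

The error array is keyed by field name so the template can print each message next to its input; the duplicate-name case comes back through the same array, so the page has one place to render failures instead of three alert() calls emitted before the doctype.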
Psycho Posted May 25, 2016 (edited)

I assume you didn't really mean to hash the last name:

$lname = md5(mysql_real_escape_string($_POST['lname']));

"Md5 was cracked like 20 years ago."

Just to be clear: MD5 was only "cracked" with respect to collisions. For example, one use for a hash is to provide a hash for a file so that file can be made available for download from multiple independent sites. By performing a hash on the downloaded file and comparing against the hash from the originator you can be assured that the file you downloaded has not been tampered with. The weakness discovered could allow a malicious user to generate another file in such a way as to generate the same hash. No "crack" exists that makes MD5 more susceptible to preimages, i.e. determining the original value from the hash (although it should not be used for passwords for other reasons; see below).

The flaw that does exist with MD5 is that it is fast. Therefore, a malicious user can use a brute force approach to run millions/billions of combinations to try and find "a value" that generates the same hash. There is no 100% certainty that the value found that produces the same hash is the exact same source value, but when dealing with passwords, it doesn't matter.

1) The logic typically is just looking for a source that ultimately creates the same hash, so it doesn't matter if it is really the same password or not.

2) When dealing with passwords, the min-max lengths and the available character set make the universe of possible values a finite number. It would not be impossible to run every possible combination of values (even for different salts) in a reasonable amount of time.

Any hashing method can be brute forced, which is why you want to use a method that is slow; so the time required to go through all possible values would take an extraordinary amount of time. That is why users should use complex passwords.

If an attacker has a DB full of hashed passwords, they could simply do a brute force using a dictionary attack of common words to find matches.
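The dictionary attack described in the post above, run against both kinds of store, as an added example (not code from the thread). The "leaked" user table, the wordlist and the user names are all constructed here; nothing is taken from a real breach. It shows the two things that make md5() a bad password store: one hash computation per word serves every user in the table (and identical passwords are visible before any cracking), whereas password_hash() output is salted per user and slow, so the attacker pays the bcrypt cost once per (user, guess) pair.

```php
<?php
// Added example, not from the thread. Everything below is constructed test data.
declare(strict_types=1);

$wordlist = ['123456', 'password', 'letmein', 'qwerty', 'dragon', 'hunter2'];

// Constructed leak: what the original script would have stored (md5, no salt).
$md5Leak = [
    'alice' => md5('hunter2'),
    'bob'   => md5('letmein'),
    'carol' => md5('hunter2'),   // same password as alice => identical hash, no cracking needed to see it
];

// The same three accounts stored with password_hash(); alice and carol now get different hashes.
$bcryptStore = [];
foreach (['alice' => 'hunter2', 'bob' => 'letmein', 'carol' => 'hunter2'] as $u => $p) {
    $bcryptStore[$u] = password_hash($p, PASSWORD_BCRYPT, ['cost' => 10]);
}

/** Attack 1: hash the wordlist once, then look every leaked hash up in that table. */
function crackMd5(array $leak, array $wordlist): array
{
    $table = [];
    foreach ($wordlist as $w) {
        $table[md5($w)] = $w;    // one md5() per word, reused against every user
    }
    $found = [];
    foreach ($leak as $user => $hash) {
        if (isset($table[$hash])) {
            $found[$user] = $table[$hash];
        }
    }
    return $found;
}

/** Attack 2: against salted bcrypt there is no shared table; each (user, guess) needs its own slow hash. */
function crackBcrypt(array $store, array $wordlist): array
{
    $found = [];
    foreach ($store as $user => $hash) {
        foreach ($wordlist as $w) {
            if (password_verify($w, $hash)) {   // re-runs bcrypt with this user's salt, tens of ms at cost 10
                $found[$user] = $w;
                break;
            }
        }
    }
    return $found;
}

$t = microtime(true);
$r1 = crackMd5($md5Leak, $wordlist);
$md5Time = microtime(true) - $t;

$t = microtime(true);
$r2 = crackBcrypt($bcryptStore, $wordlist);
$bcryptTime = microtime(true) - $t;

printf("md5:    %d of %d recovered in %.6f s, %d hash computations for the whole table\n",
       count($r1), count($md5Leak), $md5Time, count($wordlist));
printf("bcrypt: %d of %d recovered in %.3f s, up to %d hash computations\n",
       count($r2), count($bcryptStore), $bcryptTime, count($wordlist) * count($bcryptStore));
printf("alice and carol share a bcrypt hash: %s\n", $bcryptStore['alice'] === $bcryptStore['carol'] ? 'yes' : 'no');
```

Both attacks recover every account here, because the constructed passwords are in the wordlist; the difference is the cost. The md5 table is O(words) regardless of how many users leaked, while the bcrypt run is O(words x users) with each step deliberately slow, and raising the cost parameter scales that up further. That is the "slow method" argument from the post in numbers you can reproduce.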
benanamen Posted May 25, 2016 (edited)

I personally already understood the clarification you posted. I was making a dramatic point to the op to not use it without getting technical. The hows and the whys are neither here nor there. It just shouldn't be used. Good explanation for those that want to know why though.
Psycho Posted May 25, 2016 (edited)

"It just shouldn't be used."

It should not be used for password hashing or for verifying data integrity with respect to potentially malicious data. MD5 still has legitimate uses and the fact that it is fast is actually a benefit. I have used it many times for various applications:

- Checking for duplicate files or if the contents of files have changed
- When creating a service that receives data that has complex actions to be performed, I might store an MD5 hash of the original data. Then on subsequent receipts check to see if the same data has been received previously (based on the hash). If so, take no action. Otherwise process the data as needed.
- Used as a key or token generator

It's all about using the right tool for the job. It just so happens that MD5 is no longer the right tool for some jobs. But it is still regularly mentioned for password hashing in tutorials and forums. So, just saying "don't use it" is the easier approach to help stop that behavior.
Jacques1 Posted May 25, 2016 (edited)

MD5 isn't the right tool for anything except legacy applications where it's the only tool. There are so many design issues in MD5 that the whole algorithm is just plain obsolete. It's also awfully slow when (mis)used for non-cryptographic purposes. If you want a non-cryptographic hash, use a modern algorithm like MurmurHash or FarmHash which was actually designed for that purpose. If you want a simple checksum, use CRC-32. If you want a cryptographic hash, use SHA-2 or SHA-3. If you want to generate keys, use a cryptographically secure random number generator or a key derivation function. MD5 isn't good in any of those areas, because it was never meant to be. It's supposed to be a cryptographic hash function, but it failed to meet this design goal.