Jump to content

Recommended Posts

Hey i have a small site where my friends login and can register. it all works fine has been for ages but i have just had a few people make usernames using the "&" symbol, for somereason i cant actvate the account delete it or anything i have to go in to php myadmin and change there username to something without the "&" in it.


so i have 2 questions..

1) why does it become "locked" when "&" is in it?

2) what do i need to add to the code below to check for it before it makes it past the registration proccess?


here is the code which handles the registration form.

[code]<?
?>
<? require_once ("signupconfig.php"); ?>
<HTML>
<HEAD>
<TITLE>vSignup 2.5</TITLE>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</HEAD>

<BODY bgcolor="#FFFFFF" text="#000000">
<?
include ("auth.php");
$connection = mysql_connect($dbhost, $dbusername, $dbpassword);
$db = mysql_select_db($dbname);

    // EDIT THIS IF YOU MODIFIED THE SIGNUP PAGE OR
    // IF YOU ARE USING YOUR OWN SIGNUP FORM
    // We  use the addslashes() function on some variables to prevent SQL Injection
    $username = addslashes($_POST['username']);
    $password = $_POST['password'];
    $fname = $_POST['fname'];
    $lname = $_POST['lname'];
    $email = addslashes($_POST['email']);
    $country = $_POST['country'];
    $zipcode = $_POST['zipcode'];

// SIGNUP SETTINGS
$qSetup = mysql_query("SELECT * FROM signupsetup");
$SetupRow = mysql_fetch_array($qSetup);
$ValidEmailDomains = $SetupRow['validemail'];
$profile = $SetupRow['profile'];
$defaultgroup = $SetupRow['defaultgroup'];
$defaultlevel = $SetupRow['defaultlevel'];
$AutoApprove = $SetupRow['autoapprove'];
$AutoSend = $SetupRow['autosend'];
$AutoSendAdmin = $SetupRow['autosendadmin'];

// EMAILER SETTINGS
$qEmailer = mysql_query("SELECT * FROM emailer WHERE profile='$profile'");
$EmailerRow = mysql_fetch_array($qEmailer);
$EmailerName = $EmailerRow["name"];
$EmailerFrom = $EmailerRow["email"];
$EmailerSubject = $EmailerRow["subject"];
$EmailerMessage = $EmailerRow["emailmessage"];

// SIGNUP FORM PROCESSING
$EmailQuery = mysql_query("SELECT * FROM signup WHERE email='$email'");
$email = strtolower($email);
$EmailExist = mysql_num_rows($EmailQuery); // Returns 0 if not yet existing
$username = strtolower($username);
$UsernameQuery = mysql_query ("SELECT * FROM signup WHERE uname='$username'");
$UsernameExist = mysql_num_rows($UsernameQuery);

if (trim($ValidEmailDomains)=="")
{
$EmailArray = "";
}
else
{
$EmailArray = split (" ", $ValidEmailDomains);
}

// Generate confirmation key for settings which require one
$confirmkey =  md5(uniqid(rand()));

// CHECK FOR RESERVED USERNAMES
if (trim($username)=='sa' || trim($username)=='admin' || trim($username)=='test')
{
$UsernameExist = 1;
}

// CHECK FOR REQUIRED FIELDS
if (empty($username))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Username field cannot be left blank!</b></font></p>";
exit;
}
if (empty($password))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Password field cannot be left blank!</b></font></p>";
exit;
}
if (empty($fname))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>First Name field cannot be left blank!</b></font></p>";
exit;
}
if (empty($lname))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Last Name field cannot be left blank!</b></font></p>";
exit;
}
if (empty($email))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Email field cannot be left blank!</b></font></p>";
exit;
}
if (empty($country))
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Tell me where i know you from!!</b></font></p>";
exit;
}
// Validate Email Address String
  $good = ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.
              '@'.
              '[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.
              '[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$',
              $email);
if (!$good)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Email field has invalid characters!</b></font></p>";
exit;
}



// Validate Email Address String - FOR VALID EMAIL DOMAINS
$found=false;
if ($EmailArray!="")
{
for ($ct=0;$ct<=sizeof($EmailArray)-1;$ct++)
{
if (eregi($EmailArray[$ct], $email))
{
$ct=sizeof($EmailArray);
$found=true;
}
else
{
$found=false;
}
}
}
else
{
$found = true;
}
if (!$found)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Email address does not belong to the list of allowable email domains!</b></font></p>";
exit;
}

// Make sure username does not yet exist in the db
if ($UsernameExist>0)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Username already exists in the database!</b></font></p>";
exit;
}

// Make sure email address does not yet exist in the db
if ($EmailExist>0)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Email address already exists in the database!</b></font></p>";
exit;
}

// *********************************************************
// CHANGE THIS IF YOU WANT TO ADD FIELDS TO YOUR SIGNUP FORM
// *********************************************************
// Add new member to table signup
$addmember = mysql_query("INSERT INTO signup VALUES ('','$username','$fname','$lname','$email','$country','$zipcode',NOW(),'$confirmkey')");

// If SUCCESSFUL, add to vAuthenticate tables too
if ($addmember)
{
// Is the member auto-approved or not?
if ($AutoApprove==1)
{
$MemberStatus = "active";
}
else
{
$MemberStatus = "inactive";
}

$AddToAuth = new auth();
$add = $AddToAuth->add_user($username,$password,$defaultgroup,$defaultlevel,$MemberStatus,'', 0);
}

// Do we automatically send email notification to member or not?
if ($AutoSend == 1)
{
// if successful in adding to vAuthenticate, send confirmation email
if ($add==1)
{
// Replace all occurrences of the keys
// AVAILABLE KEYS: [[UNAME]], [[LNAME]], [[FNAME]], [[PASSWD]], [[EMAIL]], [[CONFIRM]]
$EmailerMessage = str_replace("[[UNAME]]", $username, $EmailerMessage);
$EmailerMessage = str_replace("[[PASSWD]]", $password, $EmailerMessage);
$EmailerMessage = str_replace("[[FNAME]]", $fname, $EmailerMessage);
$EmailerMessage = str_replace("[[LNAME]]", $lname, $EmailerMessage);
$EmailerMessage = str_replace("[[EMAIL]]", $email, $EmailerMessage);
$EmailerMessage = str_replace("[[CONFIRM]]", $confirm . '?confirmkey=' . $confirmkey, $EmailerMessage);

$sent = @mail($email, $EmailerSubject, $EmailerMessage, "From:$EmailerName<$EmailerFrom>\nReply-to:$EmailerFrom");
// $sent = @mail($email, $EmailerSubject, $EmailerMessage, "From:$EmailerName<$EmailerFrom>\nReply-to:$EmailerFrom\nContent-Type: text/html; charset=iso-8859-15");
}
}
// echo $EmailerMessage; // DEBUGGER

// Do we automatically send notification message to the admin's email address (see signupconfig.php)?
if ($AutoSendAdmin == 1)
{
if ($add==1)
{
$AdminSubject = "New Membership Application!";
$AdminMessage = "This is to inform you that " . $fname . " with the username " . $username . " has applied for membership to our site. ypu  know them from -------------- " .$country. "******************  you can reply to " . $email . " click here to activate " . $$confirm . " "  . $confirmkey . "    [[CONFIRM]]";
$sent = @mail($adminemail, $AdminSubject, $AdminMessage, "From:$EmailerName<$EmailerFrom>\nReply-to:$EmailerFrom");
}
}
?>

<P><FONT size="3" face="Verdana, Arial, Helvetica, sans-serif" color="#FF0000"><B>Thank
  you for signing up!</B></FONT></P>

<P>
  <?
if ($AutoSend == 1)
{
print "<p><font size=\"2\" face=\"Verdana, Arial, Helvetica, sans-serif\">";
print "A confirmation email was sent to the email address you specified. <br>";
print "Please confirm your membership as soon as you receive the email.";
  print "</font></p>";
}
else
{
print "<p><font size=\"2\" face=\"Verdana, Arial, Helvetica, sans-serif\">";
print "Please click <a href=\"$RelLogin\">here</a> to go back to the login area";
  print "</font></p>";
}
?>
</P>
<P>Click <STRONG><A href="login.php">here</A></STRONG> to login </P>
<P>Or you can piss off!!</P>
<FORM method="get" action="http://www.google.com/custom">
  <TABLE bgcolor="#FFFFFF" cellspacing="0" cellpadding="0" border="0">
    <TR>
      <TD><A href="http://www.google.com/custom/"><IMG src="http://www.google.com/logos/Logo_40wht.gif" border="0" alt="Google" align="absmiddle"></A></TD>
      <TD><INPUT type="text" name="q" size="25" maxlength="255" value="">
          <INPUT type="submit" name="btnG" value="Google Search">
          <INPUT type="hidden" name="cof" value="L:/public_html/FLASH/logo.swf;AH:center;GL:2;BGC:#000000;BIMG:www.tyspics.com;T:#FF0000;GALT:#CCFF33;GIMP:#FF00FF;GFNT:#339900;LC:#FF00CC;ALC:#CC6600;VLC:#00FF00;">
      </TD>
    </TR>
  </TABLE>
</FORM>
<P>&nbsp; </P>
</BODY>
</HTML>
[/code]


i tried to add this code but it kept saying i had invalid characters in it no matter what i put in

[code] // Validate username Address String
  $good = ereg('&+/',

               $username);
if (!$good)
{
print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Username field has invalid characters!</b></font></p>";
exit;
}[/code]


thanksin advance for any help..


[tt]cheers[/tt]
Try this code:

[code=php:0]if (!preg_match("/[a-z0-9]/i", $username){
  print "<p><font size=\"3\" face=\"Verdana, Arial\" color=\"#FF0000\"><b>Username field has invalid characters!</b></font></p>";
  exit;
}[/code]

This should allow only numbers and letters, if you want a few additional characters, like underscore(_) period(.) or hyphen(-) then this needs to be altered slightly.

Regards
Huggie
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.