PHP Help

[Zenax]

<?Php

// including the db connection script
require_once("connect_db.php");

// declaring the variables
$username = $_POST['username'];
$password = $_POST['password'];
$passrept = $_POST['passrept'];

// stripping HTML tags from the info entered
$_POST['username'] = strip_tags($_POST['username']);
$_POST['password'] = strip_tags($_POST['password']);
$_POST['passrept'] = strip_tags($_POST['passrept']);

// Checking a username is not already taken

$SQL = "SELECT * FROM users WHERE users = $username";
$result = mysql_query($SQL);
$num_rows = mysql_num_rows($result)or die(mysql_error());

if ($num_rows > 0) {
$errorMessage = "Username already taken";
}
else {
}

// encrypt the password into md5
$_POST['password'] = md5($_POST['password']);

// inserting the data into the db
$insert = mysql_query("INSERT INTO users VALUES ('". $_POST['username'] ."', '". $_POST['password'] ."') ")
    or die("Could not insert data because ".mysql_error());
    
echo ('Your account has been added!');



?>

Currently working on a PHP registration script for my CMS. I am needing to check if a username is taken, and the tutorials I have fount online seem to follow the route highlighted in bold.

Do help me out as that method does not work. Thanks for your help.

 

[Brandon]

Try this, you had the data outside the else {}, so it didn't matter.

<?Php

// including the db connection script
require_once("connect_db.php");

// declaring the variables
$username = $_POST['username'];
$password = $_POST['password'];
$passrept = $_POST['passrept'];

// stripping HTML tags from the info entered
$_POST['username'] = strip_tags($_POST['username']);
$_POST['password'] = strip_tags($_POST['password']);
$_POST['passrept'] = strip_tags($_POST['passrept']);

// Checking a username is not already taken

$SQL = "SELECT * FROM users WHERE users = $username";
$result = mysql_query($SQL);
$num_rows = mysql_num_rows($result)or die(mysql_error());

if ($num_rows > 0) {
$errorMessage = "Username already taken";
}
else {

// encrypt the password into md5
$_POST['password'] = md5($_POST['password']);

// inserting the data into the db
$insert = mysql_query("INSERT INTO users VALUES ('". $_POST['username'] ."', '". $_POST['password'] ."') ")
    or die("Could not insert data because ".mysql_error());
    
echo ('Your account has been added!');

}



?>

 

[Zenax]

Did i mention that this is my error message:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in ..[file path here removed for security].. on line 20
Unknown column 'test' in 'where clause'

 

[trev]

From that im guessing u can try this replace

$SQL = "SELECT * FROM users WHERE users = $username";

with

$SQL = "SELECT * FROM users WHERE users = '$username'";

 

[Zenax]

ok so that got rid of the error message. however now all I get is a blank page, and the "Your account has been added" doesnt show up when I add a new account.

Second, I don't get an error message now when i use a username that should be taken.

 

[trev]

<?php

// including the db connection script
require_once("connect_db.php");

// declaring the variables
$username = $_POST['username'];
$password = $_POST['password'];
$passrept = $_POST['passrept'];

// stripping HTML tags from the info entered
$_POST['username'] = strip_tags($_POST['username']);
$_POST['password'] = strip_tags($_POST['password']);
$_POST['passrept'] = strip_tags($_POST['passrept']);

// Checking a username is not already taken

$q = mysql_query("SELECT * FROM Users WHERE Username = '$username'") or die(mysql_error());
if(mysql_num_rows($q) > 0)
{

echo '<script>alert("The username you entered is already in use, please try again.");</script>';
echo '<script>history.back(1);</script>';
exit;

}
else {

// encrypt the password into md5
$_POST['password'] = md5($_POST['password']);

// inserting the data into the db
$insert = mysql_query("INSERT INTO users VALUES ('". $_POST['username'] ."', '". $_POST['password'] ."') ")
    or die("Could not insert data because ".mysql_error());
    
echo ('Your account has been added!');

}



?>

Try that its something from an old script i use.

 

[Zenax]

Unknown column 'user' in 'where clause'

this be annoying. script was working fine until i included this part of the script .... added for extra security!

 

[trev]

<?Php

// including the db connection script
require_once("connect_db.php");

// declaring the variables
$username = $_POST['username'];
$password = $_POST['password'];
$passrept = $_POST['passrept'];

// stripping HTML tags from the info entered
$_POST['username'] = strip_tags($_POST['username']);
$_POST['password'] = strip_tags($_POST['password']);
$_POST['passrept'] = strip_tags($_POST['passrept']);

// Checking a username is not already taken

$q = mysql_query("SELECT * FROM users WHERE users = '$username'") or die(mysql_error());
if(mysql_num_rows($q) > 0)
{

echo '<script>alert("The username you entered is already in use, please try again.");</script>';
echo '<script>history.back(1);</script>';
exit;

}
else {

// encrypt the password into md5
$_POST['password'] = md5($_POST['password']);

// inserting the data into the db
$insert = mysql_query("INSERT INTO users VALUES ('". $_POST['username'] ."', '". $_POST['password'] ."') ")
    or die("Could not insert data because ".mysql_error());
    
echo ('Your account has been added!');

}



?>

Little tweaking, you realy do need the username check though without it people will never know when they use the same username.

 

[Chris Z]

Try making the post variables their own variables, such as:

$PassWord = md5($_POST['password']);

If you do this, then the insert would look like this:

$insert = mysql_query("INSERT INTO `users` (`username`, `password`) VALUES ('$UserName', '$PassWord');

 

[samurai1993]

I saw that the script repeat the same code many times, you can split some code into a single line
And I recomend to use Salt Text with the md5 hash
You can put the salt text into your config file, for example

$salt  =  "putyoursalttexthere" ;

[COLOR=#000000][COLOR=#FF8000]// declaring the variables 
[/COLOR][COLOR=#0000BB]$username [/COLOR][COLOR=#007700]= [/COLOR][/COLOR][COLOR=#000000][COLOR=#0000BB]strip_tags([/COLOR][/COLOR][COLOR=#000000][COLOR=#0000BB]$_POST[/COLOR][COLOR=#007700][[/COLOR][COLOR=#DD0000]'username'[/COLOR][COLOR=#007700]]); 
[/COLOR][COLOR=#0000BB]$password [/COLOR][COLOR=#007700]= [/COLOR][/COLOR][COLOR=#000000][COLOR=#0000BB]strip_tags([/COLOR][/COLOR][COLOR=#000000][COLOR=#0000BB]md5[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]$salt . $_POST[/COLOR][COLOR=#007700][[/COLOR][COLOR=#DD0000]'password'[/COLOR][COLOR=#007700]]))[/COLOR][/COLOR][COLOR=#000000][COLOR=#007700]; 
[/COLOR][COLOR=#0000BB]$passrept [/COLOR][COLOR=#007700]= [/COLOR][/COLOR][COLOR=#000000][COLOR=#0000BB]strip_tags([/COLOR][/COLOR][COLOR=#000000][COLOR=#0000BB]md5[/COLOR][COLOR=#007700]([/COLOR][COLOR=#0000BB]$salt . $_POST[/COLOR][COLOR=#007700][[/COLOR][COLOR=#DD0000]'[/COLOR][/COLOR][COLOR=#000000][COLOR=#0000BB]passrept[/COLOR][/COLOR][COLOR=#000000][COLOR=#DD0000]'[/COLOR][COLOR=#007700]]))[/COLOR][/COLOR][COLOR=#000000][COLOR=#007700]; [/COLOR][/COLOR]

 

[Zenax]

so basically condense down the code.

SaltText??? Explain please?

P.S Just updated with the code from trev in his last post and it works fine. I shall perform the rest of the security updates and checks 2morrow.

p.s.s keep this thread open incase I have any more problems etc??

 

[trev]

glad to hear i can remember some php code im guessing ur quite new to php let me know if you need any help.

 

[Zenax]

and yeah i am quite new to PHP but I am learning fast. like before I started writing the registration script I didnt know about half the things, but now I understand the script from head to toe, and feel confident about adding in extra things.

Obiously I will have websites open helping me along but it is all written by me.

 

[samurai1993]

I don't know the exact name, but when I was searching a simple php tutorial, I saw the term in a page
Well, basically salt text is a text that you mix with the password provided by the user at the moment of encript the password in the registration script, and in the login script too

 

[trev]

Nice one thats exactly how i learnt php from writting scripts after reading tutorials.

 

[deadimp]

NOTE: I had typed this before I realized it worked for you. But anyways.

Your table name and column name are the same... That's probably what's making the conflict. Also, try surrounding your field/table-names in quotes ``, so they can't interfere with MySQL keywords. I use the table name `user`, with `name` and `pass`.

My style of the code: (you'll want to remove the random comments)

<?php
// including the db connection script
require_once("connect_db.php");
// declaring the variables
 //You can shorten the names (you don't have to, though). These abbreviations can't really be mistaken for anything else.
 //Also, like samurai1993 said, you can simplify your code a little more
 //In your original code, you assign the POST data to variables, but don't use them. Use them!
$user=$_POST['user'];
$pass=$_POST['pass'];
$pass2=$_POST['pass2']; //You could use arrays here, naming the inputs 'pass[0]' and 'pass[1]' (or just pass[] for both), and then use $_POST['pass'][0 or 1]

//Compare passwords
if ($pass!=$pass2) {
 //Handle error
}
$pass=$salt ^ md5($pass); //Encrypt the password, as samurai1993 said
 //But... I don't know what the value of $salt could be - I don't know whether or not it can be  string.
//Encrypting handles the MySQL injection attack security... I think...

//Instead of stripping HTML tags, just validate the user name, using regex or whatever you want, and if it isn't valid, return an error. Only allow characters such as A-Z,a-z,0-9,., etc. That way, you don't have to escape the user name either.
//... validation code

// Checking a username is not already taken
$q="select * from `user` where `name`='$name'";
$res=mysql_query($q); //Warning! From past experience, I've found that any string literals passed directly mysql_query() (actually using quotes "") are not parsed, so '$name' will be used instead of "$name", the value of the variable.
if(mysql_num_rows($res)) {
 die("Roar!");
}
else {
 // inserting the data into the db
 $q="insert into `user` values ('$name', '$pass')"; //$name shouldn't make the  query open to attack, and $pass is already encrypted.
 $res=mysql_query($q) or die("Could not insert data because ".mysql_error());
 echo "Your account has been added!'";
}
?>

On the overall design, I don't think I'd make the script die if there was a MySQL error. You should change it up some so the script doesn't stop dead in the water if there is one.

Just some suggestions.

 

[Zenax]

Go here to see the script in action:

http://zenax.x10hosting.com/ZenCMS/register/

you can test to see if it added your username by visiting the link supplied on the login success page!

 

[deadimp]

Seems to work pretty well.
Tried doing some sort of MySQL injection attack (well, just something that wouldn't make the query parse), and it didn't work. So that's good.
[Might want to add some line breaks on the user list]

 

[Zenax]

Yeah I was trying to figure that out.

I use this to get the results:

// For Example we shall use the $a

$a = mysql_query('SELECT a FROM b');
while ($a1 = mysql_fetch_array($a, MYSQL_ASSOC))

print $a1{'a'};

I cant figure out how to make the results break. There is obviously different ways of getting the results but that is the one I used!

 

[deadimp]

Uhh... I don't even get how that last line does not incur a parse error - I've never used that kind of syntax.
All you have to do to add a line break is just add that string, "<br>", to your output.

<?php
echo "$a1[0]<br>";
//or
echo $a1[0]."<br>"; //etc
?>