Registration Submit shows code

wtvelocity

I'm trying to program a PHP registration script, but when I click submit, it ends up DISPLAYING register.php instead of processing it.

Register.htm
Code:
<?php include('vdaemon.php'); ?>
<HTML>
<BODY>
<form name="login" method="post" action="register.php">
<table border="0" width="225" align="center">
    <tr>
        <td width="219" bgcolor="#999999">
            <p align="center"><font color="white"><span style="font-size:12pt;"><b>Registration</b></span></font></p>
        </td>
    </tr>
    <tr>
        <td width="219">
            <table border="0" width="282" align="center">
                    <tr>
                        <td width="116"><span style="font-size:10pt;">Name:</span></td>
                        <td width="156"><input type="text" name="name" maxlength="100"></td>
                    </tr>
                    <tr>
                        <td width="116"><span style="font-size:10pt;">Email:</span></td>
                        <td width="156"><input type="text" name="email" maxlength="100"></td>
                    </tr>
                <tr>
                    <td width="116"><span style="font-size:10pt;">Username:</span></td>
                    <td width="156"><input type="text" name="username"></td>
                </tr>
                <tr>
                    <td width="116"><span style="font-size:10pt;">Password:</span></td>
                    <td width="156"><input type="password" name="password"></td>
                </tr>
                <tr>
                    <td width="116">&nbsp;</td>
                        <td width="156">
                            <p align="right"><input type="submit" name="submit" value="Submit"></p>
                        </td>
                </tr>
            </table>
        </td>
    </tr>
    <tr>
        <td width="219" bgcolor="#999999">&nbsp;</td>
    </tr>
</table>
</form>
</BODY>
</HTML>

Register.php
Code:
$dbhost = "localhost";
$dbname = "wilddog_members";
$dbuser = "wilddog";
$dbpass = "(password)";

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());


$name = $_POST['name'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = $_POST['password'];



$name = $_POST['name'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = md5($_POST['password']);


$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");

$username_exist = mysql_num_rows($checkuser);

if($username_exist > 0){
    echo "I'm sorry but the username you specified has already been taken.  Please pick another one.";
    unset($username);
    include 'register.html';
    exit();
}


$query = "INSERT INTO users (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());
mysql_close();

echo "You have successfully Registered";

$yoursite = ‘ConquestOfAges.elementfx.com’;
$webmaster = ‘Christian Darwin’;
$youremail = ‘admin@conquestofages.exofire.com’;

$subject = "You have successfully registered at $yoursite...";
$message = "Dear $name, you are now registered at our web site.  
    To login, simply go to our web page and enter in the following details in the login form:
    Username: $username
    Password: $password
    
    Please print this information out and store it for future reference.
    
    Thanks,
    $webmaster";
    
mail($email, $subject, $message, "From: $yoursite <$youremail>\nX-Mailer:PHP/" . phpversion());
    
echo "Your information has been mailed to your email address.";
?>

Thanks for your time! :)
 

descalzo

Well, I now know your DB password by viewing that code.
 

wtvelocity

Thanks, but now I got this error:


Parse error: syntax error, unexpected '=' in /home/wilddog/public_html/register.php on line 46

I don't see it X(
 

descalzo

PHP:
$yoursite = ‘ConquestOfAges.elementfx.com’;
$webmaster = ‘Christian Darwin’;
$youremail = ‘admin@conquestofages.exofire.com’;

You used funky quotes. ' or " only.
 

misson

Register.php
PHP:
$name = $_POST['name'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = $_POST['password'];
...
$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
...
$query = "INSERT INTO users (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());

This is vulnerable to SQL injection. You can escape the input values to prevent this, but the more modern and simpler approach is to use prepared statements (note: only parameters in prepared statements are invulnerable to SQL injection). Read "Writing MySQL Scripts with PHP and PDO" for more information on using the PDO driver (which has better support for prepared statements than mysqli).

Displaying the output of mysql_error() to users discloses too much information; it's both a security risk and doesn't offer users anything useful.
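
The two points in the reply above (PDO prepared statements, and keeping database errors away from visitors) as an added example that is not part of the original thread or any poster's code. Assumptions: `register_user()` is a hypothetical helper, an in-memory SQLite DSN stands in for the MySQL database so the script runs offline, and `password_hash()` is this example's substitution for the `md5()` call in the question.

```php
<?php
// Added example (not the thread's code). In-memory SQLite keeps it runnable
// offline; with MySQL only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    name TEXT, email TEXT, username TEXT UNIQUE, password TEXT)');

// Hypothetical helper: returns a message that is safe to show the visitor.
function register_user(PDO $pdo, array $post): string
{
    $name     = trim((string)($post['name'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');
    if ($name === '' || $username === '' || $password === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please fill in every field with valid values.';
    }
    try {
        // Values travel as bound parameters, never as part of the SQL text.
        $check = $pdo->prepare('SELECT 1 FROM users WHERE username = :u');
        $check->execute([':u' => $username]);
        if ($check->fetchColumn() !== false) {
            return 'That username is already taken.';
        }
        $insert = $pdo->prepare('INSERT INTO users (name, email, username, password)
                                 VALUES (:n, :e, :u, :p)');
        $insert->execute([
            ':n' => $name, ':e' => $email, ':u' => $username,
            // Substitution for the question's md5(): a salted, slow hash.
            ':p' => password_hash($password, PASSWORD_DEFAULT),
        ]);
        return 'You have successfully registered.';
    } catch (PDOException $e) {
        // Detail goes to the server log; the visitor sees a generic message.
        error_log('registration failed: ' . $e->getMessage());
        return 'Registration failed. Please try again later.';
    }
}

// Constructed input: a username containing SQL metacharacters.
// Calling twice exercises both the insert path and the duplicate check.
$post = ['name' => 'Test User', 'email' => 'test@example.com',
         'username' => "x' OR '1'='1", 'password' => 'correct horse'];
echo register_user($pdo, $post), "\n";
echo register_user($pdo, $post), "\n";
echo $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";
```

The `UNIQUE` constraint backs up the lookup: if two requests race past the `SELECT`, the second `INSERT` throws and ends in the generic message instead of a raw driver error.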
 