Register Form

Tiny Problem

Page 1 of 1

10 Replies - 17013 Views - Last Post: 04 October 2008 - 05:20 AM Rate Topic: -----

#1 Limitation  Icon User is offline

  • New D.I.C Head

Reputation: 1
  • View blog
  • Posts: 19
  • Joined: 27-September 08

Register Form

Posted 01 October 2008 - 10:34 AM

Hey again people. Well I just made a Registeration Form and it works. But got a very tiny problem, if anyone could help me out would be good. :P

Also is this form free from SQL Injection or anyother exploit? Plus please plot out mistakes if I have done some.
So the tiny problem is that after I click register a blank page appears instead of what should be (Thank you for registering, you may now log in) . Also theres no record in the database, which shows that anyone has registered, their details etc... The codes below shows the codes I used for the registeration form and to create the database and tables in MySQL.
You can try it yourself and check.

Thanks in advance :D


Code used to create database and tables.
mysql_select_db("game", $con);
$sql = "CREATE TABLE Users 
(
usersID int NOT NULL AUTO_INCREMENT,
PRIMARY KEY(usersID),
Username varchar(32) NOT NULL,
Password varchar(64) NOT NULL ,
Email varchar(64) NOT NULL ,
Ip varchar(32) NOT NULL ,
Gender ENUM('Male','Female') NOT NULL,
Date varchar(32) NOT NULL
)";



Registeration Code
<?php

$con = mysql_connect("localhost","root","secret");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
  
function protect($value){
$value = mysql_real_escape_string(value);
$value = stripslashes($value);
$value = strip_tags($value);
}

$action = $_GET['act'];
protect($action);


if(!$action){
echo "<table border=0 cellspacing=3 cellpadding=3>\n
	<form name=register method=post action=\"register.php?act=register\">\n
	<tr><td>Username:</td><td><input type=text name=username maxlength=32>\n</td><tr>\n
	<tr><td>Password:</td><td><input type=password name=password maxlength=64>\n</td></tr>\n
	<tr><td>Confirm:</td><td><input type=password name=passconf maxlength=64>\n</td></tr>\n
	<tr><td>Email:</td><td><input type=text name=email>\n</td></tr>\n
	<tr><td>Confirm:</td><td><input type=text name=econf>\n</td></tr>\n
	<tr><td>Gender</td><td><select name=gender>
		<option value=gender>Male</option>\n
		<option value=gender>Female</option>\n
	<tr><td>Your Name</td><td><input type=text name=name maxlength=32>\n
	<tr><td colspan=2 align=right><input type=submit value=\"Register\">\n";
			}

if($action=="register"){
$username = $_POST['username'];
$password = $_POST['password'];
$passconf = $_POST['passconf'];
$email = $_POST['email'];
$day = $_POST['gender'];
$name = $_POST['name'];
protect($username);
protect($passwrod);
protect($passconf);
protect($email);
protect($gender);
protect($name);

		if (isset($username) && isset($password) && isset($passconf) && isset($email) && isset($gender) && isset($name)){
			if(strlen($username) < 3 || strlen($username) > 32){
			echo "Username is either too short or too long\n";
			}else {
				if(strlen($password) < 3 || strlen($password) > 64){
				echo "Password is either too short ot too long\n";
				}else {
					if(strlen($email) < 3 || strlen($email) > 64){
					echo "Email is either too short ot too long\n";
					}else {
						if(strlen($name) < 2 || strlen($name) > 64){
						echo "Your name is either too short or too long\n";
						}else {
							if($password != $passconf){
							echo "Your password do not match\n";
							}else {
								if($email != $echoconf){
								echo "Your emails do not match\n";
								}else {
									$checkemail = "/*[a-z0-9]+([_\\.-][a-z0-9]+)*@([a-z0-9]+([\.-][a-z0-9]-)+\\.(a-z)(2;)$/";
									if(!preg_match($checkemail,$email)){
									echo "The email you entered is incorrect";
									}else {
										$sql = "SELECT = FROM 'users' WHERE 'username' ='$username'";
										$res = mysql_query($sql) or die(mysql_error());
										if(mysql_num_rows($res) > 0){
										echo "This username already exists";
										}else {
											$sql = "SELECT = FROM 'users' WHERE 'email' ='$email'";
											$res = mysql_query($sql) or die(mysql_error());
											if(mysql_num_rows($res) > 0){
											echo "The email you supplied is already in use";
											}else {
												$sql = "SELECT = FROM 'users' WHERE 'ip' ='$_SERVER[REMOTE_ADDR]'";
												$res = mysql_query($sql) or die(mysql_error());
												if(mysql_num_rows($res) > 0){
												echo "The IP is already in use";
												}else {
													$password = mds($password);
													$date = date('f j, Y @ g:i:s a');
													$sql = "INSTER INTO 'users' ('username','password','email','ip','name,'gender','date') VALUES('$username','$password,'$email','$_SERVER[REMOTE_ADDR]',' $gender,' $date);";
													$res = mysql_query($sql) or die(mysql_error());
													echo "Thank you for registering, you may now log in\n";
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}
		}
	
?>								


Is This A Good Question/Topic? 1

Replies To: Register Form

#2 Hary  Icon User is offline

  • D.I.C Regular

Reputation: 44
  • View blog
  • Posts: 427
  • Joined: 23-September 08

Re: Register Form

Posted 01 October 2008 - 11:49 AM

I'd prefer to a list of bad things detected, with a elseif, instead of this large nested tree, but that's taste.

And do you mean to SELECT * FROM instead of SELECT = FROM?
Was This Post Helpful? 0
  • +
  • -

#3 JackOfAllTrades  Icon User is offline

  • Saucy!
  • member icon

Reputation: 6039
  • View blog
  • Posts: 23,436
  • Joined: 23-August 08

Re: Register Form

Posted 01 October 2008 - 12:10 PM

Very sad that you're saving the password in the database in cleartext :(
Was This Post Helpful? 0
  • +
  • -

#4 Limitation  Icon User is offline

  • New D.I.C Head

Reputation: 1
  • View blog
  • Posts: 19
  • Joined: 27-September 08

Re: Register Form

Posted 01 October 2008 - 03:18 PM

Ill sort those out lol.
Btw what I need to know is a way that it would store registered users data in the database as soon as anyone has registered.
Anyone please ? :D
Was This Post Helpful? 0
  • +
  • -

#5 Hary  Icon User is offline

  • D.I.C Regular

Reputation: 44
  • View blog
  • Posts: 427
  • Joined: 23-September 08

Re: Register Form

Posted 02 October 2008 - 04:30 AM

That is what this is suppossed to do, and does so if all errors are gone?
Was This Post Helpful? 0
  • +
  • -

#6 Limitation  Icon User is offline

  • New D.I.C Head

Reputation: 1
  • View blog
  • Posts: 19
  • Joined: 27-September 08

Re: Register Form

Posted 03 October 2008 - 02:51 AM

Help :blink:
Was This Post Helpful? 0
  • +
  • -

#7 Hary  Icon User is offline

  • D.I.C Regular

Reputation: 44
  • View blog
  • Posts: 427
  • Joined: 23-September 08

Re: Register Form

Posted 03 October 2008 - 03:34 AM

Have you changed the SQL code? What does it do?
Was This Post Helpful? 0
  • +
  • -

#8 pemcconnell  Icon User is offline

  • D.I.C Regular
  • member icon

Reputation: 54
  • View blog
  • Posts: 472
  • Joined: 05-August 08

Re: Register Form

Posted 03 October 2008 - 05:42 AM

that protect() function seems dead-on. Should be pretty injection-proof.
but it wasn't doing anything as it stood (protect($variable) instead of $variable = protect($variable). Another thing I noticed was that this function didn't 'return' anything), also the $password was spelt wrong in one of the protect()'s, and $action = $_GET['act']; should be $action = $_REQUEST['act']; Final thing I noticed was the SELECT = FROM - pretty sure = is not a wildcard, so changed it to *.

I've fixed the code and added some actions to the else {} to help you debug

<?php

$con = mysql_connect("localhost","root","secret");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
  
function protect($value){
$value = mysql_real_escape_string(value);
$value = stripslashes($value);
$value = strip_tags($value);
return $value;
}

$action = $_REQUEST['act'];
protect($action);


if(!$action){
echo "<table border=0 cellspacing=3 cellpadding=3>\n
	<form name=register method=post action=\"register.php?act=register\">\n
	<tr><td>Username:</td><td><input type=text name=username maxlength=32>\n</td><tr>\n
	<tr><td>Password:</td><td><input type=password name=password maxlength=64>\n</td></tr>\n
	<tr><td>Confirm:</td><td><input type=password name=passconf maxlength=64>\n</td></tr>\n
	<tr><td>Email:</td><td><input type=text name=email>\n</td></tr>\n
	<tr><td>Confirm:</td><td><input type=text name=econf>\n</td></tr>\n
	<tr><td>Gender</td><td><select name=gender>
		<option value=gender>Male</option>\n
		<option value=gender>Female</option>\n
	<tr><td>Your Name</td><td><input type=text name=name maxlength=32>\n
	<tr><td colspan=2 align=right><input type=submit value=\"Register\">\n";
			}else{
			echo 'Action = '.$action.'.<br />';
			}

if($action=="register"){
$username = $_POST['username'];
$password = $_POST['password'];
$passconf = $_POST['passconf'];
$email = $_POST['email'];
$day = $_POST['gender'];
$name = $_POST['name'];
$username = protect($username);
$password = protect($password); // was spelt passwrod
$passconf = protect($passconf);
$email = protect($email);
$gender = protect($gender);
$name = protect($name);

		if (isset($username) && isset($password) && isset($passconf) && isset($email) && isset($gender) && isset($name)){
			if(strlen($username) < 3 || strlen($username) > 32){
			echo "Username is either too short or too long\n";
			}else {
				if(strlen($password) < 3 || strlen($password) > 64){
				echo "Password is either too short ot too long\n";
				}else {
					if(strlen($email) < 3 || strlen($email) > 64){
					echo "Email is either too short ot too long\n";
					}else {
						if(strlen($name) < 2 || strlen($name) > 64){
						echo "Your name is either too short or too long\n";
						}else {
							if($password != $passconf){
							echo "Your password do not match\n";
							}else {
								if($email != $echoconf){
								echo "Your emails do not match\n";
								}else {
									$checkemail = "/*[a-z0-9]+([_\\.-][a-z0-9]+)*@([a-z0-9]+([\.-][a-z0-9]-)+\\.(a-z)(2;)$/";
									if(!preg_match($checkemail,$email)){
									echo "The email you entered is incorrect";
									}else {
										$sql = "SELECT * FROM 'users' WHERE 'username' ='$username'";
										$res = mysql_query($sql) or die(mysql_error());
										if(mysql_num_rows($res) > 0){
										echo "This username already exists";
										}else {
											$sql = "SELECT * FROM 'users' WHERE 'email' ='$email'";
											$res = mysql_query($sql) or die(mysql_error());
											if(mysql_num_rows($res) > 0){
											echo "The email you supplied is already in use";
											}else {
												$sql = "SELECT * FROM 'users' WHERE 'ip' ='$_SERVER[REMOTE_ADDR]'";
												$res = mysql_query($sql) or die(mysql_error());
												if(mysql_num_rows($res) > 0){
												echo "The IP is already in use";
												}else {
													$password = mds($password);
													$date = date('f j, Y @ g:i:s a');
													$sql = "INSTER INTO 'users' ('username','password','email','ip','name,'gender','date') VALUES('$username','$password,'$email','$_SERVER[REMOTE_ADDR]',' $gender,' $date);";
													$res = mysql_query($sql) or die(mysql_error());
													echo "Thank you for registering, you may now log in\n";
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}
		}else{
			echo 'Action wasnt register';
		}
	
?>



So basically this form will allow a user to register, validate the content, then insert the users data into the database with a "Thankyou for registering..." message

This post has been edited by pemcconnell: 03 October 2008 - 05:58 AM

Was This Post Helpful? 0
  • +
  • -

#9 Limitation  Icon User is offline

  • New D.I.C Head

Reputation: 1
  • View blog
  • Posts: 19
  • Joined: 27-September 08

Re: Register Form

Posted 03 October 2008 - 10:47 AM

Action = register.
Your emails do not match



Still dont work :/


Damn im stressed out :angry:
Was This Post Helpful? 0
  • +
  • -

#10 Limitation  Icon User is offline

  • New D.I.C Head

Reputation: 1
  • View blog
  • Posts: 19
  • Joined: 27-September 08

Re: Register Form

Posted 03 October 2008 - 10:52 AM

After I update some stuff it gives me this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' WHERE 'username' ='value'' at line 1


Ermm well what you lot think, is the SQL table codes correct ? Is it linked to the register.php?
Im damn confused. :blink:
Was This Post Helpful? 0
  • +
  • -

#11 Hary  Icon User is offline

  • D.I.C Regular

Reputation: 44
  • View blog
  • Posts: 427
  • Joined: 23-September 08

Re: Register Form

Posted 04 October 2008 - 05:20 AM

use "WHERE username='value'"
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1