LCKB
Safe registration script - Printable Version

+- LCKB (https://lckb.dev/forum)
+-- Forum: ** OLD LCKB DATABASE ** (https://lckb.dev/forum/forumdisplay.php?fid=109)
+--- Forum: Website Scripting & Security (https://lckb.dev/forum/forumdisplay.php?fid=197)
+---- Forum: Website Releases (https://lckb.dev/forum/forumdisplay.php?fid=135)
+----- Forum: Ep1 Websites (https://lckb.dev/forum/forumdisplay.php?fid=185)
+----- Thread: Safe registration script (/showthread.php?tid=788)

Pages: 1 2 3

- Wizatek - 05-02-2012


Hi.

 

I seen a lot of PHP scripts that access the database in a unsafe way, giving hackers way to much information or maybe even access to your database.

To prevent this from happening i wrote this script to make the user registration a lot more secure.

 

<?php

// Settings to change
$conf['db']['server'] = '';
$conf['db']['dbase'] = '';
$conf['db']['user'] = '';
$conf['db']['pass'] = '';

// Set this to true if u want to use encrypted passwords in the database.
// Your Engine.dll must support this in order to set it to true.
// Its highly recommended to use it

$conf['use_encryption'] = false;

// Dont change below here unless u know what u are doing -------------------------------------------------------------------

$conf['db']['dsn'] = sprintf("mysql:host=%s;dbname=%s", $conf['db']['server'], $conf['db']['dbase']);

try
{
$db = new PDO($conf['db']['dsn'], $conf['db']['user'], $conf['db']['pass']);
}
catch(PDOException $e)
{
die('Error connecting to the databaseRegistration is not possible at this moment.');
}

if( isset( $_POST['submit'] ) )
{

if( strlen( $_POST['username'] ) < 3 || strlen( $_POST['username'] ) > 15 )
echo 'Pick a username between 3 and 15 characters long';

elseif( !ctype_alnum( $_POST['username'] ) )
echo 'Please use only alfanumeric characters as username ( a-Z 0-9 )';

elseif( strlen( $_POST['pass1'] ) < 3 || strlen( $_POST['pass1'] ) > 15 )
echo 'Pick a password between 3 and 15 characters long';

elseif( strcmp( $_POST['pass1'] , $_POST['pass2'] ) != 0 )
echo 'Please use 2x exactley the same passwords';

else
{

$dbh = $db->prepare("SELECT count(*) FROM bg_user WHERE user_id = :userid");
$dbh->bindParam(':userid', $_POST['username'], PDO:TongueARAM_STR);

$dbh->execute();

$result = $dbh->fetch();

if( $result[0] != 0 )
echo 'Username already takenPlease choose another name';

else
{

( $conf['use_encryption'] ? $pass = md5( $_POST['pass1'] ) : $pass = $_POST['pass1'] )

$dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");

$dbh->bindParam(':userid', $_POST['username'], PDO:TongueARAM_STR);
$dbh->bindParam(':passwd', $pass , PDO:TongueARAM_STR);

$dbh->execute();

echo 'Your account is created.';

}

}
}

else
echo
'
<form method="post">
<table>
<tr>
<td>Username</td>
<td><input type="text" name="username" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="pass1" /></td>
</tr>
<tr>
<td>Password (again)</td>
<td><input type="password" name="pass2" /></td>
</tr>
<tr>
<td> colspan="2"><input type="submit" name="submit" value="Register" /></td>
</tr>
</table>
</form>
';

?>



- vavan - 05-06-2012

ty, it would be cool if you did not only register but also login (like CP)



- Blackfire - 05-13-2012


I get an error here.

$dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");



- Baikim - 05-18-2012


I get an error here. $dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");

 

Same on me.



- slowz2seecret - 05-20-2012

me 2 xd



- Blackfire - 05-20-2012

Any fix for that yet?



- vavan - 05-20-2012


Hi.

 

I seen a lot of PHP scripts that access the database in a unsafe way, giving hackers way to much information or maybe even access to your database.

To prevent this from happening i wrote this script to make the user registration a lot more secure.

 

<?php

// Settings to change
$conf['db']['server'] = '';
$conf['db']['dbase'] = '';
$conf['db']['user'] = '';
$conf['db']['pass'] = '';

// Set this to true if u want to use encrypted passwords in the database.
// Your Engine.dll must support this in order to set it to true.
// Its highly recommended to use it

$conf['use_encryption'] = false;

// Dont change below here unless u know what u are doing -------------------------------------------------------------------

$conf['db']['dsn'] = sprintf("mysql:host=%s;dbname=%s", $conf['db']['server'], $conf['db']['dbase']);

try
{
$db = new PDO($conf['db']['dsn'], $conf['db']['user'], $conf['db']['pass']);
}
catch(PDOException $e)
{
die('Error connecting to the databaseRegistration is not possible at this moment.');
}

if( isset( $_POST['submit'] ) )
{

if( strlen( $_POST['username'] ) < 3 || strlen( $_POST['username'] ) > 15 )
echo 'Pick a username between 3 and 15 characters long';

elseif( !ctype_alnum( $_POST['username'] ) )
echo 'Please use only alfanumeric characters as username ( a-Z 0-9 )';

elseif( strlen( $_POST['pass1'] ) < 3 || strlen( $_POST['pass1'] ) > 15 )
echo 'Pick a password between 3 and 15 characters long';

elseif( strcmp( $_POST['pass1'] , $_POST['pass2'] ) != 0 )
echo 'Please use 2x exactley the same passwords';

else
{

$dbh = $db->prepare("SELECT count(*) FROM bg_user WHERE user_id = :userid");
$dbh->bindParam(':userid', $_POST['username'], PDO:TongueARAM_STR);

$dbh->execute();

$result = $dbh->fetch();

if( $result[0] != 0 )
echo 'Username already takenPlease choose another name';

else
{

( $conf['use_encryption'] ? $pass = md5( $_POST['pass1'] ) : $pass = $_POST['pass1'] )

$dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");

$dbh->bindParam(':userid', $_POST['username'], PDO:TongueARAM_STR);
$dbh->bindParam(':passwd', $pass , PDO:TongueARAM_STR);

$dbh->execute();

echo 'Your account is created.';

}

}
}

else
echo
'
<form method="post">
<table>
<tr>
<td>Username</td>
<td><input type="text" name="username" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="pass1" /></td>
</tr>
<tr>
<td>Password (again)</td>
<td><input type="password" name="pass2" /></td>
</tr>
<tr>
<td> colspan="2"><input type="submit" name="submit" value="Register" /></td>
</tr>
</table>
</form>
';

?>



- Ascadia-Network - 05-20-2012

Why you didnt use mysql_real_ESCAPE_string ?



- Wizatek - 05-20-2012


Replace: (line 66)

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] )

To:

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] );

 

And...

This (line 100)

colspan="2">

to

 

Full code:

 

Ok, im busted for not testing it after i wrote it haha

 

 

 

Why you didnt use mysql_real_ESCAPE_string ?
 

I use PDO to communicate with the database and not the mysql_* functions of PHP.

PDO does all the escaping itself making mysql injection completely impossible.



- slowz2seecret - 05-20-2012


Replace: (line 66)

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] )

To:

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] );

 

And...

This (line 100)

colspan="2">

to

 

Full code:

<?php

// Settings to change
$conf[db][server] = ;
$conf[db][dbase] = ;
$conf[db][user] = ;
$conf[db][pass] = ;

// Set this to true if u want to use encrypted passwords in the database.
// Your Engine.dll must support this in order to set it to true.
// Its highly recommended to use it

$conf[use_encryption] = false;

// Dont change below here unless u know what u are doing -------------------------------------------------------------------

$conf[db][dsn] = sprintf("mysql:host=%s;dbname=%s", $conf[db][server], $conf[db][dbase]);

try
{
$db = new PDO($conf[db][dsn], $conf[db][user], $conf[db][pass]);
}
catch(PDOException $e)
{
die(Error connecting to the database
Registration is not possible at this moment.);
}

if( isset( $_POST[submit] ) )
{

if( strlen( $_POST[username] ) < 3 || strlen( $_POST[username] ) > 15 )
echo Pick a username between 3 and 15 characters long;

elseif( !ctype_alnum( $_POST[username] ) )
echo Please use only alfanumeric characters as username ( a-Z 0-9 );

elseif( strlen( $_POST[pass1] ) < 3 || strlen( $_POST[pass1] ) > 15 )
echo Pick a password between 3 and 15 characters long;

elseif( strcmp( $_POST[pass1] , $_POST[pass2] ) != 0 )
echo Please use 2x exactley the same passwords;

else
{

$dbh = $db->prepare("SELECT count(*) FROM bg_user WHERE user_id = :userid");
$dbh->bindParam(:userid, $_POST[username], PDO:TongueARAM_STR);

$dbh->execute();

$result = $dbh->fetch();

if( $result[0] != 0 )
echo Username already taken
Please choose another name;

else
{

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] );

$dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");

$dbh->bindParam(:userid, $_POST[username], PDO:TongueARAM_STR);
$dbh->bindParam(:passwd, $pass , PDO:TongueARAM_STR);

$dbh->execute();

echo Your account is created.;

}

}
}

else
echo

</pre>
<table>UsernamePasswordPassword (again)</table>
<br><br> ;<br><br

now i have other error:

Notice: Undefined index: server in C:\xampp\htdocs\lc\register.php on line 21

 

Notice: Undefined index: dbase in C:\xampp\htdocs\lc\register.php on line 21

 

Notice: Undefined index: user in C:\xampp\htdocs\lc\register.php on line 25

 

Notice: Undefined index: pass in C:\xampp\htdocs\lc\register.php on line 25

Error connecting to the database

Registration is not possible at this moment.

 

i have my db configuration:

 

// Settings to change

$conf[db][test] = ;

$conf[db][newproject_db_auth] = ;

$conf[db][root] = ;

$conf[db][test] = ;