Login

Wizatek · 05-02-2012, 09:43 PM

Hi.

I seen a lot of PHP scripts that access the database in a unsafe way, giving hackers way to much information or maybe even access to your database.

To prevent this from happening i wrote this script to make the user registration a lot more secure.

<?php

// Settings to change
$conf['db']['server'] = '';
$conf['db']['dbase'] = '';
$conf['db']['user'] = '';
$conf['db']['pass'] = '';

// Set this to true if u want to use encrypted passwords in the database.
// Your Engine.dll must support this in order to set it to true.
// Its highly recommended to use it

$conf['use_encryption'] = false;

// Dont change below here unless u know what u are doing -------------------------------------------------------------------

$conf['db']['dsn'] = sprintf("mysql:host=%s;dbname=%s", $conf['db']['server'], $conf['db']['dbase']);

try
{
$db = new PDO($conf['db']['dsn'], $conf['db']['user'], $conf['db']['pass']);
}
catch(PDOException $e)
{
die('Error connecting to the databaseRegistration is not possible at this moment.');
}

if( isset( $_POST['submit'] ) )
{

if( strlen( $_POST['username'] ) < 3 || strlen( $_POST['username'] ) > 15 )
echo 'Pick a username between 3 and 15 characters long';

elseif( !ctype_alnum( $_POST['username'] ) )
echo 'Please use only alfanumeric characters as username ( a-Z 0-9 )';

elseif( strlen( $_POST['pass1'] ) < 3 || strlen( $_POST['pass1'] ) > 15 )
echo 'Pick a password between 3 and 15 characters long';

elseif( strcmp( $_POST['pass1'] , $_POST['pass2'] ) != 0 )
echo 'Please use 2x exactley the same passwords';

else
{

$dbh = $db->prepare("SELECT count(*) FROM bg_user WHERE user_id = :userid");
$dbh->bindParam(':userid', $_POST['username'], PDO: Tongue

ARAM_STR);

$dbh->execute();

$result = $dbh->fetch();

if( $result[0] != 0 )
echo 'Username already takenPlease choose another name';

else
{

( $conf['use_encryption'] ? $pass = md5( $_POST['pass1'] ) : $pass = $_POST['pass1'] )

$dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");

$dbh->bindParam(':userid', $_POST['username'], PDO: Tongue

ARAM_STR);
$dbh->bindParam(':passwd', $pass , PDO: Tongue

ARAM_STR);

$dbh->execute();

echo 'Your account is created.';

}

}
}

else
echo
'
<form method="post">
<table>
<tr>
<td>Username</td>
<td><input type="text" name="username" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="pass1" /></td>
</tr>
<tr>
<td>Password (again)</td>
<td><input type="password" name="pass2" /></td>
</tr>
<tr>
<td> colspan="2"><input type="submit" name="submit" value="Register" /></td>
</tr>
</table>
</form>
';

?>

vavan · 05-06-2012, 01:05 PM

ty, it would be cool if you did not only register but also login (like CP)

Blackfire · 05-13-2012, 08:19 AM

I get an error here.

$dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");

Baikim · 05-18-2012, 11:52 AM

I get an error here. $dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");

Same on me.

05-20-2012, 11:12 AM

me 2 xd

Blackfire · 05-20-2012, 11:17 AM

Any fix for that yet?

vavan · 05-20-2012, 11:41 AM

Hi.

I seen a lot of PHP scripts that access the database in a unsafe way, giving hackers way to much information or maybe even access to your database.

To prevent this from happening i wrote this script to make the user registration a lot more secure.

<?php

// Settings to change
$conf['db']['server'] = '';
$conf['db']['dbase'] = '';
$conf['db']['user'] = '';
$conf['db']['pass'] = '';

// Set this to true if u want to use encrypted passwords in the database.
// Your Engine.dll must support this in order to set it to true.
// Its highly recommended to use it

$conf['use_encryption'] = false;

// Dont change below here unless u know what u are doing -------------------------------------------------------------------

$conf['db']['dsn'] = sprintf("mysql:host=%s;dbname=%s", $conf['db']['server'], $conf['db']['dbase']);

try
{
$db = new PDO($conf['db']['dsn'], $conf['db']['user'], $conf['db']['pass']);
}
catch(PDOException $e)
{
die('Error connecting to the databaseRegistration is not possible at this moment.');
}

if( isset( $_POST['submit'] ) )
{

if( strlen( $_POST['username'] ) < 3 || strlen( $_POST['username'] ) > 15 )
echo 'Pick a username between 3 and 15 characters long';

elseif( !ctype_alnum( $_POST['username'] ) )
echo 'Please use only alfanumeric characters as username ( a-Z 0-9 )';

elseif( strlen( $_POST['pass1'] ) < 3 || strlen( $_POST['pass1'] ) > 15 )
echo 'Pick a password between 3 and 15 characters long';

elseif( strcmp( $_POST['pass1'] , $_POST['pass2'] ) != 0 )
echo 'Please use 2x exactley the same passwords';

else
{

$dbh = $db->prepare("SELECT count(*) FROM bg_user WHERE user_id = :userid");
$dbh->bindParam(':userid', $_POST['username'], PDO: Tongue

ARAM_STR);

$dbh->execute();

$result = $dbh->fetch();

if( $result[0] != 0 )
echo 'Username already takenPlease choose another name';

else
{

( $conf['use_encryption'] ? $pass = md5( $_POST['pass1'] ) : $pass = $_POST['pass1'] )

$dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");

$dbh->bindParam(':userid', $_POST['username'], PDO: Tongue

ARAM_STR);
$dbh->bindParam(':passwd', $pass , PDO: Tongue

ARAM_STR);

$dbh->execute();

echo 'Your account is created.';

}

}
}

else
echo
'
<form method="post">
<table>
<tr>
<td>Username</td>
<td><input type="text" name="username" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="pass1" /></td>
</tr>
<tr>
<td>Password (again)</td>
<td><input type="password" name="pass2" /></td>
</tr>
<tr>
<td> colspan="2"><input type="submit" name="submit" value="Register" /></td>
</tr>
</table>
</form>
';

?>

05-20-2012, 12:32 PM

Why you didnt use mysql_real_ESCAPE_string ?

Wizatek · 05-20-2012, 03:08 PM

Replace: (line 66)

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] )

To:

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] );

And...

This (line 100)

colspan="2">

to

Full code:

Ok, im busted for not testing it after i wrote it haha

Why you didnt use mysql_real_ESCAPE_string ?

I use PDO to communicate with the database and not the mysql_* functions of PHP.

PDO does all the escaping itself making mysql injection completely impossible.

05-20-2012, 09:17 PM

Replace: (line 66)

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] )

To:

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] );

And...

This (line 100)

colspan="2">

to

Full code:

<?php

// Settings to change
$conf[db][server] = ;
$conf[db][dbase] = ;
$conf[db][user] = ;
$conf[db][pass] = ;

// Set this to true if u want to use encrypted passwords in the database.
// Your Engine.dll must support this in order to set it to true.
// Its highly recommended to use it

$conf[use_encryption] = false;

// Dont change below here unless u know what u are doing -------------------------------------------------------------------

$conf[db][dsn] = sprintf("mysql:host=%s;dbname=%s", $conf[db][server], $conf[db][dbase]);

try
{
$db = new PDO($conf[db][dsn], $conf[db][user], $conf[db][pass]);
}
catch(PDOException $e)
{
die(Error connecting to the database
Registration is not possible at this moment.);
}

if( isset( $_POST[submit] ) )
{

if( strlen( $_POST[username] ) < 3 || strlen( $_POST[username] ) > 15 )
echo Pick a username between 3 and 15 characters long;

elseif( !ctype_alnum( $_POST[username] ) )
echo Please use only alfanumeric characters as username ( a-Z 0-9 );

elseif( strlen( $_POST[pass1] ) < 3 || strlen( $_POST[pass1] ) > 15 )
echo Pick a password between 3 and 15 characters long;

elseif( strcmp( $_POST[pass1] , $_POST[pass2] ) != 0 )
echo Please use 2x exactley the same passwords;

else
{

$dbh = $db->prepare("SELECT count(*) FROM bg_user WHERE user_id = :userid");
$dbh->bindParam(:userid, $_POST[username], PDO: Tongue

ARAM_STR);

$dbh->execute();

$result = $dbh->fetch();

if( $result[0] != 0 )
echo Username already taken
Please choose another name;

else
{

( $conf[use_encryption] ? $pass = md5( $_POST[pass1] ) : $pass = $_POST[pass1] );

$dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:userid,:passwd)");

$dbh->bindParam(:userid, $_POST[username], PDO: Tongue

ARAM_STR);
$dbh->bindParam(:passwd, $pass , PDO: Tongue

ARAM_STR);

$dbh->execute();

echo Your account is created.;

}

}
}

else
echo

</pre>
<table>UsernamePasswordPassword (again)</table>
<br><br> ;<br><br

now i have other error:

Notice: Undefined index: server in C:\xampp\htdocs\lc\register.php on line 21

Notice: Undefined index: dbase in C:\xampp\htdocs\lc\register.php on line 21

Notice: Undefined index: user in C:\xampp\htdocs\lc\register.php on line 25

Notice: Undefined index: pass in C:\xampp\htdocs\lc\register.php on line 25

Error connecting to the database

Registration is not possible at this moment.

i have my db configuration:

// Settings to change

$conf[db][test] = ;

$conf[db][newproject_db_auth] = ;

$conf[db][root] = ;

$conf[db][test] = ;

Login
Username/Email:
Password:	Lost Password?
	Remember me