
Thread: register script

  1. #1

    register script

    Can anybody see what's wrong with this script please? It keeps telling me to enter a password but it's been entered :S and it says

    Notice: Undefined index: password in /home/youronli/public_html/regprocess.php on line 15
    [html]
    <form action="regprocess.php" method="post">
    <table border="0">
    <tr><td>Username:</td><td>
    <input type="text" name="username" maxlength="60">
    </td></tr>
    <tr><td>Password:</td><td>
    <input type="password" name="password " maxlength="10">
    </td></tr>
    <tr><td>Real Name</td><td>
    <input type="text" name="realname" maxlength="20">
    </td></tr>
    <tr><td>Age</td><td>
    <input type="text" name="age" maxlength="70">
    </td></tr>
    <tr><td>Location</td><td>
    [/html]


    PHP Code:
    <?php
    $db = mysql_connect($dbHost, $dbUser, $dbPass); // Connection code
    mysql_select_db($dbname, $db);                  // Selects the database

    // Read the submitted form fields
    $user = $_POST['username'];
    $pass = $_POST['password'];
    $age = $_POST['age'];
    $rname = $_POST['realname'];
    $about = $_POST['about'];
    $location = $_POST['country'];

    if (!$user) {
        echo "Please supply a username";
    }

    if (!$pass) {
        echo "Please supply a password";
    } else {
        $sql = "INSERT INTO `users` (username,password,name,age,location,about) VALUES ('$user','$pass','$rname','$age','$location','$about')";
        $query = mysql_query($sql);
    }

    ?>

  • #2
    timgolding (Senior Coder)
    Change name="password " to name="password"; you have a space after password. So the post value would be $_POST["password "] and not $_POST["password"]. But just removing the space in the HTML is all you need to do.
    You can not say you know how to do something, until you can teach it to someone else.

  • #3
    timgolding (Senior Coder)
    Also you will need to do much more vigorous validation than you are doing. The only validation you have here is checking that the post values exist. If I knew this was your script and knew the website it was for, I could sign up and put something like


    Code:
     ','','','','','');DELETE FROM users;INSERT INTO users (username,password,name,age,location,about) VALUES ('Ted

    in the username field. That would complete your query, then delete all the existing users from your database, then carry on the insert. So you would be left with one user in your database, which the hacker put there anyway. In other words, if you had 100 users stored in your database, the hacker has easily just deleted all of them from your table completely and left you with one useless user.

    So how do you prevent this kind of thing happening? There are some good PEAR validation functions. It's a tricky one because you want to allow the user to use most chars, especially for passwords etc. But you have to test for this kind of thing somehow. If this is a serious site, e.g. not just you playing around, and you want it to be a live site, let me know and I'll think of some validation you could use. Or maybe someone else here has something of use.
    I'm only telling you all this because I have made sites similar to what you're doing and have been hacked and had my tables deleted and dropped. It's better to learn now than the hard way.

    Another thing is it seems you're planning to save your passwords in plain text. You can't really do that. Not sure, it might not even be legal to do so. You have to hash the passwords then store the hash. Then when they log in you hash their login request and compare the hashes, not the passwords.

    I had to learn all this stuff in the past so you should spend a little extra time doing the same.

    Another thing is Age only needs to be 3 chars long; maybe something like
    Code:
    <input type="text" name="age" maxlength="3">
    would be more appropriate. I never met anyone over 999 so three chars would be fine.
    Last edited by timgolding; 03-22-2009 at 11:29 PM.
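The two changes post #3 asks for, keeping form input out of the SQL text and storing a hash instead of the password, shown as an added example that is not part of the original thread. It uses PDO prepared statements rather than the PEAR validation functions the post mentions; the `register()` helper is hypothetical, and an in-memory SQLite table (PHP 7+ with `pdo_sqlite` assumed) stands in for the poster's MySQL `users` table.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7+ with pdo_sqlite;
// an in-memory SQLite table stands in for the poster's MySQL `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT UNIQUE, password TEXT,
            name TEXT, age INTEGER, location TEXT, about TEXT)');

// Hypothetical helper: returns a list of validation errors (empty on success).
function register(PDO $pdo, array $post): array
{
    $errors = [];
    $user = trim($post['username'] ?? '');
    $pass = $post['password'] ?? '';   // ?? avoids the "Undefined index" notice
    $age  = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 0, 'max_range' => 999]]);
    if ($user === '')   { $errors[] = 'Please supply a username'; }
    if ($pass === '')   { $errors[] = 'Please supply a password'; }
    if ($age === false) { $errors[] = 'Please supply a valid age'; }
    if ($errors) {
        return $errors;                // nothing is written unless every check passed
    }
    // Placeholders keep the values out of the SQL text, so quotes and
    // semicolons in a field are stored as data and never parsed as SQL.
    $stmt = $pdo->prepare('INSERT INTO users (username,password,name,age,location,about)
                           VALUES (?,?,?,?,?,?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT),
                    $post['realname'] ?? '', $age,
                    $post['country'] ?? '', $post['about'] ?? '']);
    return [];
}

// Constructed sample input: one normal sign-up, then the username string from post #3.
register($pdo, ['username' => 'alice', 'password' => 'correct horse', 'age' => '30']);
$payload = "','','','','','');DELETE FROM users;INSERT INTO users "
         . "(username,password,name,age,location,about) VALUES ('Ted";
register($pdo, ['username' => $payload, 'password' => 'x', 'age' => '25']);

// Row count after both sign-ups: the earlier row must still be there.
echo $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), " rows\n";
// Login check: compare the submitted password against the stored hash.
$hash = $pdo->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
var_dump(password_verify('correct horse', $hash));
var_dump(password_verify('wrong', $hash));
```

`password_hash()` generates a fresh salt on every call, so the login side has to use `password_verify()` rather than hashing the submitted password again and comparing the two strings.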

