  1. #1
    New Coder
    Join Date
    Jan 2005
    Posts
    89
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Phpzor (NOT SOLVED)

    I want to turn off register globals since some people said it's a security hazard, and it's not checking if the IP is already in the database, and if it is, it's supposed to not let them sign up. It is letting you sign up as many times as you want though. I would appreciate any help ^^
    ~Thanks again

    PHP Code:
    <?php
    $title = "Signup";
    include("top.php");
    $IP = $_SERVER['REMOTE_ADDR'];
    ?>


    <div id="content">
    <span>Signup</span>


    <p>
    <form method="POST" action="signup.php?action=signup">
                 Username:<br> <input type="text" name="username" size="20" maxlength="15"><br>
                 Password:<br> <input type="password" name="password" size="20" maxlength="15"><br>
          Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br>
                    Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br>

    Note: Your ip will be logged so please do not make multiple accounts<br><br>
    <input type="submit" name="turkey" value="submit"></form>



    <?php

    IF ($action == "signup"){

        $ipcheck = mysql_query("select * from users where IP='$IP'");
        IF (@mysql_numrows($ipcheck) > 0) {
            $ipused = "yes";
        }else{
            $ipused = "no";
        }

        IF ($password == "$verpassword") {
            $passwordmatch = "true";
        }else{
            $passwordmatch = "false";
        }

        IF ($ipused == "no" && $passwordmatch == "true"){
            $userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$username', '$email', '$password', 'Member', '$IP', '')");
            echo "Thanks for signing up!";
        }else{
            echo "You either have an account already, or your passwords do not match!";
        }
    }
    ?>




    </div>

    <?php
    include("bottom.php");
    ?>
    Last edited by Fashong; 06-21-2005 at 05:12 PM.

  • #2
    Regular Coder
    Join Date
    May 2005
    Posts
    563
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Try this... if you turn off register globals you have to stop using them.
    PHP Code:
    <?php
    $title = "Signup";
    include("top.php");
    $ip = $_SERVER['REMOTE_ADDR'];
    ?>


    <div id="content">
    <span>Signup</span>


    <p>
    <form method="POST" action="signup.php?action=signup">
                 Username:<br> <input type="text" name="username" size="20" maxlength="15"><br>
                 Password:<br> <input type="password" name="password" size="20" maxlength="15"><br>
          Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br>
                    Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br>

    Note: Your ip will be logged so please do not make multiple accounts<br><br>
    <input type="submit" name="turkey" value="submit"></form>



    <?php

    IF (isset($_POST['action']) && $_POST['action'] == "signup"){

        $ipcheck = mysql_query("select * from users where IP='$ip'");
        IF (mysql_num_rows($ipcheck) > 0) {
            $ipused = "yes";
        }else{
            $ipused = "no";
        }

        IF ($password == "$verpassword") {
            $passwordmatch = "true";
        }else{
            $passwordmatch = "false";
        }

        IF ($ipused == "no" && $passwordmatch == "true"){
            $userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$username', '$email', '$password', 'Member', '$ip', '')");
            echo "Thanks for signing up!";
        }else{
            echo "You either have an account already, or your passwords do not match!";
        }
    }
    ?>




    </div>

    <?php
    include("bottom.php");
    ?>

  • #3
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    There is no $_POST['action'], it should be $_GET['action'] as it's getting it from the url

  • #4
    Regular Coder
    Join Date
    May 2005
    Posts
    563
    Thanks
    0
    Thanked 3 Times in 3 Posts
    True, my bad... you should use this code instead.

    PHP Code:
    <?php
    $title = "Signup";
    include("top.php");
    $ip = $_SERVER['REMOTE_ADDR'];
    ?>


    <div id="content"> 
    <span>Signup</span> 


    <p> 
    <form method="POST" action="signup.php"> 
                 Username:<br> <input type="text" name="username" size="20" maxlength="15"><br> 
                 Password:<br> <input type="password" name="password" size="20" maxlength="15"><br> 
          Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br> 
                    Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br><input type="hidden" name="action" value="signup">

    Note: Your ip will be logged so please do not make multiple accounts<br><br> 
    <input type="submit" name="turkey" value="submit"></form> 



    <?php

    IF (isset($_POST['action']) && $_POST['action'] == "signup"){

        $ipcheck = mysql_query("select * from users where IP='$ip'");
        IF (mysql_num_rows($ipcheck) > 0) {
            $ipused = "yes";
        }else{
            $ipused = "no";
        }

        IF ($password == "$verpassword") {
            $passwordmatch = "true";
        }else{
            $passwordmatch = "false";
        }

        IF ($ipused == "no" && $passwordmatch == "true"){
            $userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$username', '$email', '$password', 'Member', '$ip', '')");
            echo "Thanks for signing up!";
        }else{
            echo "You either have an account already, or your passwords do not match!";
        }
    }
    ?>




    </div> 

    <?php 
    include("bottom.php"); 
    ?>

  • #5
    New Coder
    Join Date
    Jan 2005
    Posts
    89
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Won't this work too?


    PHP Code:
    <?php
    $title = "Signup";
    include("top.php");
    $IP = $_SERVER['REMOTE_ADDR'];
    ?>


    <div id="content">
    <span>Signup</span>


    <p>
    <form method="POST" action="signup.php?action=signup">
                 Username:<br> <input type="text" name="username" size="20" maxlength="15"><br>
                 Password:<br> <input type="password" name="password" size="20" maxlength="15"><br>
          Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br>
                    Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br>

    Note: Your ip will be logged so please do not make multiple accounts<br><br>
    <input type="submit" name="turkey" value="submit"></form>



    <?php

    if(isset($_POST['turkey'])){

        $ipcheck = mysql_query("select * from users where IP='$IP'");
        IF (@mysql_numrows($ipcheck) > 0) {
            $ipused = "yes";
        }else{
            $ipused = "no";
        }

        IF ($_POST['password'] == "$_POST['$verpassword']") {
            $passwordmatch = "true";
        }else{
            $passwordmatch = "false";
        }

        IF ($ipused == "no" && $passwordmatch == "true"){
            $userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$_POST['username']', '$_POST['email']', '$_POST['$password']', 'Member', '$IP', '')");
            echo "Thanks for signing up!";
        }else{
            echo "You either have an account already, or your passwords do not match!";
        }
    }
    ?>




    </div>

    <?php
    include("bottom.php");
    ?>

  • #6
    Regular Coder
    Join Date
    May 2005
    Posts
    563
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Why do you want to use the query string when it isn't needed... it is more secure to not use it, you can't set POST variables without submitting a form but you can set GET variables

  • #7
    New Coder
    Join Date
    Jan 2005
    Posts
    89
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Everything else is fine though?? What else can I use except mysql_query then?

  • #8
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    This line has an error

    PHP Code:
    IF ($_POST['password'] == "$_POST['$verpassword']"
    Should be
    PHP Code:
    if ($_POST['password'] == $_POST['verpassword']) 
    You also use
    PHP Code:
    mysql_numrows 
    It should be
    PHP Code:
    mysql_num_rows 

  • #9
    New Coder
    Join Date
    Jan 2005
    Posts
    89
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home2/fashong/public_html/signup.php on line 47


    PHP Code:
    <?php
    $title = "Signup";
    include("top.php");
    $IP = $_SERVER['REMOTE_ADDR'];
    ?>


    <div id="content">
    <span>Signup</span>


    <p>
    <form method="POST" action="signup.php?action=signup">
                 Username:<br> <input type="text" name="username" size="20" maxlength="15"><br>
                 Password:<br> <input type="password" name="password" size="20" maxlength="15"><br>
          Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br>
                    Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br>


    Note: Your ip will be logged so please do not make multiple accounts<br><br>
    <input type="submit" name="turkey" value="submit"></form>



    <?php

    IF (isset($_POST['turkey'])){

        $ipcheck = mysql_query("select * from users where IP='$IP'");
        IF (@mysql_num_rows($ipcheck) > 0) {
            $ipused = "yes";
        }else{
            $ipused = "no";
        }

        IF ($_POST['password'] == $_POST['verpassword']) {
            $passwordmatch = "true";
        }else{
            $passwordmatch = "false";
        }

        IF ($ipused == "no" && $passwordmatch == "true"){
            $userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$_POST['username']', '$_POST['email']', '$_POST['password']', 'Member', '$IP', '')");
            echo "Thanks for signing up!";
        }else{
            echo "You either have an account already, or your passwords do not match!";
        }
    }
    ?>




    </div>




    <?php
    include("bottom.php");
    ?>

  • #10
    New Coder
    Join Date
    Jan 2005
    Posts
    89
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Anyone?? ^_^

  • #11
    New Coder
    Join Date
    Jan 2005
    Posts
    89
    Thanks
    0
    Thanked 0 Times in 0 Posts
    ^_^.....

  • #12
    Regular Coder
    Join Date
    Nov 2004
    Location
    The Netherlands
    Posts
    551
    Thanks
    0
    Thanked 0 Times in 0 Posts
    PHP Code:
    $ipcheck = mysql_query("select * from users where IP='$IP'");
    should be
    PHP Code:
    $ipcheck = mysql_query("select * from users where IP=".$IP);
    Why don't you use boolean values for ipused and passwordmatch?

    $ipused = true/false
    CATdude about IE6: "All your box-model are belong to us"

  • #13
    Regular Coder
    Join Date
    Aug 2004
    Location
    The US of A
    Posts
    767
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Fashong: Your options for fixing the parsing error are still the same.

    Sprintf, in my opinion, would be the best thing to use here since you don't have an obscene amount of variables. Your next best bet would be to concat the string with the variables in it. And the last one I would use, simply out of personal preference, would be to wrap the variables in curly brackets.

    This is wrong:
    PHP Code:
    $userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$_POST['username']', '$_POST['email']', '$_POST['password']', 'Member', '$IP', '')");
    Here are the solutions to the problem:
    PHP Code:
    //sprintf
    $sql = sprintf("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '%s', '%s', '%s', 'Member', '%s', '')", $_POST['username'], $_POST['email'], $_POST['password'], $IP);

    //concat
    $sql = "INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '" . $_POST['username'] . "', '" . $_POST['email'] . "', '" . $_POST['password'] . "', 'Member', '" . $IP . "', '')";

    //curly brackets
    // I'm not all too sure about this, I've never used it, and I probably never will.
    $sql = "INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '{$_POST['username']}', '{$_POST['email']}', '{$_POST['password']}', 'Member', '$IP', '')";


    $userupdate = mysql_query($sql);
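
A hardened version of the signup handler discussed in this thread, added here as an example and not any poster's code: it reads only from the POST array, binds every value instead of interpolating it into the SQL string, and stores a password hash. The function name `signup`, the `$db` connection and the schema details in the comments are assumptions. The thread's SELECT filters on `IP` while its INSERT writes `ipaddress`, so this version checks `ipaddress`.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with mysqli, an
// auto-increment id, a default for age and a VARCHAR(255) password column.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // surface SQL errors; no @

function signup(mysqli $db, array $post, string $ip): string
{
    // Read form fields from the POST array only; non-string input becomes ''.
    $f = [];
    foreach (['username', 'email', 'password', 'verpassword'] as $key) {
        $f[$key] = is_string($post[$key] ?? null) ? $post[$key] : '';
    }
    $username = trim($f['username']);
    $email    = trim($f['email']);

    if ($username === '' || $f['password'] === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a username, a valid email and a password.';
    }
    if ($f['password'] !== $f['verpassword']) {
        return 'Your passwords do not match!';
    }

    // Look up the column the INSERT writes (ipaddress), using a bound parameter.
    $check = $db->prepare('SELECT COUNT(*) FROM users WHERE ipaddress = ?');
    $check->bind_param('s', $ip);
    $check->execute();
    $check->bind_result($count);
    $check->fetch();
    $check->close();
    if ($count > 0) {
        return 'You already have an account!';
    }

    // Store a salted hash rather than the submitted password.
    $hash   = password_hash($f['password'], PASSWORD_DEFAULT);
    $status = 'Member';
    $insert = $db->prepare('INSERT INTO users (username, email, password, status, ipaddress)'
        . ' VALUES (?, ?, ?, ?, ?)');
    $insert->bind_param('sssss', $username, $email, $hash, $status, $ip);
    $insert->execute();
    $insert->close();
    return 'Thanks for signing up!';
}

// In signup.php, with $db an open mysqli connection (assumed):
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     echo htmlspecialchars(signup($db, $_POST, $_SERVER['REMOTE_ADDR']));
// }
```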

