10-20-2008, 03:21 AM
|
#1 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Location: Near you.
Posts: 791
Thanks: 241
|
Need some help, and I have got some questions to ask as well.
So I will start off by saying thank you to everyone who has helped me before and who will help out, and I will try to help out as much as I can. So for the question part: I was thinking, what is the best way to secure an account? I mean the password and so on, like a password salt and stuff like that. I am still a bit fuzzy on the part where you secure the password.
So all the help I can get is really appreciated.
And then I would need some help on why this is not working.
I get this
print "You're account was made!";
but nothing appears in the db.
PHP Code:
<?php
include 'config.php';
if(isset($_POST['submit']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    $email = $_POST['email'];
    $referral = $_POST['referral'];

    if(strlen($username)<1)
    {
        echo "You forgot to put in a username!";
    }
    if(strlen($password)<1)
    {
        echo "You Forgot to put in a password!";
    }
    if(strlen($email)<1)
    {
        echo "You did not put in you're email!";
    }
    else
    {
        if(preg_match('/^([a-zA-Z0-9])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+/', $email))
        {
            $query=( "INSERT INTO user (id, username,password,email,rank,referral,joined,ip) VALUES ('$id','$username',password('$password'),'$email','Normal','$referral',NOW(),'$ip')");
            mysql_query($query) or die(mysql_error());
        }
        else
        {
            print "You're account was made!";
        }
    }
}
else
{
    echo "<form action='register.php' method='post'>",
         "Please do mix, you're password with letters and numeric characters.</br>",
         "Username:",
         "<input type='text' name='username' size='15'/></br>",
         "Password:",
         "<input type='password' name='password' size='15'/></br>",
         "Email:",
         "<input type='text' name='email' size='15'/><br/>",
         "Referral:",
         "<input type='text' name='referral' size='15'/></br>",
         "<input type='submit' name='submit' value='submit'/></form>";
}
?>
Thank you in advance!
Code;Freek!

|
|
|
|
10-20-2008, 06:17 AM
|
#2 (permalink)
|
|
The Contributor
Join Date: Oct 2008
Location: Nuremberg, Germany
Posts: 26
Thanks: 3
|
Hi cf,
Your if-else block at the regex-thingy says: if the regex matches, do something in your DB; if not, output 'Your account was made'. I don't know if that is what you want your script to do.
Please filter your $_POST values; don't use them unfiltered in SQL statements. It's very dangerous (SQL injection).
Greetings,
Alex
|
|
|
10-20-2008, 11:17 AM
|
#3 (permalink)
|
|
The Addict
Join Date: Nov 2007
Location: USA
Posts: 256
Thanks: 7
|
A good thing for storing passwords is to encrypt them and to use a salt with that like you said. An example would be
Quote:
$salt = "Some short string here";
$password = md5( $salt . sha1($password));
|
So then when you create the account you would use this on the password before inserting it to the db, as well as when that user logs in. This way their password is always encrypted, providing more security.
|
|
|
|
|
The Following User Says Thank You to CoryMathews For This Useful Post:
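An added example, not part of the original thread: PHP 5.5 and later ship password_hash() and password_verify(), which generate a random salt per password and use a deliberately slow algorithm. The sketch below (PHP 7.1+ syntax) stores new passwords that way and upgrades rows still holding the md5/sha1 format quoted above at the next successful login; the function names and the LEGACY_SALT constant are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
const LEGACY_SALT = 'Some short string here'; // shared salt from the quoted snippet

// The thread's scheme: one salt for every user, two fast hashes.
function legacy_hash(string $plain): string
{
    return md5(LEGACY_SALT . sha1($plain));
}

// New passwords: password_hash() picks a random salt per call and stores the
// algorithm, cost and salt inside the returned string.
function hash_new_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Returns [ok, replacementHash]. replacementHash is non-null when the row
// still holds a legacy or outdated hash and should be rewritten.
function check_login(string $plain, string $stored): array
{
    $isLegacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacy
        ? hash_equals($stored, legacy_hash($plain)) // constant-time compare
        : password_verify($plain, $stored);
    if (!$ok) {
        return [false, null];
    }
    $stale = $isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $stale ? hash_new_password($plain) : null];
}

// Constructed sample values.
$pw = 'correct horse 42';
var_dump(legacy_hash($pw) === legacy_hash($pw));             // same digest for every user with this password
var_dump(hash_new_password($pw) === hash_new_password($pw)); // fresh salt on each call

[$ok, $upgrade] = check_login($pw, legacy_hash($pw));        // old row, correct password
var_dump($ok, $upgrade !== null);
[$ok, $upgrade] = check_login('wrong guess', legacy_hash($pw));
var_dump($ok, $upgrade);
[$ok, $upgrade] = check_login($pw, hash_new_password($pw));  // current row
var_dump($ok, $upgrade);
```

When check_login() returns a replacement hash, the caller writes it back to the user's row so the legacy digest disappears from the table.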
|
|
10-20-2008, 01:59 PM
|
#4 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Location: Near you.
Posts: 791
Thanks: 241
|
awuehr, filter with what?
|
|
|
|
10-20-2008, 02:09 PM
|
#5 (permalink)
|
|
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,280
Thanks: 90
|
You could try mysql_real_escape_string. Although if you wanted to take it further, you could filter depending on what you're expecting the data to be. Integer, string, et cetera...
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
|
|
|
|
The Following User Says Thank You to Wildhoney For This Useful Post:
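An added example, not part of the original thread: the same registration step with each field checked against what it is expected to be and the INSERT sent as a prepared statement, so the values never become part of the SQL text. It uses PDO with an in-memory SQLite database so it runs stand-alone (assumes the pdo_sqlite extension); register_user(), the validation limits and the table definition are assumptions modelled on the columns in the posted query.

```php
<?php
// Added example, not code from the thread. register_user() is hypothetical.
function register_user(PDO $db, array $post): array
{
    $errors   = [];
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');
    $email    = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $referral = trim((string)($post['referral'] ?? ''));

    // Filter by expected type/shape (limits below are assumptions).
    if (!preg_match('/^[A-Za-z0-9_]{3,15}$/', $username)) {
        $errors[] = 'username';
    }
    if (strlen($password) < 8) {
        $errors[] = 'password';
    }
    if ($email === false) {
        $errors[] = 'email';
    }
    if ($errors) {
        return $errors; // nothing is written unless every field passed
    }

    // Placeholders keep the submitted values out of the SQL string entirely.
    $stmt = $db->prepare(
        'INSERT INTO user (username, password, email, rank, referral, joined)
         VALUES (:u, :p, :e, :r, :ref, CURRENT_TIMESTAMP)'
    );
    $stmt->execute([
        ':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT),
        ':e' => $email,    ':r' => 'Normal', ':ref' => $referral,
    ]);
    return []; // empty list = account created
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password TEXT, email TEXT, rank TEXT, referral TEXT, joined TEXT)');

// Constructed sample submissions; the apostrophe would break a string-built query.
var_dump(register_user($db, ['username' => 'alice', 'password' => 'long-enough-1',
    'email' => 'alice@example.com', 'referral' => "O'Brien"]));
var_dump(register_user($db, ['username' => 'x', 'password' => 'short', 'email' => 'nope']));
var_dump($db->query('SELECT username, referral FROM user')->fetchAll(PDO::FETCH_ASSOC));
```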
|
|
10-20-2008, 02:43 PM
|
#6 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Location: Near you.
Posts: 791
Thanks: 241
|
I tried this but it won't work? Should I maybe do a check if the preg_match is valid by turning it into a var, and then running a check, or how should I do it? :S
Thank you!
PHP Code:
if(preg_match('/^([a-zA-Z0-9])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+/', $email))
{
    $query=( "INSERT INTO user (id, username,password,email,rank,referral,joined,ip) VALUES ('$id','$username',password('$password'),'$email','Normal','$referral',NOW(),'$ip')");
    mysql_query($query) or die(mysql_error());
}
else
{
    echo 'Not a valid email!';
}
else
{
    echo 'Your account was made!';
}
}
}
}
|
|
|
|
10-20-2008, 02:58 PM
|
#7 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Location: Near you.
Posts: 791
Thanks: 241
|
I tried this, but it won't input anything to the db :S
PHP Code:
if(preg_match('/^([a-zA-Z0-9])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+/', $email))
{
    $query=( "INSERT INTO user (id, username,password,email,rank,referral,joined,ip) VALUES ('$id','$username',password('$password'),'$email','Normal','$referral',NOW(),'$ip')");
    mysql_query($query) or die(mysql_error());
    print "your account was made!";
}
else
{
    echo 'not valid email!';
}
}
}
|
|
|
|
10-20-2008, 07:51 PM
|
#8 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Location: Near you.
Posts: 791
Thanks: 241
|
I made a new pattern but I get ? instead of @ ;/
Help..
PHP Code:
/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*\@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/
|
|
|
|
10-20-2008, 10:07 PM
|
#9 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Location: Near you.
Posts: 791
Thanks: 241
|
Omg, what a noob mistake! ;P Forgot to set a set on the db.
Working now, thank you ;)
|
|
|
|
10-20-2008, 11:03 PM
|
#10 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Location: Near you.
Posts: 791
Thanks: 241
|
Why do I get an error on this?
PHP Code:
$sql = printf(" INSERT INTO `users` SET `username` = '%s', `password` = '%s', `email` = '%s', `rank` = 'normal', `referral` = '%s', `joined` = NOW()",
mysql_real_escape_string($username), mysql_real_escape_string($password), mysql_real_escape_string($email), mysql_real_escape_string($referral));
|
|
|
|
10-20-2008, 11:11 PM
|
#11 (permalink)
|
|
The Addict
Join Date: Nov 2007
Location: USA
Posts: 256
Thanks: 7
|
using % instead of $ if those are variables.
|
|
|
|
10-20-2008, 11:27 PM
|
#12 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Location: Near you.
Posts: 791
Thanks: 241
|
don't follow :S
|
|
|
|
10-21-2008, 12:15 AM
|
#13 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Location: Near you.
Posts: 791
Thanks: 241
|
Fixed. Thank you!