Help with my registration script

I’m fairly new to PHP and am currently trying to make a user area on my site. I want to make a signup script, but the one I’ve got isn’t working right.

reg_info.php

[code]<?

include("config.php");

$check[0] = mysql_query("SELECT email FROM Account WHERE email = '$email'");
$check[1] = mysql_query("SELECT username FROM Account WHERE username = '$username'");

mysql_select_db($db, $con);

function user_valid($user)
{
    if(!isset($user))
    {
        $status = 0;
        $msg = $msg . "You have not inserted a username\n";
    }
    elseif(6 > strlen($user))
    {
        $status = 0;
        $msg = $msg . "Your username must be longer than 5 characters\n";
    }
    elseif(strlen($user) > 30)
    {
        $status = 0;
        $msg = $msg . "Your username must be shorter or equal to 30 characters long\n";
    }
    else
    {
    }
}

function pass_valid($pass, $pass2)
{
    if(!isset($pass))
    {
        $status = 0;
        $msg = $msg . "You need to enter a password\n";
    }
    elseif($pass != $pass2)
    {
        $status = 0;
        $msg = $msg . "Both passwords need to match\n";
    }
    elseif( 6 > strlen($pass))
    {
        $status = 0;
        $msg = $msg . "Password must be longer than 5 characters\n";
    }
    elseif(strlen($pass) > 32)
    {
        $status = 0;
        $msg = $msg . "Password must be shorter or equal to 32 characters\n";
    }
    else
    {
    }
}

function email_valid($mail)
{
    if(!isset($mail))
    {
        $status = 0;
        $msg = $msg . "Email must be entered\n";
    }
    elseif(6 > strlen($mail))
    {
        $status = 0;
        $msg = $msg . "Email must be longer than 5 Characters long\n";
    }
    elseif(strlen($mail) > 30)
    {
        $status = 0;
        $msg = $msg . "Email must be shorter or equal to 30 characters long\n";
    }
    else
    {
    }
}

function misc_valid($uname, $e_mail)
{
    $query = mysql_query("SELECT COUNT(id) FROM Account WHERE username = '$uname'") or die(mysql_error());
    $query2 = mysql_query("SELECT COUNT(id) FROM Account WHERE email = '$e_mail'") or die(mysql_error());

    list($count) = mysql_fetch_array($query);
    list($count2) = mysql_fetch_array($query2);

    if($count > 0)
    {
        $status = 0;
        $msg = $msg . "Username is already taken\n";
    }
    elseif($count2 > 0)
    {
        $status = 0;
        $msg = $msg . "Email is already taken\n";
    }
    else
    {
    }
}

if(isset($reg) && $reg == "reg258741")
{
    $status = 1;
    $msg = "";

    user_valid($username);
    pass_valid($password, $password2);
    email_valid($email);
    misc_valid($username, $email);
    $md5password = MD5($password);
    $newusername = addslashes($username);
    $newemail = addslashes($email);

    if($status == 0)
    {
        echo "<color = 'red'>" . $msg . "\nGo Back and try again ";
    }
    else
    {
        mysql_query("INSERT INTO Account (username, password, email) VALUES ($newusername, $md5password, $newemail)");
        echo "<color = 'green'> You have successfully registered\n";
        echo "An email has been sent to the email address provided you will need to activate your account before logging in\n";
        echo "Please login here";
    }
}
else
{
    echo "Please use the registration form";
}
?>[/code]

config.php

[code]<?

// Database Variables //
$con = mysql_connect("localhost", "", "");
$db = "";

// Form Variables //
$username = $_POST['username'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$email = $_POST['email'];
$terms = $_POST['terms'];
$reg = $_POST['reg258741'];

?>[/code]

The problem I’m getting is that even if you fill in the form wrong it says the account was made, when the account hasn’t been made. Any help please?

I would first start by putting error_reporting(E_ALL) at the top of all pages. This will help to make sure that proper reporting is turned on.

Also, I would suggest that instead of using elseif for all your validation, you just use if.

What I like to do is this:

[code]$error = "0";
// test form vars
if (!$var1) {
    $msg['somename'] = "some message";
    $error++;
}[/code]

Then all the processing of the form, so actually adding the stuff to the database, I would put inside a bit like this:

[code]if ($error == "0") {
    // add stuff to database and let user know if it worked or not
}[/code]

Hope that helped.

  • I don’t see you using mysql_connect() or mysql_pconnect() anywhere? Are you connected to your database?
  • You’re running SELECT queries on table Accounts before calling mysql_select_db()?
  • Are you aware of SQL Injection, and that it’s easily possible in the script you posted?

Yes, I realised I didn’t connect in there, but I already fixed the problems:

One, I wasn’t connected to the DB.
Two, I hadn’t used the global function, so when I called the function and it set $status = 0; that was only available in the function.

And could you explain how MySQL injection could be used here? I used addslashes() and MD5(); is there anything else to make it more secure?
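
Added example, not part of any post in this thread: in the posted script the SELECT queries interpolate the raw $_POST values and the INSERT places the addslashes() output into the SQL without quotes, so user input still becomes part of the query text. The sketch below does the same registration with bound parameters and password_hash(); the register_account() helper, the in-memory SQLite database standing in for MySQL, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database
// so the script runs offline; the Account columns follow the posted INSERT.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE constraints reject duplicates even if two sign-ups race each other.
$pdo->exec('CREATE TABLE Account (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE)');

// Hypothetical helper: returns a list of error messages, empty on success.
function register_account(PDO $pdo, $username, $password, $password2, $email)
{
    $errors = array();
    $len = strlen($username);
    if ($len < 6 || $len > 30) {
        $errors[] = 'Username must be 6 to 30 characters long';
    }
    if ($password !== $password2) {
        $errors[] = 'Both passwords need to match';
    } elseif (strlen($password) < 6 || strlen($password) > 32) {
        $errors[] = 'Password must be 6 to 32 characters long';
    }
    if (strlen($email) > 30 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not valid';
    }
    // Placeholders keep user input out of the SQL text entirely.
    $dup = $pdo->prepare('SELECT COUNT(id) FROM Account WHERE username = ? OR email = ?');
    $dup->execute(array($username, $email));
    if ($dup->fetchColumn() > 0) {
        $errors[] = 'Username or email is already taken';
    }
    if ($errors) {
        return $errors;
    }
    // password_hash() salts and stretches the password; MD5 does neither.
    $ins = $pdo->prepare('INSERT INTO Account (username, password, email) VALUES (?, ?, ?)');
    $ins->execute(array($username, password_hash($password, PASSWORD_DEFAULT), $email));
    return array();
}

// Constructed sample input: a valid sign-up, a repeated username, a bad form.
var_dump(register_account($pdo, 'alice_o\'neil', 'correct horse', 'correct horse', 'alice@example.com'));
var_dump(register_account($pdo, 'alice_o\'neil', 'correct horse', 'correct horse', 'other@example.com'));
var_dump(register_account($pdo, 'bob', 'short', 'nomatch', 'not-an-email'));
```

At login, compare the submitted password with password_verify() against the stored hash rather than re-hashing and comparing strings.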
