SECURE PASSWORDS

This is my code but it’s SQL injectable. I want it so for the password box you can only use the following:
A-Z
a-z
0-9
underscores > (_)
dashes > (-)
full stops > .
slash > /

And for the email, you must use an @ at least.

[php]<?php
session_start();
include_once "incfiles/connectdb.php";

$rand1 = rand(0,100);
$rand2 = rand(0,100);
$answer = $rand1 + $rand2;

if ($_POST['SubmitReg']){
$additional08989 = $_POST['additional'];
$answers = $_POST['answers'];
$register_user = $_POST['register_user'];
$register_pass = $_POST['register_pass'];
$register_pass2 = $_POST['register_pass2'];
$register_gender = $_POST['register_gender'];
$register_email = $_POST['register_email'];
$register_email2 = $_POST['register_email2'];
$register_location=strip_tags($_POST['register_location']);
$register_user=trim($register_user);
$register_pass=trim($register_pass);

$today = gmdate('Y-m-d H:i:s');

$register_user = stripslashes($register_user);
$register_email = stripslashes($register_email);
$quote = stripslashes($quote);
$register_user = strip_tags($register_user);
$register_email = strip_tags($register_email);
$number = $_POST['equals'];

if ($additional08989 != "GANCY78"){ echo "Use your head bro."; }
elseif ($additional08989 == "GANCY78"){

if((!$register_user) || (!$register_email) || (!$register_location) || (!$register_pass)){
echo "Please fill in all of the fields."; }else{

if ($number != "$answers"){ echo "Are you stupid bro? The answer is not $number."; }
elseif ($number == "$answers"){

if ($register_pass != $register_pass2){
echo "The passwords you entered do not match.";
}elseif ($register_pass == $register_pass2){

if ($register_email != $register_email2){
echo "The emails you entered do not match.";
}elseif ($register_email == $register_email2){

if ($register_user == "0"){ echo "Haha good joke, now try using an actual name?"; }
elseif ($register_user != "0"){

if (ereg('[^A-Za-z0-9 _]', $register_user)) {
echo "You can't use symbols in your name.";
}elseif (!ereg('[^A-Za-z0-9 _]', $register_user)) {

if (strlen($register_user) <= 2 || strlen($register_user) >= 20){
echo "The username you entered is too big or too small.";
}elseif (strlen($register_user) > 2 || strlen($register_user) < 20){

$email_check = mysql_query("SELECT email FROM accounts WHERE email='$register_email' AND status='Alive'");
$username_check = mysql_query("SELECT username FROM accounts WHERE username='$register_user'");

$register_email_check = mysql_num_rows($email_check);
$username_check = mysql_num_rows($username_check);

if(($register_email_check > 0) || ($username_check > 0)){

if($register_email_check > 0){
echo "Some other gangster is already running that email address."; unset($register_email); }
if($username_check > 0){
echo "some other gangster is already running that name."; unset($register_user); }

}else{

$ip = $_SERVER['REMOTE_ADDR'];[/php]

ereg is deprecated, and you should do something like this:

[php]// Using a regex to check the password:
if (preg_match("/^(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $password) === 0) {
    $errMsg[] = 'Password must be at least 8 characters, and must contain at least one lower case letter, one upper case letter and one digit.';
}[/php]

However, I personally think it should be up to the user if he/she uses a strong password, but that is just my opinion. :wink:

Also use mysqli or PDO (my recommendation), for mysql is also deprecated.

Look at my signature for an example of a very simple login/registration script (it works).

^- what he said

What they said…
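Putting the thread's advice together as one added example (not the original poster's script and not the replier's): the password box is whitelisted to the characters the question lists, the email goes through filter_var, and the two string-built mysql_query() lookups become PDO prepared statements. The DSN, credentials and the `password_hash` column are assumptions.

```php
<?php
// Added example, not the poster's script: whitelist the input the post asks for,
// then run the duplicate-account check and the insert through PDO prepared statements.

const PASSWORD_RE = '/^[A-Za-z0-9_.\/-]{8,}$/';   // the post's allowed set: A-Z a-z 0-9 _ - . /
const USERNAME_RE = '/^[A-Za-z0-9 _]{3,19}$/';    // the original script's username rule

function validateRegistration(array $post): array
{
    $errors = [];
    $user  = trim($post['register_user'] ?? '');
    $pass  = $post['register_pass'] ?? '';
    $email = trim($post['register_email'] ?? '');
    if (preg_match(USERNAME_RE, $user) !== 1) {
        $errors[] = 'Username: 3 to 19 letters, digits, spaces or underscores.';
    }
    if (preg_match(PASSWORD_RE, $pass) !== 1) {
        $errors[] = 'Password: at least 8 characters from A-Z a-z 0-9 _ - . /';
    }
    if ($pass !== ($post['register_pass2'] ?? '')) {
        $errors[] = 'The passwords you entered do not match.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {   // stricter than "has an @"
        $errors[] = 'Enter a valid email address.';
    }
    return $errors;   // empty array means the input passed every check
}

// Both mysql_query() lookups from the post as one prepared statement: the values are
// bound by the driver, so a quote in $user or $email cannot change the SQL.
function accountTaken(PDO $db, string $user, string $email): bool
{
    $stmt = $db->prepare('SELECT 1 FROM accounts
                           WHERE username = :user OR (email = :email AND status = \'Alive\')');
    $stmt->execute([':user' => $user, ':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

// Usage (DSN, credentials and the password_hash column are assumed): store a
// password_hash() value, never the plaintext password.
$db = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER', 'USER_PLACEHOLDER', 'PASS_PLACEHOLDER',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$user  = trim($_POST['register_user'] ?? '');
$email = trim($_POST['register_email'] ?? '');
if (validateRegistration($_POST) === [] && !accountTaken($db, $user, $email)) {
    $db->prepare('INSERT INTO accounts (username, email, password_hash) VALUES (?, ?, ?)')
       ->execute([$user, $email, password_hash($_POST['register_pass'], PASSWORD_DEFAULT)]);
}
```

With emulated prepares switched off, MySQL receives the statement and the values separately, which is what makes the lookup safe regardless of what the user typed.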
