html - PHP, MySql. Requiring people to sign up with a key


So I've created a registration page, and I've attempted to make it require an "alpha" key for the game, but I cannot get it working. I've got the information in the database, and it's coming out with the error "err 02: failed register!"

    <!doctype html>
    <html>
    <head>
      <title>register</title>
    </head>
    <body>

    <h3>registration form</h3>
    <form action="" method="post">
    alpha key: <input type=text name='alphakey'><br/>
    username: <input type=text name='user'><br/>
    password: <input type=password name='pass'><br/>
    <input type=submit value='register' name='submit'>
    </form>
    <?php

    if (isset($_POST['submit'])) {

        if (!empty($_POST['user']) && !empty($_POST['pass'])) {

            // mysql_real_escape_string() escapes special characters in a string for use in an SQL statement
            $user = mysql_real_escape_string($_POST['user']);
            $pass = mysql_real_escape_string($_POST['pass']);
            $alphakey = mysql_real_escape_string($_POST['alphakey']);

            $con = mysql_connect('localhost', '<my_user>', '<my_password>') or die(mysql_error());
            mysql_select_db('user') or die("cannot select db");

            $query = mysql_query("select * from login where user='".$user."'");
            //$query.=mysql_query("select * from regkey where alphakey='".$_POST["alphakey"]."'");
            $numrows = mysql_num_rows($query);
            if ($numrows == 0) {
                // md5() calculates the MD5 hash of a string
                //$encrypt_password=password_hash($pass, PASSWORD_DEFAULT);
                $encrypt_password = md5($_POST["pass"]);

                $sql = "insert into login(user,pass) values('".$_POST["user"]."','$encrypt_password')";
                $sql .= "select * from regkey where alphakey='".$_POST["alphakey"]."'";

                $result = mysql_query($sql);

                if ($result != 1) {
                    echo "err 02: failed register";
                } else {
                    echo "account created";
                }
            } else {
                echo "that username exists! please try again another.";
            }

        } else {
            echo "all fields required!";
        }
    }
    ?>
    <p><a href="register.php">register</a> | <a href="login.php">login</a></p>
    </body>
    </html>

I would use the following method.

Foreword: Consult the footnotes about the use of insecure functions.

First check if the reg key exists, then insert into the DB.

    $query = mysql_query("select * from login where user='".$user."'");

    $numrows = mysql_num_rows($query);

    // if user doesn't exist...
    if($numrows==0) {

        $encrypt_password = md5($_POST["pass"]);

        // look the submitted key up in the regkey table
        $query_key = mysql_query("select * from regkey where alphakey='".$_POST["alphakey"]."'")
                     or die(mysql_error());

        $check_key = mysql_num_rows($query_key);

        // only insert the account when the key was found
        if($check_key >0){

            $sql = mysql_query("insert into login (user,pass)
                                values ('".$_POST["user"]."','$encrypt_password')")
                   or die(mysql_error());
        }

    } // closing brace for if($numrows==0)

    // $sql is only set when the insert ran
    if(!empty($sql)){ echo "success."; }

Give that a go. If you have problems or I may have misunderstood the question, let me know and I'll be glad to adjust my answer accordingly.

Footnotes:

Your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements; they're safer.

Password storage:

You are using MD5, which is an old and considered broken method of hashing, and is no longer considered safe to use.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.

For PHP < 5.5 use the password_hash() compatibility pack.


PDO with prepared statements example, including using password_hash().

Pulled from ircmaxell's answer https://stackoverflow.com/a/29778421/

Just use a library. Seriously. They exist for a reason.

Don't do it yourself. If you're creating your own salt, you're doing it wrong. You should be using a library that handles that for you.

    $dbh = new PDO(...);

    $username = $_POST["username"];
    $email = $_POST["email"];
    $password = $_POST["password"];
    // password_hash() generates the salt and picks the algorithm
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // values are bound as parameters, never concatenated into the SQL
    $stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
    $stmt->execute([$username, $email, $hash]);

And on login:

    $sql = "select * from users where username = ?";
    $stmt = $dbh->prepare($sql);
    // execute() returns a bool, so the rows are fetched from the statement
    $stmt->execute([$_POST['username']]);
    // fetch as objects so that ->password below works
    $users = $stmt->fetchAll(PDO::FETCH_OBJ);
    if (isset($users[0])) {
        if (password_verify($_POST['password'], $users[0]->password)) {
            // valid login
        } else {
            // invalid password
        }
    } else {
        // invalid username
    }
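The key check and the account insert from this answer, combined with prepared statements and password_hash(), as an added example that is not code from the question, the answer, or ircmaxell's post. Table and column names (`login`, `regkey`, `user`, `pass`, `alphakey`) are taken from the question; `registerWithKey()`, the in-memory SQLite database and the sample key are assumptions made so the example runs on its own.

```php
<?php
// Added example: table/column names come from the question; registerWithKey()
// and the sample rows below are constructed for illustration.

function registerWithKey(PDO $dbh, string $alphakey, string $user, string $pass): string
{
    if ($alphakey === '' || $user === '' || $pass === '') {
        return 'all fields required';
    }
    $dbh->beginTransaction();
    try {
        // 1. The key must exist. It is bound as a parameter, never concatenated.
        $stmt = $dbh->prepare('SELECT 1 FROM regkey WHERE alphakey = ?');
        $stmt->execute([$alphakey]);
        if ($stmt->fetchColumn() === false) {
            $dbh->rollBack();
            return 'invalid key';
        }
        // 2. The username must be free.
        $stmt = $dbh->prepare('SELECT 1 FROM login WHERE user = ?');
        $stmt->execute([$user]);
        if ($stmt->fetchColumn() !== false) {
            $dbh->rollBack();
            return 'username exists';
        }
        // 3. Store a password_hash() value instead of md5().
        $stmt = $dbh->prepare('INSERT INTO login (user, pass) VALUES (?, ?)');
        $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
        $dbh->commit();
        return 'account created';
    } catch (PDOException $e) {
        $dbh->rollBack();   // e.g. a concurrent insert hit the primary key on login.user
        return 'registration failed';
    }
}

// Constructed in-memory database so the example runs offline (needs pdo_sqlite).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE regkey (alphakey TEXT PRIMARY KEY)');
$dbh->exec('CREATE TABLE login (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$dbh->exec("INSERT INTO regkey VALUES ('ALPHA-TEST-KEY')");

echo registerWithKey($dbh, 'ALPHA-TEST-KEY', 'alice', 'correct horse'), "\n"; // valid key
echo registerWithKey($dbh, "no-such-key'", 'bob', 'pw'), "\n";   // quote is treated as data
echo registerWithKey($dbh, 'ALPHA-TEST-KEY', 'alice', 'other'), "\n";         // duplicate user
```

As in the question, a key stays valid after use here; making keys single-use would mean deleting or flagging the `regkey` row inside the same transaction.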
