Registreer Systeem met formulier probleem.
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
<?
$con = mysql_connect("mijn database server", "mijn username", "mijn wachtwoord");
mysql_select_db("mijn database naam", $con);
//Register Script \\
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$password2 = $_REQUEST['password2'];
$email = $_REQUEST['email'];
$apemail = $_REQUEST['apemail'];
$upline = $_REQUEST['upline'];
if (empty($username)) {
echo "Please Enter your Username";
} else
if (empty($password) or empty($password2)) {
echo "Please Enter a Password";
} else
if (empty($email) or empty($apemail)) {
echo "Please Enter an Email";
} else
if ($password != $password2) {
echo "The entered passwords don't match";
} else {
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password2 = mysql_real_escape_string($password2);
$email = mysql_real_escape_string($email);
$apemail = mysql_real_escape_string($apemail);
$upline = mysql_real_escape_string($upline);
$user_check = mysql_query("SELECT username FROM members WHERE username='$username'");
$do_user_check = mysql_num_rows($user_check);
$email_check = mysql_query("SELECT email FROM members WHERE email='$email'");
$do_email_check = mysql_num_rows($email_check);
$apemail_check = mysql_query("SELECT email FROM members WHERE apemail='$apemail'");
$do_apemail_check = mysql_num_rows($apemail_check);
if($do_user_check > 0){
echo "Username is already in use!";
} else
if($do_email_check > 0){
echo "Email is already in use!";
} else
if($do_apemail_check > 0){
echo "Paypal Email is already in use!";
} else {
$insert = mysql_query("INSERT INTO users (username, password, email, apemail, upline) VALUES ('$username', '$password', '$email', '$apemail', '$upline')");
if(!$insert){
echo "Error: ".mysql_error();
} else {
echo $username.", you are now registered.";
}
}
}?>
$con = mysql_connect("mijn database server", "mijn username", "mijn wachtwoord");
mysql_select_db("mijn database naam", $con);
//Register Script \\
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
$password2 = $_REQUEST['password2'];
$email = $_REQUEST['email'];
$apemail = $_REQUEST['apemail'];
$upline = $_REQUEST['upline'];
if (empty($username)) {
echo "Please Enter your Username";
} else
if (empty($password) or empty($password2)) {
echo "Please Enter a Password";
} else
if (empty($email) or empty($apemail)) {
echo "Please Enter an Email";
} else
if ($password != $password2) {
echo "The entered passwords don't match";
} else {
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password2 = mysql_real_escape_string($password2);
$email = mysql_real_escape_string($email);
$apemail = mysql_real_escape_string($apemail);
$upline = mysql_real_escape_string($upline);
$user_check = mysql_query("SELECT username FROM members WHERE username='$username'");
$do_user_check = mysql_num_rows($user_check);
$email_check = mysql_query("SELECT email FROM members WHERE email='$email'");
$do_email_check = mysql_num_rows($email_check);
$apemail_check = mysql_query("SELECT email FROM members WHERE apemail='$apemail'");
$do_apemail_check = mysql_num_rows($apemail_check);
if($do_user_check > 0){
echo "Username is already in use!";
} else
if($do_email_check > 0){
echo "Email is already in use!";
} else
if($do_apemail_check > 0){
echo "Paypal Email is already in use!";
} else {
$insert = mysql_query("INSERT INTO users (username, password, email, apemail, upline) VALUES ('$username', '$password', '$email', '$apemail', '$upline')");
if(!$insert){
echo "Error: ".mysql_error();
} else {
echo $username.", you are now registered.";
}
}
}?>
En mijn Formulier:
Code (php)
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
<form action="" method="post">
Username: <input type="text" name="Username" size="15"/><br />
Password: <input type="password" name="Password" size="15"/><br />
Password: <input type="password" name="Password2" size="15" /><br />
Email: <input type="text" name="email" size="30" /> <br />
Paypal Email: <input type="text" name="email" size="30" /> <br />
<input type="hidden" name="email" value="<? echo date('D, M, Y');?>" />
<input type="hidden" name="upline" value="<? echo $_GET['ref'];?>" />
<input type="submit" value="Register" /> <br />
</form>
Username: <input type="text" name="Username" size="15"/><br />
Password: <input type="password" name="Password" size="15"/><br />
Password: <input type="password" name="Password2" size="15" /><br />
Email: <input type="text" name="email" size="30" /> <br />
Paypal Email: <input type="text" name="email" size="30" /> <br />
<input type="hidden" name="email" value="<? echo date('D, M, Y');?>" />
<input type="hidden" name="upline" value="<? echo $_GET['ref'];?>" />
<input type="submit" value="Register" /> <br />
</form>
Wat ik ook doe er staat nu gewoon constant "Please Enter a Password".
Ik snap ook niet hoe de link wordt gemaakt tussen dit formulier en de php code die daarbij moet worden uitgevoerdt.
Ik hoop dat iemand mij kan helpen
Dirk
Modedit Chris:
Code in -tags geplaatst
Gewijzigd op 12/01/2012 00:58:13 door Chris
Gesponsorde koppelingen:
Overigens ziet deze code er echt heel erg oud en bevat hij een aantal opmerkingen:
- Je opent met shorttags, die zijn niet op alle servers ondersteunt
- Je controleert niet of het PHP script via een POST-request is aangevraagd
- Je variabelen zijn zowel via GET als POST bereikbaar, waarom?
- Je slaat je wachtwoorden als PLAIN-text op, waarom?
- Je hebt de mogelijkheid tot een XSS-injectie in je formulier
Je koppelt je formulier met de verwerking, door ze in aparte pagina's te stoppen. Je actie van het formulier, gaat naar het PHP script.
Gewijzigd op 12/01/2012 00:58:44 door Chris
Gewijzigd op 12/01/2012 02:28:53 door Dirk Hoekstra
Chris Horeweg op 12/01/2012 00:57:57:
Overigens ziet deze code er echt heel erg oud en bevat hij een aantal opmerkingen:
- Je opent met shorttags, die zijn niet op alle servers ondersteunt
Je controleert niet of het PHP script via een POST-request is aangevraagd- Je variabelen zijn zowel via GET als POST bereikbaar, waarom?
- Je slaat je wachtwoorden als PLAIN-text op, waarom?
- Je hebt de mogelijkheid tot een XSS-injectie in je formulier
Ik heb doorgestreept wat je gedaan hebt. De andere punten zie ik geen verandering in.
Edit: Okee, je hebt je post alweer verwijderd.
Gewijzigd op 12/01/2012 02:49:03 door - SanThe -
Toevoeging op 12/01/2012 20:43:37:
Oke, ik heb mijn script verbeterd:
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['formname'] == 'register') {
$con = mysql_connect("dgbdatabase.db.8810975.hostedresource.com", "dgbdatabase", "msFZW4Mmdat");
mysql_select_db("dgbdatabase", $con);
//Register Script \\
$username = $_POST['username'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$email = $_POST['email'];
$apemail = $_POST['apemail'];
$upline = $_POST['upline'];
$error = "";
$fontcol = "CF2323";
if (empty($username)) {
$error = "<b>Error: Please Enter a Username<b><br />";
} else
if (empty($password) or empty($password2)) {
$error = "<b>Error: Please Enter your Password<b><br />";
} else
if (empty($email) or empty($apemail)) {
$error = "<b>Error: Please Enter your Email<b><br />";
} else
if ($password != $password2) {
$error = "<b>Error: Passwords don't match!<br />password1: " . $password ."<br />password2: ".$password2."<b><br />";
} else {
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password2 = mysql_real_escape_string($password2);
$email = mysql_real_escape_string($email);
$apemail = mysql_real_escape_string($apemail);
$upline = mysql_real_escape_string($upline);
$password = crypt($password);
$password2 = crypt($password2);
$user_check = mysql_query("SELECT username FROM members WHERE username='$username'");
$do_user_check = mysql_num_rows($user_check);
$email_check = mysql_query("SELECT email FROM members WHERE email='$email'");
$do_email_check = mysql_num_rows($email_check);
$apemail_check = mysql_query("SELECT email FROM members WHERE apemail='$apemail'");
$do_apemail_check = mysql_num_rows($apemail_check);
if($do_user_check > 0){
$error = "<b>Error: Username ".$username." is Taken.<b><br />";
} else
if($do_email_check > 0){
$error = "<b>Error: Email ".$email." is Taken.<b><br />";
} else
if($do_apemail_check > 0){
$error = "<b>Error: Alertpay Email ".$apemail." is Taken.<b><br />";
} else {
$insert = mysql_query("INSERT INTO members (username, password, email, apemail, upline) VALUES ('$username', '$password', '$email', '$apemail', '$upline')");
if(!$insert){
$error = "<b>Error: ".mysql_error()."</b><br />";
} else {
$error = "<b>Registered Succesfully as ". $username."!<br />You can now Login at the left of the webpage.</b><br />";
$fontcol = "96C058";
}
}
}
}
?>
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['formname'] == 'register') {
$con = mysql_connect("dgbdatabase.db.8810975.hostedresource.com", "dgbdatabase", "msFZW4Mmdat");
mysql_select_db("dgbdatabase", $con);
//Register Script \\
$username = $_POST['username'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$email = $_POST['email'];
$apemail = $_POST['apemail'];
$upline = $_POST['upline'];
$error = "";
$fontcol = "CF2323";
if (empty($username)) {
$error = "<b>Error: Please Enter a Username<b><br />";
} else
if (empty($password) or empty($password2)) {
$error = "<b>Error: Please Enter your Password<b><br />";
} else
if (empty($email) or empty($apemail)) {
$error = "<b>Error: Please Enter your Email<b><br />";
} else
if ($password != $password2) {
$error = "<b>Error: Passwords don't match!<br />password1: " . $password ."<br />password2: ".$password2."<b><br />";
} else {
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$password2 = mysql_real_escape_string($password2);
$email = mysql_real_escape_string($email);
$apemail = mysql_real_escape_string($apemail);
$upline = mysql_real_escape_string($upline);
$password = crypt($password);
$password2 = crypt($password2);
$user_check = mysql_query("SELECT username FROM members WHERE username='$username'");
$do_user_check = mysql_num_rows($user_check);
$email_check = mysql_query("SELECT email FROM members WHERE email='$email'");
$do_email_check = mysql_num_rows($email_check);
$apemail_check = mysql_query("SELECT email FROM members WHERE apemail='$apemail'");
$do_apemail_check = mysql_num_rows($apemail_check);
if($do_user_check > 0){
$error = "<b>Error: Username ".$username." is Taken.<b><br />";
} else
if($do_email_check > 0){
$error = "<b>Error: Email ".$email." is Taken.<b><br />";
} else
if($do_apemail_check > 0){
$error = "<b>Error: Alertpay Email ".$apemail." is Taken.<b><br />";
} else {
$insert = mysql_query("INSERT INTO members (username, password, email, apemail, upline) VALUES ('$username', '$password', '$email', '$apemail', '$upline')");
if(!$insert){
$error = "<b>Error: ".mysql_error()."</b><br />";
} else {
$error = "<b>Registered Succesfully as ". $username."!<br />You can now Login at the left of the webpage.</b><br />";
$fontcol = "96C058";
}
}
}
}
?>
En mijn inlog form:
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<form action="<?php echo basename(__FILE__); ?>" method="post">
Username:<br /> <input type="text" name="username" size="15"/><br /> <br />
Password:<br /> <input type="password" name="password" size="15"/><br />
Password:<br /> <input type="password" name="password2" size="15" /><br /><br />
Email:<br /> <input type="text" name="email" size="30" /> <br />
Alertpay Email:<br /> <input type="text" name="apemail" size="30" /> <br /><br />
<input type="hidden" name="date" value="<?php echo date('D, M, Y');?>" />
<input type="hidden" name="upline" value="<?php echo $_GET['ref'];?>" />
<input type="hidden" name="formname" value="register">
<div id="error">
<font color=<?php echo $fontcol?> size="3"><?php echo $error; ?></font>
<br />
</div>
<input type="submit" value="register" /> <br />
<input type='hidden' name='submit' />
</form>
Username:<br /> <input type="text" name="username" size="15"/><br /> <br />
Password:<br /> <input type="password" name="password" size="15"/><br />
Password:<br /> <input type="password" name="password2" size="15" /><br /><br />
Email:<br /> <input type="text" name="email" size="30" /> <br />
Alertpay Email:<br /> <input type="text" name="apemail" size="30" /> <br /><br />
<input type="hidden" name="date" value="<?php echo date('D, M, Y');?>" />
<input type="hidden" name="upline" value="<?php echo $_GET['ref'];?>" />
<input type="hidden" name="formname" value="register">
<div id="error">
<font color=<?php echo $fontcol?> size="3"><?php echo $error; ?></font>
<br />
</div>
<input type="submit" value="register" /> <br />
<input type='hidden' name='submit' />
</form>
Zou iemand misschien kunnen helpen met eventuele zwakke punten?
En misschien mij in de goede richting kunnen wijzen hoe ik een xss injectie tegenga?
Dirk.
Gewijzigd op 12/01/2012 20:46:32 door Dirk Hoekstra
