Author Topic: Register / Login script.  (Read 600 times)

Offline Dunkthefunk (Topic starter)

  • Irregular
  • Posts: 9
Register / Login script.
« on: September 08, 2010, 05:39:25 PM »
Hiya,

I'm fairly new to PHP and MySQL but I’ve toyed around with a Register and login script and I can now get most of it to work, however I’m having trouble with the passwords. When a user registers the password changes and comes up as jargon in my database. I can't really see much wrong with the script but I expect that’s due to my amateur PHP abilities. Here is the code relating to the Password. It is stored as an array and as a cookie and the cookie is deleted upon log out.

(I'm also aware I haven't included MySQL connect information... for obvious reasons  :))

Kind regards


<?php
mysql_connect("", "", "") or die(mysql_error());
mysql_select_db("") or die(mysql_error());

if (isset($_POST['submit'])) {

    // Reject the submission if any required field is missing.
    if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2']) {
        die('You did not complete all of the required fields');
    }

    // - Here is information about the Username.. that's working fine and dandy -

    // Both password fields must match.
    if ($_POST['pass'] != $_POST['pass2']) {
        die('Your passwords did not match. ');
    }

    // The MD5 hash of the password, not the password itself, is what gets stored.
    $_POST['pass'] = md5($_POST['pass']);

    // Escape the values by hand when magic quotes are off.
    if (!get_magic_quotes_gpc()) {
        $_POST['pass'] = addslashes($_POST['pass']);
        $_POST['username'] = addslashes($_POST['username']);
    }

    $insert = "INSERT INTO users (username, password)
        VALUES ('".$_POST['username']."', '".$_POST['pass']."')";
    $add_member = mysql_query($insert);
}
?>


Offline Pikachu2000

  • I hate everything.
  • Global Moderator
  • Freak!
  • Posts: 9,061
  • Gender: Male
  • Is it solipsistic in here, or is it just me?
Re: Register / Login script.
« Reply #1 on: September 08, 2010, 10:49:30 PM »
The password isn't changing and coming up as jargon. It's being hashed by the MD5() function, and the resulting value of that hash is being stored in the database. That is the correct way to deal with passwords, however I'd have chosen a stronger hashing algorithm, and added a salt.

There's a problem or two here:

// if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) { All of the | should be ||
//     die('You did not complete all of the required fields');
// The above would be better written as:
if ( empty(trim($_POST['username'])) || empty(trim($_POST['pass'])) || empty(trim($_POST['pass2'])) ) {
    $error = 'Username, password and password confirmation fields are mandatory.';
}


Then you would check to see if $error is empty, and if not, present the error message. You could also validate each field separately, and store each error in an $error[] array element, then loop through the array to display specific errors. Using die() for form field validation errors is a horrible way to do it.
"Java" is to "Javascript" about the same as "fun" is to "funeral".

Why $_SERVER['PHP_SELF'] is bad. || Why ORDER BY RAND() is bad || Every problem can be solved with rm -rf * || Linux Help --> linuxforum.com
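
The "stronger hashing algorithm" and "salt" suggested in Reply #1, as an added example that is not code from either poster: it uses PHP's built-in password_hash() and password_verify(), which need PHP 5.5 or later and so postdate this 2010 thread. It assumes PHP 7.1+ with the pdo_sqlite extension; the table layout, function names and sample accounts are constructed for illustration.

```php
<?php
// Added example. Table layout, function names and accounts are constructed.
function open_db(): PDO {
    // In-memory SQLite keeps this runnable offline; a MySQL DSN works the same way.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Leave room for longer hashes: VARCHAR(255) if the column is sized in MySQL.
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $username, string $password): void {
    // password_hash() picks a random salt on every call and embeds the salt,
    // algorithm and cost in its output, so a single column holds everything.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Bound parameters take the place of addslashes() and magic quotes.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // password_verify() re-derives the hash using the salt stored inside $hash.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Re-hash transparently when PHP's default algorithm or cost has moved on.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

$db = open_db();
register_user($db, 'alice', 'correct horse');
register_user($db, 'bob', 'correct horse'); // same password as alice

$rows = $db->query('SELECT username, password FROM users')->fetchAll(PDO::FETCH_KEY_PAIR);
// Compare the two stored values: per-user salts vs. unsalted md5().
var_dump($rows['alice'] === $rows['bob']);
var_dump(md5('correct horse') === md5('correct horse'));
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, 'alice', 'wrong guess'));
```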

Offline Dunkthefunk (Topic starter)

Re: Register / Login script.
« Reply #2 on: September 09, 2010, 06:11:15 AM »
Ahh thank you very much.

- Instead of using die, should I use exit?


Offline Pikachu2000

Re: Register / Login script.
« Reply #3 on: September 09, 2010, 09:07:23 AM »
No, killing the script is like slamming the door in the user's face. You should store validation errors, then display them along with the form again, so the user has an opportunity to correct the errors and proceed without using the back button or anything like that. I'll put up an example later that will illustrate basically how to do that.

Offline Dunkthefunk (Topic starter)

Re: Register / Login script.
« Reply #4 on: September 09, 2010, 12:43:58 PM »
Right got'cha.

Thanks very much for your time and input, it's very helpful!

Offline Pikachu2000

Re: Register / Login script.
« Reply #5 on: September 09, 2010, 05:47:07 PM »
Now that I have a few minutes, here is a basic illustration of what I was talking about. This is a basic jumping off point for validation and input error handling methods, and can be built upon to include placing the messages next to the field to which it applies, etc. Look through it, and if you have questions, please ask.

Code:
<?php
// If the hidden field's value is present, the form has been submitted. This caters to some browsers' weaknesses in handling submit buttons.
if( isset($_POST['submitted']) && $_POST['submitted'] == 'true' ) {
    $errors = array(); // initialize an array to hold error messages
    if( empty($_POST['user_name']) ) {
        $errors[] = 'Username may not be blank';
    }
    if( empty($_POST['password']) || empty($_POST['password_conf']) ) {
        $errors[] = 'Password and password confirmation fields are both required.';
    } else {
        if( $_POST['password'] != $_POST['password_conf'] ) {
            $errors[] = 'Password and password confirmation fields must match.';
        }
    }
    if( empty($errors) ) {
        // Here is the code that is processed if the form has been submitted and there are no validation errors. Database insert, update, whatever.
    }
}
?>

<html>
<head>
<title>Test page for field validation</title>
</head>
<body>
<?php
if( !empty($errors) ) {  // starts the display process if the $errors array is not empty.
    $num = count($errors);
    $i = 1;
    foreach( $errors as $value ) { // Loops through the $errors array, and displays each error for the user.
        echo "<font color=\"red\">$value</font>";
        if( $i < $num ) {  // This conditional inserts a <br /> unless it's the last error message.
            echo '<br />';
        }
        $i++;
    }
}
?>

<form action="" method="post">
Username: <input type="text" name="user_name" /><br />
Password: <input type="password" name="password" /><br />
Re-type Password: <input type="password" name="password_conf" /><br />
<input type="hidden" name="submitted" value="true" />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>