Php Validation Problem


ColdEdge

Hi, I made a PHP registration script, but when a Username is inputted it's not validated against the one in the database and it still adds the same username that is already in the database. Here are the codes:

MySQL Tables

tables.jpg

MySQL Connect Script

<?php
$con = mysql_connect('localhost', '<-! DB USERNAME !->', '<!- DB PASSWORD -!>'); // host, username, password
mysql_select_db('<!- DB NAME -!>', $con);

function db_query($sql)
{
  return mysql_query($sql, $GLOBALS['con']);
}
?>

PHP Registration Script

<?php
require_once 'connection.php';

$page_mode = isset($_POST['page_mode']) ? $_POST['page_mode'] : '';
$error_string = '';

if ($page_mode == 'register')
{
  $username = trim($_POST['username']); // trim to remove whitespace
  $password = $_POST['password'];
  $conf_password = $_POST['conf_password'];
  $email = trim($_POST['email']); // trim to remove whitespace
  $age = $_POST['age'];
  $location = $_POST['location'];
  $secret_a = $_POST['secret_a'];

  if ($username == '')
    $error_string .= 'Please enter username.<br>';
  if (strlen(trim($password)) < 6)
    $error_string .= 'You must enter a password of at least 6 characters.<br>';
  if ($password != $conf_password)
    $error_string .= 'The password and confirmation password do not match.<br>';
  if (!isValidEmail($email))
    $error_string .= 'Please enter a valid email address.<br>';
  if ($age == '')
    $error_string .= 'Please enter your age.<br>';
  if($secret_a == '')
    $error_string .= 'Please enter secret answare.<br>';

  if ($error_string == '')
  {
    $result = db_query("SELECT id FROM members WHERE email='" . mysql_real_escape_string($email) . "'");
    if (mysql_num_rows($result) > 0)
      $error_string .= 'That email address is already registerd.<br>';

    $result = db_query("SELECT username FROM members WHERE username='" . mysql_real_escape_string($username) . "'");
    if (mysql_num_rows($result) > 0)
      $error_string .= 'That username is already in use.<br>';
    else {
      $username = mysql_real_escape_string($username);
      $password = sha1($password); // hash password
      $email = mysql_real_escape_string($email); // protect against SQL attacks
      $location = mysql_real_escape_string($location);
      $age = mysql_real_escape_string($age);
      $secret_a = mysql_real_escape_string($secret_a);

      db_query("INSERT INTO members (username, password, email, age, location, secret_a) VALUES ('{$username}', '{$password}', '{$email}', '{$age}', '{$location}', '{$secret_a}')");
      header('Location: thankyou.php');
      exit();
    }
  }
}

function isValidEmail($email = '')
{
  return preg_match("/^[\d\w\/+!=#|$?%{^&}*`'~-][\d\w\/\.+!=#|$?%{^&}*`'~-]*@[A-Z0-9][A-Z0-9.-]{1,61}[A-Z0-9]\.[A-Z]{2,6}$/ix",$email);
}
?>

Thank You Code

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <title>Thank You</title>
  </head>
  <body>
    Thank you for registering, click <a href="login.php">here</a> to log in.
  </body>
</html>

Also I have a field that says Secret Question: Your favorite anime? and the bottom field is where you could input that, but I am sure people will forget it, so is there any way to make it so when a user registers they will be sent an e-mail with their Username, Password and Secret Answer?

-Thank You!


nvm i got it had to add this code... i had this code in index.php while register.php did not have

$result = db_query("SELECT username FROM members WHERE username='" . mysql_real_escape_string($username) . "'");
if (mysql_num_rows($result) > 0)
  $error_string .= 'That username is already in use.<br>';

but still need help with sending all register info to member....


It's already checking here, it's just checking email address instead of username:

$result = db_query("SELECT id FROM members WHERE email='" . mysql_real_escape_string($email) . "'");
if (mysql_num_rows($result) > 0)
  $error_string .= 'That email address is already registerd.<br>';

This is what you can use to send them an email with whatever you want in it:
http://www.php.net/manual/en/function.mail.php

As for the secret question, you might want to reconsider that. If I know what your favorite anime is (and you probably say what it is somewhere, or I can strike up a conversation with you and work that into it), I can change your password. The concept of a secret question as a way to reset a password makes the password much less secure; that should be what the email address is used for (email them a link they can use to change their password). A secret question is the reason why people like Paris Hilton and Sarah Palin get their email accounts "hacked".


Yeah, change the secret answer field or add a new database field with an activation ID. Make it at least 20 characters. To produce a 20-character unique activation ID, you can use this:

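do {
  // candidate 20-character code
  $code = substr(sha1(mt_rand() . time()), 0, 20);
  // count the members that already hold this code
  $result = mysql_query("SELECT COUNT(*) AS num FROM members WHERE activation_id='{$code}'");
  $row = mysql_fetch_assoc($result);
  $in_use = $row['num'] > 0;
} while ($in_use); // generate another code only when this one is already taken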

After that, $code will be your 20-character unique ID. You can update the members table to assign that ID to the member you're activating, and include it on a link, e.g. activate.php?a={$code}. On the activate.php page you need to get the ID and look up a user in the database with that ID, and do whatever you want with that user. The activate page should also remove the ID from the database once the account is activated so they can't keep trying to use the same code. If you want more protection, add a second database field where you can store the time they registered and the activate page would also check the time to make sure it's been less than 24 hours or 48 hours or however long you want the code to be valid for. You do the same thing when someone wants to reset their password, generate a unique ID and store it with their account in the database then send them a link with that ID in it. Since the IDs are unique, each one will only apply to one user, and you can use the timestamp to make sure they have to reset their password within a certain time frame or else they have to generate a new ID and reset it again.

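The activation and reset-link flow described in the two replies above, as an added example that is not part of the original thread: the code comes from the operating system's CSPRNG via random_bytes() rather than mt_rand() and time(), only its SHA-256 hash is stored, every query is a prepared statement, and the code is cleared on first use and rejected after 24 hours. The members columns, the function names and the in-memory SQLite database (through PDO) are assumptions chosen so the block runs offline.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 86400; // seconds an emailed link stays valid (24 hours)

// Constructed in-memory database; the table layout is an assumption for this example.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE members (
        id            INTEGER PRIMARY KEY,
        username      TEXT NOT NULL UNIQUE,
        active        INTEGER NOT NULL DEFAULT 0,
        token_hash    TEXT UNIQUE,
        token_expires INTEGER
    )');
    return $pdo;
}

// Issue a fresh code for one member and return the raw value for the emailed link.
// With 160 random bits a collision check loop is unnecessary; the UNIQUE
// constraint on token_hash is the backstop.
function issue_token(PDO $pdo, int $memberId, int $now): string
{
    $token = bin2hex(random_bytes(20)); // 40 hex characters
    $stmt = $pdo->prepare(
        'UPDATE members SET token_hash = ?, token_expires = ? WHERE id = ?'
    );
    // Only the hash is stored, so a leaked table does not contain usable links.
    $stmt->execute([hash('sha256', $token), $now + TOKEN_TTL, $memberId]);
    return $token;
}

// Redeem a code taken from the link. Returns 'ok', 'invalid' or 'expired'.
function redeem_token(PDO $pdo, string $token, int $now): string
{
    // Reject anything that is not exactly the shape issue_token() produces.
    if (preg_match('/\A[0-9a-f]{40}\z/', $token) !== 1) {
        return 'invalid';
    }
    $hash = hash('sha256', $token);

    $stmt = $pdo->prepare('SELECT id, token_expires FROM members WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'invalid';
    }

    if ($now > (int) $row['token_expires']) {
        // Too old: clear it so the member has to request a new link.
        $pdo->prepare('UPDATE members SET token_hash = NULL, token_expires = NULL WHERE id = ?')
            ->execute([$row['id']]);
        return 'expired';
    }

    // Activate and clear the code in one statement. The token_hash condition
    // means two simultaneous requests cannot both succeed.
    $upd = $pdo->prepare(
        'UPDATE members SET active = 1, token_hash = NULL, token_expires = NULL
         WHERE id = ? AND token_hash = ?'
    );
    $upd->execute([$row['id'], $hash]);
    return $upd->rowCount() === 1 ? 'ok' : 'invalid';
}

// Demo with constructed data.
$pdo = open_demo_db();
$pdo->exec("INSERT INTO members (id, username) VALUES (22, 'Zen')");
$now = time();

$token = issue_token($pdo, 22, $now);
echo 'link:   activate.php?a=', $token, "\n";
echo 'wrong:  ', redeem_token($pdo, str_repeat('0', 40), $now), "\n";
echo 'first:  ', redeem_token($pdo, $token, $now + 60), "\n";
echo 'replay: ', redeem_token($pdo, $token, $now + 120), "\n";

$late = issue_token($pdo, 22, $now);
echo 'late:   ', redeem_token($pdo, $late, $now + TOKEN_TTL + 1), "\n";
```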

Here is the current register.php

Register Script

<?php
require_once 'connection.php';

$page_mode = isset($_POST['page_mode']) ? $_POST['page_mode'] : '';
$error_string = '';

if ($page_mode == 'register')
{
  $username = trim($_POST['username']); // trim to remove whitespace
  $password = $_POST['password'];
  $conf_password = $_POST['conf_password'];
  $email = trim($_POST['email']); // trim to remove whitespace
  $age = $_POST['age'];
  $location = $_POST['location'];

  if ($username == '')
    $error_string .= 'Please enter username.<br>';
  if (strlen(trim($password)) < 6)
    $error_string .= 'You must enter a password of at least 6 characters.<br>';
  if ($password != $conf_password)
    $error_string .= 'The password and confirmation password do not match.<br>';
  if (!isValidEmail($email))
    $error_string .= 'Please enter a valid email address.<br>';
  if ($age == '')
    $error_string .= 'Please enter your age.<br>';

  if ($error_string == '')
  {
    $result = db_query("SELECT id FROM members WHERE email='" . mysql_real_escape_string($email) . "'");
    if (mysql_num_rows($result) > 0)
      $error_string .= 'That email address is already registerd.<br>';

    $result = db_query("SELECT username FROM members WHERE username='" . mysql_real_escape_string($username) . "'");
    if (mysql_num_rows($result) > 0)
      $error_string .= 'That username is already in use.<br>';
    else
    {
      $username = mysql_real_escape_string($username);
      $password = sha1($password); // hash password
      $email = mysql_real_escape_string($email); // protect against SQL attacks
      $location = mysql_real_escape_string($location);
      $age = mysql_real_escape_string($age);
      $a = md5(uniqid(rand(), true));

      db_query("INSERT INTO members (username, password, email, age, location, active) VALUES ('{$username}', '{$password}', '{$email}', '{$age}', '{$location}', '$a')");
      $result = @mysql_query($query);

      if (mysql_affected_rows() == 1) {
        // Send the E-Mail
        $body = "Thank you for registering at AnimeFrost site. To activate your account, please click on this link:\n\n";
        $body .="http://www.mysiteurl.com/acc/finish.php?x=" .mysql_insert_id() . "&y=$a";
        mail($_POST['email'], 'Registration Confirmation', $body,'From: no-reply@mysiteurl.com');

        // Show thank you message
        echo '<h3>Thank You!</h3>
        You have been registered, you have been sent an e-mail to the address you specified before. Please check your e-mails to activate your account.';
      } else {
        echo '<font color="red">You could not be registered, please contact us about the problem and we will fix it as soon as we can.</font>';
      }
    }
  }
}

function isValidEmail($email = '')
{
  return preg_match("/^[\d\w\/+!=#|$?%{^&}*`'~-][\d\w\/\.+!=#|$?%{^&}*`'~-]*@[A-Z0-9][A-Z0-9.-]{1,61}[A-Z0-9]\.[A-Z]{2,6}$/ix",$email);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
<style type="text/css">
input {border:1px solid #000000;background-image:url('input_hover.jpg');}
input a {border:1px solid #000000;background-image:url('input_hover.jpg');}
input a:hover {border:1px solid #ff9000;background-image:url('input_hover.jpg');}
.error_text {color: #FF0000;width: 400px;text-align: center;}
.left_box {float: left;width: 150px;text-align: right;padding-right: 5px;}
.right_box {clear: right;}
.text {color:#000000;font-family:arial;font-weight:bold;}
span {color:#ff9000;font-weight:bold;font-family:arial;}
</style>
</head>
<body>
<h1>Register</h1>
<div class="error_text"><?php echo $error_string; ?></div>
<form action="register.php?act=join" method="post">
  <input type="hidden" name="page_mode" value="register">
  <div class="left_box">Username*:</div>
  <div class="right_box"><input type="text" name="username" size="30" maxlength="45" value="<?php if (isset($username)) echo $username; ?>"></div><br/>
  <div class="left_box">Password*:</div>
  <div class="right_box"><input type="password" name="password" size="30" maxlength="45" value="<?php if (isset($password)) echo $password; ?>"></div><br/>
  <div class="left_box">Confirm Password*:</div>
  <div class="right_box"><input type="password" name="conf_password" size="30" value="<?php if (isset($conf_password)) echo $conf_password; ?>"></div><br/>
  <div class="left_box">E-Mail*:</div>
  <div class="right_box"><input type="text" name="email" size="30" maxlength="150" value="<?php if (isset($email)) echo $email; ?>"></div><br/>
  <div class="left_box">Location:</div>
  <div class="right_box"><input type="text" name="location" size="30" maxlength="150" ></div><br/>
  <div class="left_box">Age*:</div>
  <div class="right_box"><input type="text" name="age" size="30" maxlength="2" value="<?php if (isset($age)) echo $age; ?>"></div><br/>
  <div class="left_box"> </div>
  <div class="right_box"><input type="submit" value="Join Now!" size="30"></div>
</form>
<p>Note: All fields marked with * are required other wise optional.</p>
</body>
</html>

Activation Page

<?php
if (isset($_GET['x'])) {
  $x = (int) $_GET['x'];
} else {
  $x = 0;
}
if (isset($_GET['y'])) {
  $y = $_GET['y'];
} else {
  $y = 0;
}

if ( ($x> 0) && (strlen($y) == 32)) {
  require_once ('connection.php');
  $query = "UPDATE members SET active=NULL WHERE (user_id=$x AND active='". $y . "') LIMIT 1";
  $result = mysql_query($query);
  if (mysql_affected_rows() == 1) {
    echo "<h3>Your account is now active. You may now log in.</h3>";
  } else {
    echo '<p><font color="red" size="+1">Your account could not be activated. Please re-check the link or contact the system administrator.</font></p>';
  }
  mysql_close();
} else {
  echo '<b>Activation link not valid!</b>';
}
?>


Well, in values I fixed '$a' to '{$a}' but that still doesn't solve the problem. This is what happens... when I input password and confirm password and click submit with all the data, for some reason the password field goes mad and gets ************************** while the confirm password stays the same as the password was before I clicked submit... and when I fix this and submit it again it adds the user to the database but this statement launches

    } else {
      echo '<font color="red">You could not be registered, please contact us about the problem and we will fix it as soon as we can.</font>';
    }

and the member sees the message while their data has been added to the database, but the activate has a bunch of "45gh4535gh" in it, so it means it does add an activation key but never sends it to the member for activation...

You can test it here: http://animefrost.com/acc/register.php and I will post your data here that was generated by PHP and placed in MySQL


When you do this:

$password = sha1($password);

You change the password that shows up in the password field, now it's the SHA hash instead of the original password. Maybe use a name other than $password for the hash.

You're using mysql_affected_rows to see if the insert worked. This is where you do the insert and check:

      db_query("INSERT INTO members (username, password, email, age, location, active) VALUES ('{$username}', '{$password}', '{$email}', '{$age}', '{$location}', '$a')");
      $result = @mysql_query($query);
      if (mysql_affected_rows() == 1) {

Since mysql_affected_rows only checks the last operation, it's checking that middle line. You do the insert, then try to run another query, which is failing but you don't know that because you're using the error suppressing operator, then when you use mysql_affected_rows it's checking how many rows were affected by this:

$result = @mysql_query($query);

Why is that line even there? And why are you using error suppression when you're testing? You really shouldn't use error suppression at all, there's not really a reason to. The better solution would be to catch errors before they happen instead of letting them happen but not reporting them.


ok that works ^^ it sends me an activation link, but now we hit the next problem: activate.php states that the code is wrong.... Here is the code for activate.php...

Activate Script

<?php
if (isset($_GET['x'])) {
  $x = (int) $_GET['x'];
} else {
  $x = 0;
}
if (isset($_GET['y'])) {
  $y = $_GET['y'];
} else {
  $y = 32;
}

if ( ($x> 0) && (strlen($y) == 32)) {
  require_once ('connection.php');
  $query = "UPDATE members SET active=NULL WHERE (user_id=$x AND active='". $y . "') LIMIT 1";
  if (mysql_affected_rows() == 1) {
    echo "<h3>Your account is now active. You may now log in.</h3>";
  } else {
    echo '<p><font color="red" size="+1">Your account could not be activated. Please re-check the link or contact the system administrator.</font></p>';
  }
  mysql_close();
} else {
  echo '<b>Activation link not valid!</b>';
}
?>

and here is what i got in my e-mail....

Registration Confirmation
From:  no-reply@animefrost.com
Sent: February 25, 2009 7:54:04 PM
To:  myemailhere@hotmail.com

Thank you for registering at AnimeFrost site. To activate your account, please click on this link:

http://www.animefrost.com/acc/activate.php?x=22&y=942ae43f56391f6af5f960866b3a4689

by any chance @Justsomeguy do you know what I can do so when a user does click on the activation link and the link is true, activate.php sends a welcome message like this

Welcome, to AnimeFrost!
From:  no-reply@animefrost.com
Sent: February 25, 2009 7:54:04 PM
To:  e-mailhere@hotmail.com

Welcome, Zen!

You have confirmed your registration at AnimeFrost.com we would wish to thank you for choosing our services.
This e-mail contains important information about your account, if you were to forget your password you could refer to this e-mail.

-------------------------------------------YOUR ACCOUNT INFORMATION------------------------------------------------
Username: Zen
Password: 123456
E-Mail: e-mailhere@hotmail.com
-------------------------------------------------------------------------------------------------------------------------------

Thank You for choosing AnimeFrost.com! We hope you enjoy our services, Zen!

Note: This is an automated e-mail response please do not reply to it, thank you for your co-operation.

-AnimeFrost Administration

Thank You!

--EDITED--

Also I seem to have major problems with the damn validation. When I added the activation code, the PHP will now add the same e-mail even though it's already in the database. This means that 2 users can register with the same e-mail, while on the registration page I get an error... "That email address is already registerd." It still adds this user with this e-mail to the database and sends me an activation link.... And I also have problems with the password, even though I removed password confirmation and left the original password as SHA... it adds ******************** so if my password is 12345 it should look like ***** but it looks like ****************************************


You're not actually running the update query. Change this:

$query = "UPDATE members SET active=NULL WHERE (user_id=$x AND active='". $y . "') LIMIT 1";

to this:

$query = db_query("UPDATE members SET active=NULL WHERE (user_id=$x AND active='". $y . "') LIMIT 1");

> by any chance @Justsomeguy do you know what I can do so when a user does click on the activation link and the link is true, activate.php sends a welcome message like this

You've already got the one page sending an email, use that as an example to have the other page send an email. You'll just need to get the user's information from the database to add to the email body.

> this means that 2 users can register with the same e-mail, while on the registration page I get an error...

The code wasn't checking if there were no errors, only if there was not a specific error (the duplicate username error). Change this:

    else
    {
      $username = mysql_real_escape_string($username);
      ...

to this:

    if ($error_string == '')
    {
      $username = mysql_real_escape_string($username);
      ...

> it adds ******************** so if my password is 12345 it should look like ***** but it looks like ****************************************

A SHA-1 hash is a 40-character string. You're still writing the hash to the password field instead of the original password.

Ok.. I fixed the code and now it will not add the Username to the database even if it's there.. The activation link is sent, but when you click on the link it says "Activation Code Incorrect", and I removed SHA from

$password = sha1($password); // hash password

and it adds the password to the database but not HASHED, so I will try this method

$password = md5($password);

instead, not sure if it will work, but the activation link doesn't wish to work.... that's the only problem left

Registration Code

<?php
require_once 'connection.php';

$page_mode = isset($_POST['page_mode']) ? $_POST['page_mode'] : '';
$error_string = '';

if ($page_mode == 'register')
{
  $username = trim($_POST['username']); // trim to remove whitespace
  $password = $_POST['password'];
  $conf_password = $_POST['conf_password'];
  $email = trim($_POST['email']); // trim to remove whitespace
  $age = $_POST['age'];
  $location = $_POST['location'];

  if ($username == '')
    $error_string .= 'Please enter username.<br>';
  if (strlen(trim($password)) < 6)
    $error_string .= 'You must enter a password of at least 6 characters.<br>';
  if (!isValidEmail($email))
    $error_string .= 'Please enter a valid email address.<br>';
  if ($age == '')
    $error_string .= 'Please enter your age.<br>';

  if ($error_string == '')
  {
    $result = db_query("SELECT id FROM members WHERE email='" . mysql_real_escape_string($email) . "'");
    if (mysql_num_rows($result) > 0)
      $error_string .= 'That email address is already registerd.<br>';

    $result = db_query("SELECT username FROM members WHERE username='" . mysql_real_escape_string($username) . "'");
    if (mysql_num_rows($result) > 0)
      $error_string .= 'That username is already in use.<br>';

    if ($error_string == '')
    {
      $username = mysql_real_escape_string($username);
      $password = mysql_real_escape_string($password); // hash password
      $email = mysql_real_escape_string($email); // protect against SQL attacks
      $location = mysql_real_escape_string($location);
      $age = mysql_real_escape_string($age);
      $a = md5(uniqid(rand(), true));

      db_query("INSERT INTO members (username, password, email, age, location, active) VALUES ('{$username}', '{$password}', '{$email}', '{$age}', '{$location}', '{$a}')");

      if (mysql_affected_rows() == 1) {
        // Send the E-Mail
        $body = "Thank you for registering at AnimeFrost site. To activate your account, please click on this link:\n\n";
        $body .="http://www.animefrost.com/acc/activate.php?x=" .mysql_insert_id() . "&y=$a";
        mail($_POST['email'], 'Registration Confirmation', $body,'From: no-reply@animefrost.com');

        // Show thank you message
        echo '<h3>Thank You!</h3>
        You have been registered, you have been sent an e-mail to the address you specified before. Please check your e-mails to activate your account.';
      } else {
        echo '<font color="red">You could not be registered, please contact us about the problem and we will fix it as soon as we can.</font>';
      }
    }
  }
}

function isValidEmail($email = '')
{
  return preg_match("/^[\d\w\/+!=#|$?%{^&}*`'~-][\d\w\/\.+!=#|$?%{^&}*`'~-]*@[A-Z0-9][A-Z0-9.-]{1,61}[A-Z0-9]\.[A-Z]{2,6}$/ix",$email);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
<style type="text/css">
input {border:1px solid #000000;background-image:url('input_hover.jpg');}
input a {border:1px solid #000000;background-image:url('input_hover.jpg');}
input a:hover {border:1px solid #ff9000;background-image:url('input_hover.jpg');}
.error_text {color: #FF0000;width: 400px;text-align: center;}
.left_box {float: left;width: 150px;text-align: right;padding-right: 5px;}
.right_box {clear: right;}
.text {color:#000000;font-family:arial;font-weight:bold;}
span {color:#ff9000;font-weight:bold;font-family:arial;}
</style>
</head>
<body>
<h1>Register</h1>
<div class="error_text"><?php echo $error_string; ?></div>
<form action="register.php?act=join" method="post">
  <input type="hidden" name="page_mode" value="register">
  <div class="left_box">Username*:</div>
  <div class="right_box"><input type="text" name="username" size="30" maxlength="45" value="<?php if (isset($username)) echo $username; ?>"></div><br/>
  <div class="left_box">Password*:</div>
  <div class="right_box"><input type="password" name="password" size="30" maxlength="45" value="<?php if (isset($password)) echo $password; ?>"></div><br/>
  <div class="left_box">E-Mail*:</div>
  <div class="right_box"><input type="text" name="email" size="30" maxlength="150" value="<?php if (isset($email)) echo $email; ?>"></div><br/>
  <div class="left_box">Location:</div>
  <div class="right_box"><input type="text" name="location" size="30" maxlength="150" ></div><br/>
  <div class="left_box">Age*:</div>
  <div class="right_box"><input type="text" name="age" size="30" maxlength="2" value="<?php if (isset($age)) echo $age; ?>"></div><br/>
  <div class="left_box"> </div>
  <div class="right_box"><input type="submit" value="Join Now!" size="30"></div>
</form>
<p>Note: All fields marked with * are required other wise optional.</p>
</body>
</html>

Activation Code

<?php
if (isset($_GET['x'])) {
  $x = (int) $_GET['x'];
} else {
  $x = 0;
}
if (isset($_GET['y'])) {
  $y = $_GET['y'];
} else {
  $y = 0;
}

if ( ($x> 0) && (strlen($y) == 32)) {
  require_once ('connection.php');
  $query = db_query("UPDATE members SET active=NULL WHERE (user_id=$x AND active='". $y . "') LIMIT 1");
  if (mysql_affected_rows() == 1) {
    echo "<h3>Your account is now active. You may now log in.</h3>";
  } else {
    echo '<p><font color="red" size="+1">Your account could not be activated. Please re-check the link or contact the system administrator.</font></p>';
  }
  mysql_close();
} else {
  echo '<b>Activation link not valid!</b>';
}
?>

I am not sure what's wrong, as I checked the database and both x= "user id" and y= "activation key" match, but I am still unable to activate the account after clicking on the link


MD5 isn't going to fix anything. The solution is to use a different variable. If the variable you're writing to the password field in the form is called $password, then don't store the hash in the $password variable, use a different variable for the hash.

      $username = mysql_real_escape_string($username);
      $db_pass = mysql_real_escape_string(sha1($password)); // hash password
      $email = mysql_real_escape_string($email); // protect against SQL attacks
      $location = mysql_real_escape_string($location);
      $age = mysql_real_escape_string($age);
      $a = md5(uniqid(rand(), true));
      db_query("INSERT INTO members (username, password, email, age, location, active) VALUES ('{$username}', '{$db_pass}', '{$email}', '{$age}', '{$location}', '{$a}')");

For the activation issue, this is your if structure:

if ( ($x> 0) && (strlen($y) == 32)) {
  // do activation
} else {
  echo '<b>Activation link not valid!</b>';
}

If it's showing you that error message, then either $x is not greater than 0, or $y is not 32 characters. Those are the only two reasons why it would show that particular error, it doesn't even check the database.

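The registration insert from the replies above, as an added example that is not part of the original thread: it uses PDO prepared statements instead of string-built queries, keeps the hash in its own variable, inserts only when no error at all was recorded, lets UNIQUE constraints reject a duplicate that slips past the pre-checks, and swaps the thread's sha1() for PHP's password_hash(). The table layout, the function names and the in-memory SQLite database are assumptions chosen so the block runs offline, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database; the column names are assumptions for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (
    id            INTEGER PRIMARY KEY,
    username      TEXT NOT NULL UNIQUE,
    email         TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
)');

// True when a row with this value already exists. $column is checked against
// a fixed list and never comes from user input, so interpolating it is safe.
function value_taken(PDO $pdo, string $column, string $value): bool
{
    if (!in_array($column, ['username', 'email'], true)) {
        throw new InvalidArgumentException('unexpected column');
    }
    $stmt = $pdo->prepare("SELECT 1 FROM members WHERE $column = ? LIMIT 1");
    $stmt->execute([$value]);
    return $stmt->fetchColumn() !== false;
}

// Returns a list of error messages; an empty list means the member was stored.
function register_member(PDO $pdo, string $username, string $email, string $password): array
{
    $username = trim($username);
    $email = trim($email);
    $errors = [];

    if ($username === '') {
        $errors[] = 'Please enter username.';
    }
    if (strlen($password) < 6) {
        $errors[] = 'You must enter a password of at least 6 characters.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    if ($errors !== []) {
        return $errors;
    }

    if (value_taken($pdo, 'email', $email)) {
        $errors[] = 'That email address is already registered.';
    }
    if (value_taken($pdo, 'username', $username)) {
        $errors[] = 'That username is already in use.';
    }
    // Insert only when there are no errors at all, not just no username error.
    if ($errors !== []) {
        return $errors;
    }

    // The hash lives in its own variable; $password is never overwritten
    // and is never echoed back into the form.
    $dbPass = password_hash($password, PASSWORD_DEFAULT);
    try {
        $stmt = $pdo->prepare(
            'INSERT INTO members (username, email, password_hash) VALUES (?, ?, ?)'
        );
        $stmt->execute([$username, $email, $dbPass]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: a concurrent request won the race past the pre-checks.
        if ((string) $e->getCode() === '23000') {
            return ['That username or email address is already registered.'];
        }
        throw $e;
    }
    return [];
}

// Escape a submitted value before echoing it back into a form attribute.
function form_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Demo with constructed inputs.
$tries = [
    ['Zen', 'zen@example.com', '123456'],
    ['Zen', 'other@example.com', '123456'],
    ['Zen2', 'zen@example.com', '123456'],
    ["O'Brien", 'ob@example.com', 'longer-passphrase'],
];
foreach ($tries as [$u, $e, $p]) {
    $errors = register_member($pdo, $u, $e, $p);
    echo str_pad($u, 8), ' => ', $errors === [] ? 'stored' : implode(' ', $errors), "\n";
}

$row = $pdo->query("SELECT password_hash FROM members WHERE username = 'Zen'")
           ->fetch(PDO::FETCH_ASSOC);
echo 'login check: ', var_export(password_verify('123456', $row['password_hash']), true), "\n";
echo 'form value:  ', form_value('"><b>x'), "\n";
```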

@Justsomeguy Thank you very much, it HASHES the password now without adding extra ******* to the original =) but I am still unable to get the activation code working =( I am not sure why it keeps giving me the error "Your account could not be activated. Please re-check the link or contact the system administrator." Kind of drives me mad.. that this keeps happening.. even though all the info is correct, so if you can help me re-write the code to work that would be really nice =)


I'm not a big fan of using mysql_affected_rows, it doesn't tell a lot of information (why wasn't the record updated?). I would do this:

<?php
if (isset($_GET['x'])) {
  $x = (int) $_GET['x'];
} else {
  $x = 0;
}
if (isset($_GET['y'])) {
  $y = $_GET['y'];
} else {
  $y = 0;
}

if ( ($x > 0) && (strlen($y) == 32)) {
  require_once ('connection.php');
  $result = db_query("SELECT active FROM members WHERE user_id={$x}");
  if ($row = db_fetch_assoc($result))
  {
    if ($row['active'] == $y)
    {
      db_query("UPDATE members SET active='' WHERE user_id={$x}");
      echo "<h3>Your account is now active. You may now log in.</h3>";
    }
    else
    {
      echo 'The activation code is not correct.';
    }
  }
  else
  {
    echo 'The user ID was not found.';
  }
} else {
  echo '<b>Activation link not valid!</b>';
}
?>


No good luck =( it still doesn't activate =( My only choice is to roll back to the script provided by GrandMaster or use an account activation script that I found on the web... By the way @Justsomeguy would you be able to go over my script after I am done, to check for any SQL Injection holes or to prevent SHELL Access to the server and/or to the MySQL Database...?

-Thank You!


Ok here is the error log file and the scripts...

Activation Script

<?php
if (isset($_GET['x'])) {
  $x = (int) $_GET['x'];
} else {
  $x = 0;
}
if (isset($_GET['y'])) {
  $y = $_GET['y'];
} else {
  $y = 0;
}

if ( ($x > 0) && (strlen($y) == 32)) {
  require_once ('connection.php');
  $result = db_query("SELECT active FROM members WHERE user_id={$x}");
  if ($row = db_fetch_assoc($result))
  {
    if ($row['active'] == $y)
    {
      db_query("UPDATE members SET active='' WHERE user_id={$x}");
      echo "<h3>Your account is now active. You may now log in.</h3>";
    }
    else
    {
      echo 'The activation code is not correct.';
    }
  }
  else
  {
    echo 'The user ID was not found.';
  } else {
  echo '<b>Activation link not valid!</b>';
}
?>

Registration Script

<?php
require_once 'connection.php';

$page_mode = isset($_POST['page_mode']) ? $_POST['page_mode'] : '';
$error_string = '';

if ($page_mode == 'register')
{
  $username = trim($_POST['username']); // trim to remove whitespace
  $password = $_POST['password'];
  $conf_password = $_POST['conf_password'];
  $email = trim($_POST['email']); // trim to remove whitespace
  $age = $_POST['age'];
  $location = $_POST['location'];

  if ($username == '')
    $error_string .= 'Please enter username.<br>';
  if (strlen(trim($password)) < 6)
    $error_string .= 'You must enter a password of at least 6 characters.<br>';
  if (!isValidEmail($email))
    $error_string .= 'Please enter a valid email address.<br>';
  if ($age == '')
    $error_string .= 'Please enter your age.<br>';

  if ($error_string == '')
  {
    $result = db_query("SELECT id FROM members WHERE email='" . mysql_real_escape_string($email) . "'");
    if (mysql_num_rows($result) > 0)
      $error_string .= 'That email address is already registerd.<br>';

    $result = db_query("SELECT username FROM members WHERE username='" . mysql_real_escape_string($username) . "'");
    if (mysql_num_rows($result) > 0)
      $error_string .= 'That username is already in use.<br>';

    if ($error_string == '')
    {
      $username = mysql_real_escape_string($username);
      $db_pass = mysql_real_escape_string(sha1($password)); // hash password
      $email = mysql_real_escape_string($email); // protect against SQL attacks
      $location = mysql_real_escape_string($location);
      $age = mysql_real_escape_string($age);
      $a = md5(uniqid(rand(), true));

      db_query("INSERT INTO members (username, password, email, age, location, active) VALUES ('{$username}', '{$db_pass}', '{$email}', '{$age}', '{$location}', '{$a}')");

      if (mysql_affected_rows() == 1) {
        // Send the E-Mail
        $body = "Thank you for registering at AnimeFrost site. To activate your account, please click on this link:\n\n";
        $body .="http://www.animefrost.com/acc/activate.php?x=" .mysql_insert_id() . "&y=$a";
        mail($_POST['email'], 'Registration Confirmation', $body,'From: no-reply@animefrost.com');

        // Show thank you message
        echo '<h3>Thank You!</h3>
        You have been registered, you have been sent an e-mail to the address you specified before. Please check your e-mails to activate your account.';
      } else {
        echo '<font color="red">You could not be registered, please contact us about the problem and we will fix it as soon as we can.</font>';
      }
    }
  }
}

function isValidEmail($email = '')
{
  return preg_match("/^[\d\w\/+!=#|$?%{^&}*`'~-][\d\w\/\.+!=#|$?%{^&}*`'~-]*@[A-Z0-9][A-Z0-9.-]{1,61}[A-Z0-9]\.[A-Z]{2,6}$/ix",$email);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
<style type="text/css">
input {border:1px solid #000000;background-image:url('input_hover.jpg');}
input a {border:1px solid #000000;background-image:url('input_hover.jpg');}
input a:hover {border:1px solid #ff9000;background-image:url('input_hover.jpg');}
.error_text {color: #FF0000;width: 400px;text-align: center;}
.left_box {float: left;width: 150px;text-align: right;padding-right: 5px;}
.right_box {clear: right;}
.text {color:#000000;font-family:arial;font-weight:bold;}
span {color:#ff9000;font-weight:bold;font-family:arial;}
</style>
</head>
<body>
<h1>Register</h1>
<div class="error_text"><?php echo $error_string; ?></div>
<form action="register.php?act=join" method="post">
  <input type="hidden" name="page_mode" value="register">
  <div class="left_box">Username*:</div>
  <div class="right_box"><input type="text" name="username" size="30" maxlength="45" value="<?php if (isset($username)) echo $username; ?>"></div><br/>
  <div class="left_box">Password*:</div>
  <div class="right_box"><input type="password" name="password" size="30" maxlength="45" value="<?php if (isset($password)) echo $password; ?>"></div><br/>
  <div class="left_box">E-Mail*:</div>
  <div class="right_box"><input type="text" name="email" size="30" maxlength="150" value="<?php if (isset($email)) echo $email; ?>"></div><br/>
  <div class="left_box">Location:</div>
  <div class="right_box"><input type="text" name="location" size="30" maxlength="150" ></div><br/>
  <div class="left_box">Age*:</div>
  <div class="right_box"><input type="text" name="age" size="30" maxlength="2" value="<?php if (isset($age)) echo $age; ?>"></div><br/>
  <div class="left_box"> </div>
  <div class="right_box"><input type="submit" value="Join Now!" size="30"></div>
</form>
<p>Note: All fields marked with * are required other wise optional.</p>
</body>
</html>

Error Log

[26-Feb-2009 15:20:10] PHP Parse error:  syntax error, unexpected '}' in /home/animefro/public_html/acc/activate.php on line 35
[26-Feb-2009 15:20:14] PHP Parse error:  syntax error, unexpected '}' in /home/animefro/public_html/acc/activate.php on line 35
[26-Feb-2009 15:20:43] PHP Parse error:  syntax error, unexpected T_ELSE in /home/animefro/public_html/acc/activate.php on line 32
[26-Feb-2009 19:44:23] PHP Fatal error:  Call to undefined function  db_fetch_assoc() in /home/animefro/public_html/acc/activate.php on line 18
[26-Feb-2009 19:45:04] PHP Fatal error:  Call to undefined function  db_fetch_assoc() in /home/animefro/public_html/acc/activate.php on line 18
[26-Feb-2009 19:45:56] PHP Parse error:  syntax error, unexpected T_ELSE in /home/animefro/public_html/acc/activate.php on line 35
[27-Feb-2009 12:49:36] PHP Parse error:  syntax error, unexpected T_ELSE in /home/animefro/public_html/acc/activate.php on line 35
[27-Feb-2009 12:49:41] PHP Parse error:  syntax error, unexpected T_ELSE in /home/animefro/public_html/acc/activate.php on line 35

tables are for members

MySQL Tables

id int(11),
username varchar(44),
password varchar(45),
email varchar(150),
location varchar(150),
age varchar(2),
activate char(32),
PRIMARY KEY (id)

I think I might have to set activate to UNIQUE KEY to make it work, not sure...

Connection

<?php
$con = mysql_connect('localhost', 'DB USERNAME', 'DB PASSWORD'); // host, username, password
mysql_select_db('DB NAME', $con);

function db_query($sql)
{
  return mysql_query($sql, $GLOBALS['con']);
}
?>

This is how all the code looks up to date...


It looks like I forgot a bracket:

<?php
if (isset($_GET['x'])) {
  $x = (int) $_GET['x'];
} else {
  $x = 0;
}
if (isset($_GET['y'])) {
  $y = $_GET['y'];
} else {
  $y = 0;
}

if ( ($x > 0) && (strlen($y) == 32)) {
  require_once ('connection.php');
  $result = db_query("SELECT active FROM members WHERE user_id={$x}");
  if ($row = mysql_fetch_assoc($result))
  {
    if ($row['active'] == $y)
    {
      db_query("UPDATE members SET active='' WHERE user_id={$x}");
      echo "<h3>Your account is now active. You may now log in.</h3>";
    }
    else
    {
      echo 'The activation code is not correct.';
    }
  }
  else
  {
    echo 'The user ID was not found.';
  }
}
else {
  echo '<b>Activation link not valid!</b>';
}
?>
