My security scripts, pro check it fast :)

[phpnoob]

Hi Just want to know it have any problem in my security.Plz check it fast, i want to del the good scripts, and if you not find bad script post it, and dont quote any php codes

[boen_robot]

Oh my... you're using mysql_real_escape_string() all over the place, as if it's a universal kill for security issues... it's not!!!mysql_real_escape_string() is ONLY to be used when placing a variable as a string of an MySQL query. In all other instances, variables should keep their original value.In other contexts, there are other, more appropriate functions, again applicable ONLY in that other context.Just one example:

<input type="text"  value="'.$email.'" name="email" />

In here, using htmlspecialchars() is what's appropriate instead, i.e.

<input type="text"  value="'. htmlspecialchars($email, ENT_COMPAT, 'UTF-8'/*Assuming you've set everything else to UTF-8 also*/) .'" name="email" />

To avoid unnecessary "protections", I'd recommend that instead of having a single double quoted string, you make it a sequence of concatenated strings with mysql_real_escape_string() being called then, i.e. instead of (for example):

$email=mysql_real_escape_string($_POST['email']);$confirmcode=mysql_real_escape_string($_POST['confirmcode']);//...if (mysql_num_rows(mysql_query("SELECT * FROM users WHERE userid='$confirmcode' and email='$email'")) == 1)

have it as

if (mysql_num_rows(mysql_query("SELECT * FROM users WHERE userid='" . mysql_real_escape_string($_POST['confirmcode']) . "' and email='" . mysql_real_escape_string($_POST['email']) . "'")) == 1)

On a side note, consider using the MySQLi extension instead of MySQL extension.

[phpnoob]

and if need to give pass to another process? how can i do that? if the mysql_real_escape_string not in the post process?

[boen_robot]

You mean another query? Sure, in that case, you can store the escaped value in a variable and reuse it, but the point is not to use the escaped value for anything other than a part of an SQL queries. In such instances, to avoid misusing the context, consider naming the variable after the context, like

$sqlEmail = mysql_real_escape_string($_POST['email']);$htmlEmail = htmlspecialchars($_POST['email']);

That way, as soon as you see something like

<input value="' . $sqlEmail . '" name="email" type="text" />

You'll know something is not right here.

[phpnoob]

i was said, reg have weak point, but i cant find it, some1 help me.

<?php function reg(){$title=Reg;echo main($title);echo '<div class="mainbox" align="center"><form method="post" action="users.php?cat=reg"><p /><table><tr><th><h2>Reg</h2></th></tr><tr><td width="400" colspan="2" align="left"><b>Message</b>: <span style="color:#FF0000" ><font size="-1">';$nick=mysql_real_escape_string($_POST['nick']);$email=mysql_real_escape_string($_POST['email']);$pass1=mysql_real_escape_string($_POST['pass1']);$pass2=mysql_real_escape_string($_POST['pass2']); if ($_POST['reg']){  if (!empty($nick) && !empty($email) && !empty($pass1) && !empty($pass2) )  {   if (strlen($nick) >=5 && strlen($nick)<= 20)   {		if(ereg('[a-zA-Z0-9\-\_áéíóöüóűÁÉÍÓÖÜŐŰ]+$', $nick))		{		 if(eregi("^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$", $email))		 {		  if(mysql_num_rows(mysql_query("SELECT nick FROM users WHERE nick='".$nick."' "))==0)		  {		   if(mysql_num_rows(mysql_query("SELECT email FROM users WHERE email='".$email."'"))==0)		   {				if ($pass1==$pass2)				{				 if (strlen($pass1) >= 5 && strlen($pass1) <= 25)				 {				  $pass=md5($pass1);$date=date("Y-m-d H:i:s");$random=md5(rand(1,99999999999));$ip=$_SERVER['REMOTE_ADDR'];				  $sql="INSERT INTO users (nick,pass,email,cookie,session,ip,regdate) VALUES('$nick','$pass','$email','$random','$random','$ip','$date')";				  if (mysql_query($sql))				  {				   echo '<span style="color:#0000FF"><b><FONT SIZE="3">Reg success. </font></b><span>'; echo '<a href="index.php">continue</a>';				  }				  else				  {				   echo Database Error';				  }				 }				 else				 {				  echo "The pass minimum 5 and 25 leght character allowed";				 }				}				else				{				 echo "The 2 pass not match";				}		   }		   else		   {				echo 'This mail address is taked';		   }		  }		  else		  {		   echo 'This reg name are taked';		  }		 }		 else		 {		  echo "Wrong email address.";		 }		}		else		{		 echo "sry i cant translate this message to english ";		}   }   else   {		echo ' The Nickname:minimum 5 and max 20 character length allowed.';   }  }  else  {   echo "Fill all input";  }}echo'</font></span></td></tr><tr><td><b>Username</b>: <div class="info">Min 5 and Max 20 character allowes.</div></td><td><input type="text"   value="'.$nick.'" name="nick" /></td></tr><tr><td>Email address: </td><td><input type="text"  value="'.$email.'" name="email" /></td></tr><tr><td><b>Pass</b>:<div class="info">Min 5 and max 25 character allowed</div></td><td><input type="password"  value="12345678901234567" onblur="if(this.value==\'\') this.value=\'12345678901234567\';" onfocus="if(this.value==\'12345678901234567\') this.value=\'\';"   name="pass1" maxlength="25" /></td></tr><tr><td>Pass again</td><td><input type="password"   value="12345678901234560" onblur="if(this.value==\'\') this.value=\'12345678901234560\';" onfocus="if(this.value==\'12345678901234560\') this.value=\'\';"  name="pass2" maxlength="25" /></td></tr><tr><td colspan="2"><input type="submit" name="reg" value="reg" /> </td></tr></table></form>';echo '</div>';}?>

oh and, i made a GET secure to, but i guess its not good if XSLT senior was true

<?php session_start();include "config.php";$getpage=empty($_GET['page']) ? header("Location: index.php?page=news") : mysql_real_escape_string($_GET['page']); <---

what secure can i add in here?

[boen_robot]

I don't know about secure, but you have a parsing error here:

 echo Database Error';

It should be

 echo 'Database Error';

And on a related note,

$title=Reg;

should probably be

$title='Reg';

Turn on error displays and fix everything that comes up, even if it's just a warning.

what secure can i add in here?

It depends on the context you use $getpage in, which doesn't really seem visible in the rest of your code.Maybe the problem you were pointed to was this part:

$pass=md5($pass1);

MD5 is not considered a secure hashing algorithm to store passwords in (not since a few years, given how fast computers have now become). Consider sha1() or better yet, crypt() with blowfish.

[phpnoob]

hehe, look i was modified some part you know why, this is a great secured login system, i don't want to show fully, i made some error. In reg.php i find what he means, it doesn't kick html tag, and i think he right, ereg doesn't do anything for html tags.