Been working on a registration script but I'm not too good at security, and it needs to be secure. So can you try and break my registration script for me please? Only the javascript version is working at the mo, so you must have that enabled. Use whatever you want to break it, but nothing ott please as I don't want the db damaging etc.

http://travelderbyshire.com

If you break it, please tell me how so I can fix the problems you found. ta

I get login.php not found.

I get login.php not found.

Now that's secure. :D

lol :D

No, only the registration bit is complete. The login isn't done as I'm trying a new way (to me) of registering

Wow, a blank username and password.
Using all spaces.

After registering, the link doesn't change to log out unless I manually refresh the page if I click the X button instead of using the link.
You do not disallow some interesting user names. Such as '; select * from user
Someone might be able to use that to do something nasty.

Also you may want to use captcha to prevent bots. You auto-login the account instead of waiting for a mail confirmation, so bots could exploit this.

Ahh cheers for the x thing, forgot all about that.
Reason I've not disallowed any text or anything is as I want to see how secure it is at the moment, before I've added regex into there. Makes me feel better knowing that if something should fail for whatever reason, or done the regex wrong it'll still work as it should.

captcha will be added too and the auto login thing will be taken out I think as it kinda defeats the purpose of the confirmation email which'll get sent out when I've done it.

I've mainly just been working on trying to prevent sql injections and hoping it's not easy to hijack/control by joe blogs.

Seems to have worked so far - looks to have been 50 or so accounts created so far and none have caused any problems I've noticed.

Cheers for looking, if you find anything else let me know :D

Just going to the page and manually typing in the register.php link breaks things. Or I assume it does, as I got no error message for an empty username and clicking the button didn't seem to do a lot.
I assume you know this. :D

And nitpicky goodness: you misspelled 'receive'.

The best places for injection attacks are the places where things are selected.
An insert is not as vulnerable, at least in my experience. If I can insert a bad username, the next time it is selected, it can break things. But my favorite place to look is actually the login page, not the register page.

thanks, I'll know who to come to when the login's done then lol ;) Yeah I've not done anything to register.php yet, the form on there won't do anything as I've not linked the functions up to it :)