...

View Full Version : Phpzor (NOT SOLVED)



Fashong
06-20-2005, 02:41 PM
I want to turn off register globals since some people said it's a security hazard and it's not checking if the ip is already in the database and if it is, it's suppose to not let them signup. It is letting you signup as many times as you want though. I would appreciate any help ^^
~Thanks again



<?php
$title = "Signup";
include("top.php");
$IP = $_SERVER['REMOTE_ADDR'];
?>


<div id="content">
<span>Signup</span>


<p>
<form method="POST" action="signup.php?action=signup">
Username:<br> <input type="text" name="username" size="20" maxlength="15"><br>
Password:<br> <input type="password" name="password" size="20" maxlength="15"><br>
Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br>
Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br>

Note: Your ip will be logged so please do not make multiple accounts<br><br>
<input type="submit" name="turkey" value="submit"></form>



<?php

IF ($action == "signup"){

$ipcheck = mysql_query("select * from users where IP='$IP'");
IF (@mysql_numrows($ipcheck) > 0) {
$ipused = "yes";
}else{
$ipused = "no";
}

IF ($password == "$verpassword") {
$passwordmatch = "true";
}else{
$passwordmatch = "false";
}


IF ($ipused == "no" && $passwordmatch == "true"){

$userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$username', '$email', '$password', 'Member', '$IP', '')");
echo "Thanks for signing up!";
}else{
echo "You etheir have an account already, or your passwords do not match!";
}
}
?>




</div>

<?php
include("bottom.php");
?>

SeeIT Solutions
06-20-2005, 03:10 PM
Try this... if you turn off register globals you have to stop using them.


<?php
$title = "Signup";
include("top.php");
$ip = $_SERVER['REMOTE_ADDR'];
?>


<div id="content">
<span>Signup</span>


<p>
<form method="POST" action="signup.php?action=signup">
Username:<br> <input type="text" name="username" size="20" maxlength="15"><br>
Password:<br> <input type="password" name="password" size="20" maxlength="15"><br>
Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br>
Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br>

Note: Your ip will be logged so please do not make multiple accounts<br><br>
<input type="submit" name="turkey" value="submit"></form>



<?php

IF (isset($_POST['action'] && $_POST['action'] == "signup"){

$ipcheck = mysql_query("select * from users where IP='$ip'");
IF (mysql_num_rows($ipcheck) > 0) {
$ipused = "yes";
}else{
$ipused = "no";
}

IF ($password == "$verpassword") {
$passwordmatch = "true";
}else{
$passwordmatch = "false";
}


IF ($ipused == "no" && $passwordmatch == "true"){

$userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$username', '$email', '$password', 'Member', '$IP', '')");
echo "Thanks for signing up!";
}else{
echo "You etheir have an account already, or your passwords do not match!";
}
}
?>




</div>

<?php
include("bottom.php");
?>

Nightfire
06-20-2005, 03:34 PM
There is no $_POST['action'], it should be $_GET['action'] as it's getting it from the url

SeeIT Solutions
06-20-2005, 04:02 PM
True, my bad... you should use this code instead.


<?php
$title = "Signup";
include("top.php");
$ip = $_SERVER['REMOTE_ADDR'];
?>


<div id="content">
<span>Signup</span>


<p>
<form method="POST" action="signup.php">
Username:<br> <input type="text" name="username" size="20" maxlength="15"><br>
Password:<br> <input type="password" name="password" size="20" maxlength="15"><br>
Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br>
Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br><input type="hidden" name="action" value="signup">

Note: Your ip will be logged so please do not make multiple accounts<br><br>
<input type="submit" name="turkey" value="submit"></form>



<?php

IF (isset($_POST['action'] && $_POST['action'] == "signup"){

$ipcheck = mysql_query("select * from users where IP='$ip'");
IF (mysql_num_rows($ipcheck) > 0) {
$ipused = "yes";
}else{
$ipused = "no";
}

IF ($password == "$verpassword") {
$passwordmatch = "true";
}else{
$passwordmatch = "false";
}


IF ($ipused == "no" && $passwordmatch == "true"){

$userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$username', '$email', '$password', 'Member', '$IP', '')");
echo "Thanks for signing up!";
}else{
echo "You etheir have an account already, or your passwords do not match!";
}
}
?>




</div>

<?php
include("bottom.php");
?>

Fashong
06-20-2005, 08:10 PM
Won't this work to?




<?php
$title = "Signup";
include("top.php");
$IP = $_SERVER['REMOTE_ADDR'];
?>


<div id="content">
<span>Signup</span>


<p>
<form method="POST" action="signup.php?action=signup">
Username:<br> <input type="text" name="username" size="20" maxlength="15"><br>
Password:<br> <input type="password" name="password" size="20" maxlength="15"><br>
Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br>
Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br>

Note: Your ip will be logged so please do not make multiple accounts<br><br>
<input type="submit" name="turkey" value="submit"></form>



<?php

if(isset($_POST['turkey'])){

$ipcheck = mysql_query("select * from users where IP='$IP'");
IF (@mysql_numrows($ipcheck) > 0) {
$ipused = "yes";
}else{
$ipused = "no";
}

IF ($_POST['password'] == "$_POST['$verpassword']") {
$passwordmatch = "true";
}else{
$passwordmatch = "false";
}


IF ($ipused == "no" && $passwordmatch == "true"){

$userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$_POST['username']', '$_POST['email']', '$_POST['$password']', 'Member', '$IP', '')");
echo "Thanks for signing up!";
}else{
echo "You etheir have an account already, or your passwords do not match!";
}
}
?>




</div>

<?php
include("bottom.php");
?>

SeeIT Solutions
06-21-2005, 12:33 AM
Why do you want to use the query string when it isn't needed... it is more secure to not use it, you cant set POST variables without submitting a form but you can set GET variables

Fashong
06-21-2005, 12:53 AM
Everything else is fine though?? What else can I use except mysql_query then?

Nightfire
06-21-2005, 01:09 AM
This line has an error



IF ($_POST['password'] == "$_POST['$verpassword']")

Should be


if ($_POST['password'] == $_POST['verpassword'])

You also use


mysql_numrows

It should be


mysql_num_rows

Fashong
06-21-2005, 03:48 AM
Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home2/fashong/public_html/signup.php on line 47




<?php
$title = "Signup";
include("top.php");
$IP = $_SERVER['REMOTE_ADDR'];
?>


<div id="content">
<span>Signup</span>


<p>
<form method="POST" action="signup.php?action=signup">
Username:<br> <input type="text" name="username" size="20" maxlength="15"><br>
Password:<br> <input type="password" name="password" size="20" maxlength="15"><br>
Verify Password:<br> <input type="password" name="verpassword" size="20" maxlength="15"><br>
Email:<br> <input type="text" name="email" size="20" maxlength="25"><br><br>


Note: Your ip will be logged so please do not make multiple accounts<br><br>
<input type="submit" name="turkey" value="submit"></form>



<?php

IF (isset($_POST['turkey'])){

$ipcheck = mysql_query("select * from users where IP='$IP'");
IF (@mysql_num_rows($ipcheck) > 0) {
$ipused = "yes";
}else{
$ipused = "no";
}

IF ($_POST['password'] == $_POST['verpassword']) {
$passwordmatch = "true";
}else{
$passwordmatch = "false";
}




IF ($ipused == "no" && $passwordmatch == "true"){

$userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$_POST['username']', '$_POST['email']', '$_POST['password']', 'Member', '$IP', '')");
echo "Thanks for signing up!";
}else{
echo "You etheir have an account already, or your passwords do not match!";
}
}
?>




</div>




<?php
include("bottom.php");
?>

Fashong
06-21-2005, 05:17 PM
Anyone?? ^_^

Fashong
06-22-2005, 11:49 PM
^_^.....

mrruben5
06-23-2005, 04:46 PM
$ipcheck = mysql_query("select * from users where IP='$IP'"); should be

$ipcheck = mysql_query("select * from users where IP=".$IP);

Why don't you use boolean values for ipused and passwordmatch?

$ipused = true/false

Kurashu
06-23-2005, 07:57 PM
Fahong: Your options for fixing the parsing error are still the same.

Sprintf, in my opinion, would be the best thing to use here since you don't have an obscene amount of variables. Your next best bet would be to concat the string with the variables in it. And the last one I would use, simply out of personal perference, would be to wrap the variables in curly brackets.

This is wrong:

$userupdate = mysql_query("INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '$_POST['username']', '$_POST['email']', '$_POST['password']', 'Member', '$IP', '')");

Here are the solutions to the problem:


//sprintf
$sql = sprintf('INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES (``, `%s`, `%s`, `%s`, `Member`, `%s`, ``)', $_POST['username'], $_POST['email'], $_POST['password'], $IP);

//concat
$sql = 'INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES (``, `' . $_POST['username'] . '`, `' . $_POST['email'] . '`, `' . $_POST['password'] . '`, `Member`, `' . $IP . '`, ``)';

//curly brackets
// I'm not all too sure about this, I've never used it, and I probably never will.
$sql = "INSERT INTO users (id, username, email, password, status, ipaddress, age) VALUES ('', '{$_POST['username']}', '{$_POST['email']}', '{$_POST['password']}', 'Member', '$IP', '')";


$userupdate = mysql_query($sql);



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum