View Full Version : register script

03-22-2009, 10:24 PM
can anybody see whats wrong with this script please it keeps teling me to enter a password but it's been entered :S and it says

Notice: Undefined index: password in /home/youronli/public_html/regprocess.php on line 15

<form action="regprocess.php" method="post">
<table border="0">
<input type="text" name="username" maxlength="60">
<input type="password" name="password " maxlength="10">
<tr><td>Real Name</td><td>
<input type="text" name="realname" maxlength="20">
<input type="text" name="age" maxlength="70">

$db = mysql_connect($dbHost,$dbUser,$dbPass); // Connection Code
mysql_select_db($dbname,$db); // Connects to database

$user = $_POST['username'];
$pass = $_POST['password'];
$age = $_POST['age'];
$rname = $_POST['realname'];
$about = $_POST['about'];
$location = $_POST['country'];

if(!$user) {
echo "Please supply a username";

if(!$pass) {
echo "Please supply a password";
$sql = "INSERT INTO `users` (username,password,name,age,location,about) VALUES ('$user','$pass','$rname','$age','$location','$about')";
$query = mysql_query($sql);


03-22-2009, 10:51 PM
change name="password " to name="password" you have a space after password. So the post value would be $_POST["password "] and not $_POST["password"]. But just remove the space in the html is all you need to do :)

03-22-2009, 11:26 PM
Also you will need to do much more vigorous validation than you are doing. The only validation you have here is checking that the post values exist. If I knew this was your script and new the website it was for i could sign up and put something like

','','','','','');DELETE FROM users;INSERT INTO users (username,password,name,age,location,about) VALUES ('Ted

in the username field. That would complete your query then delete all the exsisting users from your database. Then carry on the insert. So you would be left with one user in your database. That the hacker put there anyway. In other words if you had 100 users stored in your database the hacker has easily just deleted all them from your table completely and left you with one useless user.

So how do you prevent this kind of thing happening. Theres some good pear validation functions. Its a tricky one because you want to allow the user to use most chars especially for password etc. But you have to test for this kind of thing somehow. If this is a serious site e.g not just you playing around and you want it to be a live site let me know and ill think of some validation you could use. Or maybe someone else here has something of use.
I'm only telling you all this because I have made sites similar to what your doing and have been hacked and had my tables deleted and dropped. Its better to learn now than the hard way.

Another thing is it seems your planning to save your passwords in plain text. You can't really do that. Not sure it might not even be legal to do so. You have to hash the passwords then store the hash. Then when they log in you hash there log in request and compare the hashes not the passwords.

I had to learn all this stuff in the past so you should spend a little extra time doing the same.

Another thing is Age only need to be 3 chars long maybe something like

<input type="text" name="age" maxlength="3">

would be more appropriate. I never met anyone over 999 so three chars would be fine.