professional create user script...advice?

scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

professional create user script...advice?

Post by scarface222 »

Hey guys, I am pretty new to php and need to implicate a create-user script that will be secure and cover all the potential risks and considerations. I can make a shoddy script, but I was wondering if anyone knew of any good scripts. I have googled for a while and have not come across any good scripts. All of them have security flaws and other problems. Anyone have any advice?
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: professional create user script...advice?

Post by Eric! »

What in your mind is a create user script? Are you talking about creating a members only section on a website? Do you have mysql installed?
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: professional create user script...advice?

Post by scarface222 »

Thanks for the reply man. Yeah sorry I am talking about creating a user account through form input and inserting into a database. Just wondering if anyone had ideas on php scripts that would do all the necessary checks and add a certain amount of security when the user enters information for example username and password and has it inserted into mysql.

This is what I have so far, but I do not think it is very good...

Code:

<?php
// Assumes a mysql_connect()/mysql_select_db() connection was opened earlier.
if (isset($_POST['username'])) {
    $username         = mysql_real_escape_string($_POST["username"]);
    $password         = mysql_real_escape_string($_POST["password"]);
    $confirm_password = mysql_real_escape_string($_POST["confirm_password"]);

    // Check whether the username is already taken
    $first_query = "SELECT * FROM users WHERE user ='$username'";
    $result      = mysql_query($first_query) or die('Error, select query failed');
    $count       = mysql_num_rows($result);

    if (empty($password)) {
        echo 'please fill in all fields';
        return;
    }
    if (empty($username)) {
        echo 'please fill in all fields';
        return;
    }
    if (empty($confirm_password)) {
        echo 'please fill in all fields';
        return;
    } else if ($count > 0) {
        echo 'user exists';
        return;
    } else if ($password != $confirm_password) {
        echo 'passwords do not match';
        return;
    }
    if (strlen($username) < 3 || strlen($username) > 10) { // if USERNAME is less than 3 or more than 10...
        echo "Your username is less than 3 or more than 10!";
        return; // stop here if username is less than 3 or more than 10
    }

    if (strlen($password) < 3 || strlen($password) > 10) { // if PASSWORD is less than 3 or more than 10...
        echo "Your password is less than 3 or more than 10!";
        return;
    } else {
        // All checks passed: store the new user (password is stored as plain text here)
        $second_query = "INSERT INTO users (user,password) VALUES ('$username', '$password')";
        mysql_query($second_query) or die('Error, insert query failed');
    }
} // closes if (isset($_POST['username']))
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: professional create user script...advice?

Post by Eric! »

Perhaps this is better asked on the php security forum.

I can suggest you filter the input fields for non-ascii characters so someone doesn't inject crap into your database. See http://www.metatitan.com/php/16/protect ... ction.html

Also add trim($input) to what you are reading from the form to remove any accidental trailing spaces which really screw up users.

Some people like to encrypt the passwords immediately before storing them. That way if your database gets hacked they can't get the passwords. The downside is that if a user forgets the password it can't be recovered, only reset. See jatat_k example http://www.webmasterworld.com/forum88/4590.htm

Depending on what type of data you are handling you might need to be using https and security certificates to prevent session hijacks.

You can also add some hidden features like logging the IPs and number of successful logins and failed logins to monitor for a brute force attack on a specific account or multiple attempts on multiple accounts from the same IP.
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: professional create user script...advice?

Post by scarface222 »

Thanks a lot dude. Just curious about injection attacks: I already used mysql_real_escape_string on the input variables, is that what you meant?
scarface222
Forum Contributor
Posts: 354
Joined: Thu Mar 26, 2009 8:16 pm

Re: professional create user script...advice?

Post by scarface222 »

also for encrypting the passwords say with md5... a long algorithm gets entered into the database. Can the user still enter their password and have it match with the database?
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: professional create user script...advice?

Post by Eric! »

You have to run it through the same process.

plain text -> encrypt -> now compare to stored encrypted string.

This will protect your database passwords, however without https the plain text password can be sniffed as it is entered into your form.
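A worked version of the register-then-verify flow discussed in this thread, added here as an example rather than code from the thread. It replaces mysql_real_escape_string() with PDO prepared statements and md5() with password_hash()/password_verify(), so the same hashing process runs at registration and at login; the in-memory SQLite database and the table and column names are assumptions so it runs stand-alone.

```php
<?php
// Added example, not code from the thread: registration and login using PDO
// prepared statements and password_hash()/password_verify(). In-memory SQLite
// stands in for MySQL so it runs stand-alone; table/column names are assumptions.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');

// Check the form fields; returns an error message, or null when they are acceptable.
function validate(string $username, string $password, string $confirm): ?string {
    if ($username === '' || $password === '' || $confirm === '') {
        return 'please fill in all fields';
    }
    if ($password !== $confirm) {
        return 'passwords do not match';
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,10}$/', $username)) {   // whitelist instead of escaping
        return 'username must be 3-10 letters, digits or underscores';
    }
    return strlen($password) < 8 ? 'password must be at least 8 characters' : null;
}

// Create the user. Only the salted hash is stored, so a database dump does not
// reveal passwords; they can then only be reset, never recovered.
function createUser(PDO $db, string $username, string $password, string $confirm): ?string {
    $username = trim($username);                  // drop accidental trailing spaces
    if (($err = validate($username, $password, $confirm)) !== null) {
        return $err;
    }
    $stmt = $db->prepare('SELECT 1 FROM users WHERE user = ?'); // bound parameter, no interpolation
    $stmt->execute([$username]);
    if ($stmt->fetchColumn() !== false) {
        return 'user exists';
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (user, password) VALUES (?, ?)')->execute([$username, $hash]);
    return null;
}

// Login: the submitted password goes through the same hashing process and is
// compared against the stored hash; password_verify() does this in constant time.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE user = ?');
    $stmt->execute([trim($username)]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}
var_dump(createUser($db, 'alice ', 'correct horse', 'correct horse'));
var_dump(createUser($db, 'alice', 'correct horse', 'correct horse'));
var_dump(login($db, 'alice', 'correct horse'), login($db, 'alice', 'wrong'));
```

Requires the pdo_sqlite extension; with MySQL, swap the DSN and the CREATE TABLE statement and the rest is unchanged.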