register script not working?

Posted: Sun Mar 04, 2012 3:18 pm
by dyr
I'm not sure what I'm doing wrong. It was working fine earlier, until I added the callname class to my users table. Now, it shows me the "Success!" registered message but doesn't actually insert the given data into the database. I've looked this over so much my eyes are sore, probably missing something really obvious. Why isn't this working?

<?php
   
include('config.php');

if($loggedin == '1')
die("You can't register another account while you're logged in.");

if(isset($_POST['submit']))
{

$callname = mysql_real_escape_string($_POST['callname']);
$uname = mysql_real_escape_string($_POST['username']);  
$password = mysql_real_escape_string($_POST['password']);  
$email = mysql_real_escape_string($_POST['email']);  

if((!isset($_POST['username'])) || (!isset($_POST['callname'])) || (!isset($_POST['email'])) || (!isset($_POST['pass'])) || ($uname == '') || ($_POST['pass'] == ''))
die("Please fill out the form completely. <br><br>
<a href=register.php>Continue</a>");

$check = @mysql_query("SELECT id FROM users WHERE username = '$uname'");
$check = @mysql_num_rows($check);

if($check > 0)
die("Sorry, that username has already been taken. Please try again.
<br><br>
<a href=register.php>Continue</a>");

function validateEmailAddress($email) {
	return filter_var($email, FILTER_VALIDATE_EMAIL) && preg_match('/@.+\./', $email);
}
if(validateEmailAddress($email) !=1) {
	echo "That email address does not exist.<br /><br /><a href=register.php>Continue</a>";
	exit();
}

$pass = md5($_POST['pass']);

$date = date("m/d/y");

$newPlayer = @mysql_query("INSERT INTO users (username, password, callname, email, registered) VALUES ('$uname', '$pass', '$callname', '$email', '$date')" or die('Cant connect to database').mysql_error());

echo 'You have been registered! You may now <a href=index.php>Log in</a>.';

}
else
{

echo '<form action=register.php method=post>
Callname: <input type=text name=callname><br>
Username: <input type=text name=username><br>
Email: <input type=text name=email><br>
Password: <input type=password name=pass><br>
<input type=submit name=submit value=Submit>
</form>';

}


?>

Re: register script not working?

Posted: Sun Mar 04, 2012 3:29 pm
by social_experiment
Currently the message displaying is only dependent on 1 condition: the submit button being clicked. The code below is an example of how you could check whether the data was added successfully into the database.

<?php
// Run the INSERT and keep the result so it can be checked below
$newPlayer = @mysql_query("INSERT INTO users (username, password, callname, email, registered) VALUES ('$uname', '$pass', '$callname', '$email', '$date')");

if (!$newPlayer) { echo mysql_error(); }
else {
 echo 'You have been registered! You may now <a href=index.php>Log in</a>.';
}
?>

Re: register script not working?

Posted: Sun Mar 04, 2012 4:04 pm
by dyr
Thanks, I also noticed I made a syntax error, that's why the script was not inserting into the database, was supposed to add a ')' after the ". However right now after I log in it only lets me go to one page, then after that whenever I click on a 'logged in only' link it says I must login to view this page. I'm attempting to use sessions so that if the user is logged in they can keep their session and stay logged in as long as they want. I do this by including my date.php (lists main links, time, and session check to see if they're logged in) on each page I want logged in-only access.

date.php

<?php

session_start();
if ($_SESSION['id']=="") {
     header("Location: YouMustLogInNotice.html");
     exit; // stop here so the rest of the page is not sent after the redirect
    }
echo '<head>';
    echo '<center><a href=index.php>Main</a> | <a href=myprofile.php>Profile</a> | <a href=inbox.php>Inbox</a> | <a href=page1.php>To-Do List</a> | <a href=logout.php>Logout</a></center>';
echo '</head>';

print date('g:i a - l, F jS');

echo '<br /><br />';

?>
Is it conflicting with my configuration page? Because on the config.php page, I use variables loggedin and logged out, as well as isset sessions.

<?php

$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
$dbname = 'mygame';

$link = mysql_pconnect($dbhost, $dbuser, $dbpass) 
or die("Could not connect to server.");
$selectdb = mysql_select_db($dbname, $link) 
or die("Could not connect to database.");

if((!isset($_SESSION['id'])) || (!isset($_POST['callname'])) || (!isset($_SESSION['username'])) || (!isset($_SESSION['email'])) || (!isset($_SESSION['password'])))
{
unset($_SESSION['callname']);
unset($_SESSION['username']);
unset($_SESSION['email']);
unset($_SESSION['password']);
unset($_SESSION['id']);

$loggedin = 0;
}
else
{
$loggedin = 1;
}

?>
Here's my log-in page if that's helpful at all:

<?php

include('config.php');

if($loggedin == '0')
{
if(isset($_POST['submit']))
{

if((!isset($_POST['username'])) || (!isset($_POST['pass']))
|| ($_POST['username'] == '') || ($_POST['pass'] == ''))
die("Please fill out the form completely. <br><br>
<a href=index.php>Continue</a>");

// Escape the username before it is placed in the query (escaping after the query has no effect)
$username = mysql_real_escape_string($_POST['username']);

$player = @mysql_query("SELECT id, username, password, callname, email, registered, lastlogin FROM users WHERE username = '$username'");
$player = @mysql_fetch_assoc($player);

if($player['id'] == false)
die("Sorry, that user is not in our database.<br><br>
<a href=index.php>Back</a>");
else if($player['password'] != md5($_POST['pass']))
die("Wrong password!<br><br>
<a href=index.php>Back</a>");

$_SESSION['id'] = $player['id'];
$_SESSION['username'] = $player['username'];
$_SESSION['callname'] = $player['callname'];
$_SESSION['email'] = $player['email'];
$_SESSION['password'] = $player['password'];

$date = date("m/d/y");

$update = @mysql_query("UPDATE users SET lastlogin = '$date' WHERE id = '".$_SESSION['id']."'");

echo 'You are now logged in!';

}
else
{
echo 'You are not logged in. <br><br>
<form action=index.php method=post>
Username: <input type=text name=username><br>
Password: <input type=password name=pass><br>
<input type=submit name=submit value=Submit>
</form>
Would you like to <a href=register.php>register?</a>';
}
}
else
{
echo 'You are logged in! 
Welcome to my game, '.$_SESSION['username'].'!';

}

?>

Re: register script not working?

Posted: Mon Mar 05, 2012 12:11 am
by social_experiment
I don't see a conflict but only testing it will reveal any if they exist; in any case the date.php page isn't included on the login page. If you do use the current date.php page you might want to add a few more checks; check $_SESSION['id']'s length, maybe do a check against a 'fingerprint' value in the database.

Re: register script not working?

Posted: Mon Mar 05, 2012 5:43 pm
by dyr
Thanks, been working on trying to figure out what's going wrong for about 8 straight hours now. Right now I just want to focus on getting the script working before I add more features/security checks (just more code for me to fumble around with). However, will adding these securities correctly give me useful/any error messages that could solve my current problem? Or at this point they are simply to prevent hackers? Thanks for sticking with me and walking me through this.

Re: register script not working?

Posted: Tue Mar 06, 2012 12:07 am
by social_experiment
dyr wrote: Or at this point they are simply to prevent hackers?
The additional measures will add more security.
dyr wrote: I'm attempting to use sessions so that if the user is logged in they can keep their session and stay logged in as long as they want.
Is this the current problem you are having with the script?

Re: register script not working?

Posted: Tue Mar 06, 2012 9:32 am
by dyr
Yes, my current problem is staying logged in using sessions. After I log in, I get the 'success, you're logged in' message but the sessions aren't starting properly to keep me logged in (I have put a script that redirects the user to a .html "Login here!" page if they aren't logged in), therefore I'm just getting redirected constantly.

Re: register script not working?

Posted: Tue Mar 06, 2012 9:44 am
by social_experiment
You mentioned in an earlier post that you use 'date.php' to check if users are logged in; if this is the case, the reason you are constantly redirected is that $_SESSION['id'] is not set, so equal to "". Add session_start() to the top of your login page (or top of your config page). If you want to use $_SESSION variables you have to start a session with session_start().

Re: register script not working?

Posted: Tue Mar 06, 2012 3:12 pm
by dyr
Thanks for your help! I forgot to include the session_start(); additions I added earlier in my posts above, the session start was added and still wasn't working. So I took a break and just came back to it. On config.php instead of $_SESSION for the callname I put $_POST, which screwed things up. I also just deleted the 'unsets', as they didn't make much sense being there in the first place and everything started working normally again. Thanks so much for sticking with me! I'd love to get your feedback on how I could make all these scripts more secure now. I noticed you mentioned 'fingerprint' value in the database. I tried searching for this term and tutorials on how to code this but all I can get are people actually trying to hook up a fingerprint scanner to scan their fingerprints when logging in, haha. Do you have any links/examples you recommend so I can learn how to set something like that up in my scripts?

Re: register script not working?

Posted: Tue Mar 06, 2012 3:29 pm
by social_experiment
I haven't seen any tutorials on the subject; what I know comes from a combination of playing with ideas and reading posts on the subject here on PHPDN.

The idea is really simple: When you log in you create a value (a fingerprint). This value can be anything you choose; the more unpredictable the better. You then place that value in a session variable and in the database. When you check if a visitor is logged in you do two things: check if the value is set. This indicates that whoever is visiting the page has to be logged in because the fingerprint value is only set after a match for the username / password has been verified. But one check isn't enough so you check if that fingerprint exists in the database. If both those conditions are met, then you can assume that whoever is visiting the page is logged in.

I store the fingerprint value in the user database, the table could look like this: id, username, passkey, status, fingerprint.

If you put some more thinking in you can come up with a myriad of ideas on how to change this to suit your purposes. Post back if you need more assistance or have any questions :)
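
The fingerprint check described in the post above, as an added example that is not part of the original thread and not social_experiment's own code. The function names are hypothetical, an in-memory SQLite table reached through PDO (pdo_sqlite assumed available) stands in for the users table, and keeping a hash rather than the raw value in the database is a choice made in this example.

```php
<?php
// Added example; function names and the SQLite stand-in are assumptions.
function issueFingerprint(PDO $db, int $userId, array &$session): void
{
    // Call only after the username/password check has succeeded.
    $fingerprint = bin2hex(random_bytes(32)); // unpredictable value
    $stmt = $db->prepare('UPDATE users SET fingerprint = ? WHERE id = ?');
    // The database keeps a hash, the session keeps the raw value.
    $stmt->execute([hash('sha256', $fingerprint), $userId]);
    $session['id'] = $userId;
    $session['fingerprint'] = $fingerprint;
}

function isLoggedIn(PDO $db, array $session): bool
{
    // Check 1: the fingerprint is set in the session at all.
    if (empty($session['id']) || empty($session['fingerprint'])) {
        return false;
    }
    // Check 2: it matches what the database holds for that user.
    $stmt = $db->prepare('SELECT fingerprint FROM users WHERE id = ?');
    $stmt->execute([$session['id']]);
    $stored = $stmt->fetchColumn();
    return is_string($stored)
        && hash_equals($stored, hash('sha256', (string) $session['fingerprint']));
}

function clearFingerprint(PDO $db, array &$session): void
{
    // Logout: wipe the stored value so a copied session stops validating.
    $stmt = $db->prepare('UPDATE users SET fingerprint = NULL WHERE id = ?');
    $stmt->execute([$session['id'] ?? 0]);
    $session = [];
}

// Constructed sample data: in-memory table with the columns from the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
           passkey TEXT, status TEXT, fingerprint TEXT)');
$db->exec("INSERT INTO users (username, passkey, status)
           VALUES ('dyr', 'constructed-hash', 'active')");

$session = []; // stands in for $_SESSION after session_start()
var_dump(isLoggedIn($db, $session));   // nothing set yet
issueFingerprint($db, 1, $session);
var_dump(isLoggedIn($db, $session));   // session and database agree
$session['fingerprint'] = 'forged';
var_dump(isLoggedIn($db, $session));   // set, but not what the database holds
clearFingerprint($db, $session);
var_dump(isLoggedIn($db, $session));   // after logout
```

In a web request, pass `$_SESSION` in place of `$session` and call `session_regenerate_id(true)` before `issueFingerprint()` so the session identifier also changes at login.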