Registration Script not Accepting "strange" combin

Posted: Wed Aug 01, 2007 11:25 pm
by generalt
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.

Code:

<?php # Script 13.6 - register.php
// This is the registration page for the site.

// Include the configuration file for error management and such.
require_once ('config.inc.php'); 

// Set the page title and include the HTML header.
$page_title = 'Register';
include ('header.html');

if (isset($_POST['submitted'])) { // Handle the form.

	require_once ('mysql_connect.php'); // Connect to the database.
	

	// Check for a username.
	if (eregi ('^[[]\.\' \-]{2,15}$', stripslashes(trim($_POST['username'])))) {
		$username = escape_data($_POST['username']);
	} else {
		$username = FALSE;
		echo '<p><font color="red" size="+1">Please enter your username!</font></p>';
	}
	
	// Check for a country.
	if ($_POST['country']) {
		$country = $_POST['country'];
	} else {
		$country = FALSE;
		echo '<p><font color="red" size="+1">Please select a country</font></p>';
	}
	
	// Check for a party name.
	if (eregi ('^[[]\.\' \-]{2,15}$', stripslashes(trim($_POST['party_name'])))) {
		$party_name = escape_data($_POST['party_name']);
	} else {
		$party_name = FALSE;
		echo '<p><font color="red" size="+1">Please enter your party name</font></p>';
	}
	

	// Check for a password and match against the confirmed password.
	if (eregi ('^[[]]{4,20}$', stripslashes(trim($_POST['password1'])))) {
		if ($_POST['password1'] == $_POST['password2']) {
			$p = escape_data($_POST['password1']);
		} else {
			$p = FALSE;
			echo '<p><font color="red" size="+1">Your password did not match the confirmed password!</font></p>';
		}
	} else {
		$p = FALSE;
		echo '<p><font color="red" size="+1">Please enter a valid password!</font></p>';
	}
	
	if ($username && $country && $party_name && $p) { // If everything's OK.

		// Make sure the username is available.
		$query = "SELECT user_id FROM users WHERE username='$username'";		
		$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());
		
		if (mysql_num_rows($result) == 0) { // Available.
		
			// Add the user.
			$query = "INSERT INTO users (first_name, username, password, country, party_name, registration_date) VALUES ('$username', '$username', SHA('$p'), '$country', '$party_name', NOW() )";		
			$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

			if (mysql_affected_rows() == 1) { // If it ran OK.
				
				// Finish the page.
				echo '<h3>Thank you for registering!</h3>';
				include ('footer.html'); // Include the HTML footer.
				exit();				
				
			} else { // If it did not run OK.
				echo '<p><font color="red" size="+1">You could not be registered due to a system error. We apologize for any inconvenience.</font></p>';
			}		
			
		} else { // The username is not available.
			echo '<p><font color="red" size="+1">That username has already been registered.</font></p>'; 
		}
		
	} else { // If one of the data tests failed.
		echo '<p><font color="red" size="+1">Please try again.</font></p>';		
	}

	mysql_close(); // Close the database connection.

} // End of the main Submit conditional.
?>
	
<h1>Register</h1>
<form action="register.php" method="post">
	<fieldset>
	
	<p><b>Username:</b> <input type="text" name="username" size="30" maxlength="100" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /></p>
		
	<p><b>Password:</b> <input type="password" name="password1" size="20" maxlength="20" /> <small>Use only letters and numbers. Must be between 4 and 20 characters long.</small></p>
	
	<p><b>Confirm Password:</b> <input type="password" name="password2" size="20" maxlength="20" /></p>

	<p><b>Country:</b> <select name="country">
			   <option value="Krishna">Krishna</option>
		           <option value="Alberno">Alberno</option>
			   <option value="United Tribes of Inaz">United Tribes of Inaz</option>
			   <option value="Red Republic">Red Republic</option>
			   </select></p>
	
	<p><b>Party Name:</b> <input type="text" name="party_name" size="30" maxlength="100" value="<?php if (isset($_POST['party_name'])) echo $_POST['party_name']; ?>" /></p>

	</fieldset>
	
	<div align="center"><input type="submit" name="submit" value="Register" /></div>
	<input type="hidden" name="submitted" value="TRUE" />

</form>

<?php // Include the HTML footer.
include ('footer.html');
?>
That is my register.php file.... It works with some usernames/party names, but not others. Any ideas as to how I can accept ALL usernames and party names?

This is the site: http://party_nations.phpnet.us/register.php

Test with this (does not work):
username: a_lot_of junk here
Party Name: People's Progressive Party

and (works):
username: admin
Party Name: Admin Party

(of course, if someone else beats you to this, the admin name will already be taken. but try something simple and it should work).

I don't know why this doesn't work, I thought all that stripslash and escape crap was supposed to take care of all this! as you can probably tell, I'm pretty new to php and programming in general. Any thoughts as to how I can fix this?


Posted: Thu Aug 02, 2007 12:12 am
by Benjamin
Based on the example you provided it appears that your database queries are failing when they contain certain characters (namely ') because you're not escaping them.

This also means that your script is vulnerable to sql injection. Please research mysql_real_escape_string on php.net for more information.
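
An added example (not part of the thread, and not the poster's code) of the registration step using bound parameters instead of string-built SQL, so a value such as People's Progressive Party is stored intact and cannot alter the query. It assumes PDO with an in-memory SQLite database standing in for the poster's MySQL, a reduced `users` table and a hypothetical `register_user()` helper; the 2 to 100 character limit is an assumption taken from the form's maxlength, since the posted `{2,15}` checks reject both failing test values on length alone.

```php
<?php
// Added example: registration with bound parameters (PDO).
// Assumptions: in-memory SQLite stands in for MySQL; register_user() and the
// reduced users table are hypothetical, not the poster's code.
const COUNTRIES = ['Krishna', 'Alberno', 'United Tribes of Inaz', 'Red Republic'];

function register_user(PDO $db, array $post): string
{
    $username = trim($post['username'] ?? '');
    $party    = trim($post['party_name'] ?? '');
    $country  = $post['country'] ?? '';
    $password = $post['password1'] ?? '';

    // Validate by length and allow-list, not by rejecting "strange" characters.
    foreach ([$username, $party] as $value) {
        if (strlen($value) < 2 || strlen($value) > 100) {
            return 'invalid name';
        }
    }
    if (!in_array($country, COUNTRIES, true)) {
        return 'invalid country';
    }
    if (strlen($password) < 4 || $password !== ($post['password2'] ?? null)) {
        return 'invalid password';
    }

    // Placeholders keep data out of the SQL text, so quotes need no escaping.
    $check = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return 'username taken';
    }
    $insert = $db->prepare(
        'INSERT INTO users (username, password, country, party_name) VALUES (?, ?, ?, ?)'
    );
    // password_hash() replaces the unsalted SHA() call in the posted query.
    $insert->execute([$username, password_hash($password, PASSWORD_DEFAULT), $country, $party]);
    return 'registered';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT UNIQUE, password TEXT, country TEXT, party_name TEXT)');

// Constructed input: the values the poster reported as failing.
$post = ['username' => 'a_lot_of junk here', 'party_name' => "People's Progressive Party",
         'country' => 'Krishna', 'password1' => 'abcd1234', 'password2' => 'abcd1234'];
echo register_user($db, $post), "\n";  // first submission
echo register_user($db, $post), "\n";  // same username submitted again
echo $db->query('SELECT party_name FROM users')->fetchColumn(), "\n";
```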