This is my registration validation & account creation code (only the part that interests us):
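// --- Registration: validate the posted fields, derive the stored identifiers, insert the row ---
// NOTE(review): this span depends on $trimmed, $errors, $clean['first'] and $clean['last'] being
// prepared by code that is not shown here. The mysql_* extension used throughout was removed in
// PHP 7.0; the escape-and-interpolate pattern would become prepared statements under PDO/mysqli.

// Password whitelist. '-' is placed last so it is a literal: written as `*-_` it was a character
// RANGE from '*' to '_' and silently admitted '+', '.', '/', ':', '<', '\\', '[' and more.
// The D modifier stops '$' from also matching before a trailing newline.
$clean['match'] = '/^[A-Za-z0-9~!@#$%^&*_-]{6,}$/D';
$clean['salt'] = '';
if (preg_match($clean['match'], $trimmed['password']) && preg_match($clean['match'], $trimmed['passconfirm'])) {
    // === avoids PHP's loose numeric-string comparison ('1e3' == '1000' is true).
    if ($trimmed['password'] === $trimmed['passconfirm']) {
        // The raw password doubles as the salt of the username hash below, so the value stored in
        // the username column depends on the password chosen at registration.
        $clean['salt'] = mysql_real_escape_string($trimmed['password']);
    } else {
        // Previously a mismatch only cleared the salt; no error was recorded and the INSERT below
        // still ran with $clean['password'] unset.
        $errors[] = 'The two passwords do not match.';
    }
} else {
    $errors[] = 'That is not a valid password.';
}

// Username whitelist: letters, up to two optional '-'/'_' separators, optional trailing digits.
$clean['match'] = '/^[A-Za-z]+(-|_)?[A-Za-z]+(-|_)?[A-Za-z]+[0-9]*$/D';
if (preg_match($clean['match'], $trimmed['username'])) {
    $clean['username'] = mysql_real_escape_string($trimmed['username']);
    $clean['user'] = mysql_real_escape_string(sha1(sha1($clean['username'] . $clean['salt'] . 'hhuFjn-3C4#$sdf!@#adS')));
    // NOTE(review): because $clean['user'] is salted with the password, the same username
    // registered with a different password hashes to a different value, so this lookup does not
    // actually enforce username uniqueness; a password-independent column (or a UNIQUE constraint)
    // would be needed for that.
    $clean['query'] = mysql_query("SELECT first_name from users WHERE username = '{$clean['user']}'");
    // mysql_query() returns false on failure; mysql_num_rows(false) would only emit a warning.
    if ($clean['query'] !== false && mysql_num_rows($clean['query']) > 0) {
        $errors[] = 'That user name is not available.';
    }
} else {
    $errors[] = 'That is not a valid user name!';
}

// Email whitelist: local part, '@', a single host label, a 2-6 letter TLD, optional second label.
$clean['match'] = '/^[A-Za-z]+(?:[0-9]*(?:-|_)?[A-Za-z0-9]*(?:-|_)?[A-Za-z0-9]*(?:-|_)?[A-Za-z0-9]*)@(?:[A-Za-z0-9]+)\.(?:[A-Za-z]{2,6})(\.)?(?(1)[A-Za-z]{2,6})$/D';
if (preg_match($clean['match'], $trimmed['email'])) {
    $clean['address'] = mysql_real_escape_string($trimmed['email']);
    $clean['email'] = mysql_real_escape_string(sha1(sha1($clean['address'] . 'ADuiku^%w2--dgh#%fg45')));
    $clean['query'] = mysql_query("SELECT first_name from users WHERE email = '{$clean['email']}'");
    if ($clean['query'] !== false && mysql_num_rows($clean['query']) > 0) {
        $errors[] = 'That email address is already being used.';
    }
} else {
    // Previously an invalid address recorded no error, leaving $clean['email'] unset for the INSERT.
    $errors[] = 'That is not a valid email address!';
}

// The stored password hash needs both the username hash and the (validated, confirmed) salt.
// A non-empty salt is exactly the "password passed the whitelist and matched its confirmation" case.
if ($clean['salt'] !== '' && isset($clean['user'])) {
    $clean['password'] = mysql_real_escape_string(sha1(sha1($clean['user'] . $clean['salt'] . 'fsdS4fjk#%^@!-sdf23F-F34')));
}

if (empty($errors)) {
    // NOTE(review): the activation key is a deterministic function of stored values plus a fixed
    // string; it is only as unguessable as that string stays secret. A random token
    // (random_bytes) would not have that dependency — kept as-is because the activation check
    // is not shown here and may recompute this value.
    $clean['activation_string'] = mysql_real_escape_string(sha1(sha1($clean['user'] . $clean['email'] . 'as5435DHFGH%#$assd--sdfmmm')));
    mysql_query("INSERT INTO users (first_name, last_name, username, password, email, activation_key, user_level, registration_date, last_activity)
VALUES ('{$clean['first']}', '{$clean['last']}', '{$clean['user']}', '{$clean['password']}', '{$clean['email']}', '{$clean['activation_string']}', '1', NOW(), NOW())");
}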
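// --- Login: rebuild the stored username/password hashes from the posted credentials ---
// NOTE(review): $trimmed and $errors come from code that is not shown here. The mysql_*
// extension used below was removed in PHP 7.0.

// Same password whitelist as registration. '-' is placed last so it is a literal; as `*-_` it
// was a range from '*' to '_'. The D modifier stops '$' from matching before a trailing newline.
$clean['match'] = '/^[A-Za-z0-9~!@#$%^&*_-]{6,}$/D';
$clean['salt'] = '';
if (preg_match($clean['match'], $trimmed['password'])) {
    // The entered password is the salt of the username hash, mirroring registration: a wrong
    // password therefore also yields a different username hash.
    $clean['salt'] = mysql_real_escape_string($trimmed['password']);
} else {
    // Previously no error was recorded here and $clean['password'] stayed unset, so the lookup
    // below ran with an empty password value.
    $errors[] = 'That is not a valid user name or password.';
}

$clean['match'] = '/^[A-Za-z]+(-|_)?[A-Za-z]+(-|_)?[A-Za-z]+[0-9]*$/D';
if (preg_match($clean['match'], $trimmed['username'])) {
    $clean['username'] = mysql_real_escape_string($trimmed['username']);
    $clean['user'] = mysql_real_escape_string(sha1(sha1($clean['username'] . $clean['salt'] . 'hhuFjn-3C4#$sdf!@#adS')));
} else {
    $errors[] = 'That is not a valid user name.';
}

// Password hash only makes sense once both inputs passed their whitelists.
if ($clean['salt'] !== '' && isset($clean['user'])) {
    $clean['password'] = mysql_real_escape_string(sha1(sha1($clean['user'] . $clean['salt'] . 'fsdS4fjk#%^@!-sdf23F-F34')));
}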
// Credential lookup. The if-blocks opened here are not closed within the posted excerpt.
if (empty($errors)){
// Matches the row by both derived hashes; mysql_query() returns false on failure, which
// mysql_num_rows() would only warn about rather than treat as "no rows".
$clean['query1'] = mysql_query("SELECT first_name FROM users WHERE username = '{$clean['user']}' AND password = '{$clean['password']}'");
if (mysql_num_rows($clean['query1']) == 1){
// Second lookup narrows to rows whose activation_key is NULL — presumably "activated"; confirm
// against the activation code, which is not shown here.
$clean['query2'] = mysql_query("SELECT first_name, user_level FROM users WHERE username = '{$clean['user']}' AND password = '{$clean['password']}' AND activation_key IS NULL");
if (mysql_num_rows($clean['query2']) == 1){
//
// stuff here
//
}
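// --- Password reset: look the account up by email hash and overwrite its password hash ---
// NOTE(review): nothing in this span checks that the requester controls the mailbox (for example
// a single-use token previously sent to the address) before the password is replaced; confirm
// that the surrounding code does so. $trimmed and $errors come from code not shown here, and the
// mysql_* extension was removed in PHP 7.0.

// Same email whitelist as registration; D stops '$' from matching before a trailing newline.
$clean['match'] = '/^[A-Za-z]+(?:[0-9]*(?:-|_)?[A-Za-z0-9]*(?:-|_)?[A-Za-z0-9]*(?:-|_)?[A-Za-z0-9]*)@(?:[A-Za-z0-9]+)\.(?:[A-Za-z]{2,6})(\.)?(?(1)[A-Za-z]{2,6})$/D';
$clean['query'] = false;
if (preg_match($clean['match'], $trimmed['email'])) {
    $clean['address'] = mysql_real_escape_string($trimmed['email']);
    // Hash the escaped address, as registration does, so both sides derive the column value the
    // same way (the whitelist admits no character that escaping would alter, so the value is the same).
    $clean['email'] = mysql_real_escape_string(sha1(sha1($clean['address'] . 'ADuiku^%w2--dgh#%fg45')));
    $clean['query'] = mysql_query("SELECT first_name, username, password FROM users WHERE email = '{$clean['email']}'");
    // A failed query (false) is treated like "not found" instead of reaching mysql_num_rows(false).
    if ($clean['query'] === false || mysql_num_rows($clean['query']) === 0) {
        // NOTE(review): this message tells the requester whether the address is registered; a
        // neutral "if that address is on file, instructions have been sent" response avoids that.
        $errors[] = 'That email address was not found in our records.';
    }
} else {
    $errors[] = 'That is not a valid email address!';
}

if (empty($errors)) {
    $clean['row'] = mysql_fetch_array($clean['query']);
    mysql_free_result($clean['query']);
    // Ten characters of the old hash become the new salt, i.e. the new password the user must
    // enter; how it reaches the user is not shown here.
    $clean['salt'] = mysql_real_escape_string(substr($clean['row']['password'], 10, 10));
    // NOTE(review): the stored username column was computed at registration as
    // sha1(sha1(username . <old password> . pepper)); it is not recomputed here, while the login
    // flow rebuilds it from the password the user types. After this UPDATE a login with the new
    // password therefore derives a different username hash and finds no row. Recomputing the
    // column needs the plain username, which this span does not have.
    $clean['password'] = mysql_real_escape_string(sha1(sha1($clean['row']['username'] . $clean['salt'] . 'fsdS4fjk#%^@!-sdf23F-F34')));
    mysql_query("UPDATE users SET password = '{$clean['password']}' WHERE email = '{$clean['email']}' LIMIT 1");
}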
Thanks in advance to anyone who bothered!
PS: I know double hashing sucks, but that's not a priority right now.