Everything worked fine until I did the encrypting, so the basic system is functional. As a last resort I won't encrpyt passwords at all; I doubt anyone would be interested in hacking my site. Or do spambots prowl the Internet looking to steal passwords?
Code (registration):
Code: Select all
<?php
include 'common.php';
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
if(get_magic_quotes_gpc()) {
$uname = stripslashes($_POST['username']);
$email = stripslashes($email = $_POST['email']);
}
else {
$uname = $_POST['username'];
$email = $_POST['email'];
}
if ($uname=='' or $email=='') {
error('One or both required fields were left blank. Please fill them in and try again.');
}
else {
// connect to database
include 'db.php';
$sql = "SELECT COUNT(*) FROM logintest WHERE uname = '$uname'";
$result = mysql_query($sql) or die (mysql_error());
if (!$result) {
error ('A database error occured in processing your submission.');
}
if (@mysql_result($result,0,0)>0) {
error ('Username already taken');
}
else {
$newpass = substr(md5(time()),0,6);
$pword = md5($newpass);
$uname = mysql_real_escape_string($uname);
$email = mysql_real_escape_string($email);
session_start();
$_SESSION['reg'] = "1";
header ("Location: registered.php");
$sql = ("INSERT INTO logintest SET uname='$uname', pword='$pword',
email='$email', regdate='CURDATE()'") or die (mysql_error());
$result = mysql_query($sql) or die (mysql_error());
if (!result) {
error('A database error occured during submission');
}
else {
mysql_close($db_handle);
}
}
}
}
?>
Code: Select all
<?PHP
$errorMessage = "Error logging on. Check that you are registered, and that your username and password are correct.";
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
$uname = $_POST['username'];
$pword = $_POST['password'];
// Database connect
$dbuser = "myuser";
$dbpass = "mypassword";
$database = "database";
$server = "localhost";
$db_handle = mysql_connect($server, $dbuser, $dbpass);
$db_found = mysql_select_db($database, $db_handle);
if ($db_found) {
$pword = md5($pword);
$uname = mysql_real_escape_string($uname);
$SQL = "SELECT * FROM logintest WHERE uname = '$uname' AND pword = '$pword'";
$result = mysql_query($SQL) or die (mysql_error());
$num_rows = mysql_num_rows($result);
// result checking
if ($result) {
if ($num_rows > 0) {
session_start();
$_SESSION['login'] = "1";
$_SESSION['uname'] = "$uname";
header ("Location: loginsuccess.php");
}
else {
session_start();
$_SESSION['login'] = "";
print $errorMessage;
}
}
mysql_close($db_handle);
}
}
?>