Page 1 of 1

Process new user login form

Posted: Fri Mar 11, 2011 9:44 pm
by SassyDragon
trying to get a process.php script that tests a user submitting a form to my social network
the comments cover what I know so far or am stuck on
Thank you very much

Code: Select all

<?php
  function addmember($db,$un,$pw)
  {
    //encrypt password and insert
    $e_pw = md5(trim($pw));
    $query = "INSERT INTO 'members' SET password,
      ='{$e_pw}', username = '{$un}'";
    $db->query($query);
    unset($query);
  }

?>

<?php
  //process the new user form request
  //for a social network site, records username
  //encrypted password, email, birthday, home,
  
  //wondering if someone could help me with email confirmation
  //and why this script keeps getting caught at email.php
  //the names of the location's arn't actual scripts just for testing
  require_once('db.class.php');
  require_once('add_member.php');
  
  //establish db connection
  $db = new db('db name','localhost','name','password');
    
  //set form to variables
  $name=$_POST['Username'];
  $password=$_POST['Password1'];
  $email=$_POST['Email Address'];
  $bday = $_POST['Birthday'];
  $home=$_POST['Most Frequently In'];
  
  //passowrds didn't match
  if($password!=$_POST['Password2'])
    header('Location: cpw.php');
  
  //email accounts didn't match
  if($email!=$_POST['Confirm Email Address'])
    header('Location: cemail.php');
  
  //query to see if username exists
  $query = "SELECT * FROM members WHERE email='{$email}'";
  $result = $db->query($query);
  $row=$db->numRows($result);
  
  // email exists
  if($row!=0)
    header('Location: email.php');
  else
  {
    addmember($db,$name,$password);
    
    require_once('_Header.php');
    
    $output .= "Congrats on registering!<br />";
	
    //include('confirmation_email.php');
    //write function to send - test for email/sending failure
    $output .= "An email has been sent to you.";
  
    require_once('_Footer.php');
  
   }
	  
?>

Re: Process new user login form

Posted: Mon Mar 14, 2011 12:04 pm
by social_experiment

Code: Select all

if($row!=0)
    header('Location: email.php');
You are telling the code to redirect if the result is not equal to 0, which means if a row is found (i.e $row == 1) the page is redirected. Change it to $row != 1 and see if it works :)
Hth

Re: Process new user login form

Posted: Tue Mar 15, 2011 7:19 am
by Mordred
Security:
1. Multiple SQL injection problems
2. exit() after every header("location

Also:

3. "INSERT INTO 'members' SET password, <-- this comma shouldn't be here
4. No need for unset($query);
5. You're losing the email address, so you'll allow multiple accounts with the same username