PHP DISABLE HTML ON MEMBERS PAGE
#1
Hello,

I am new here, and I have to say I am very impressed with the site layout and the value of members that are on here. I am pleased to join such an appropriate forum to learn from!

Now, if I may get started on my little problem that I am having with my registration form. Before I get further into detail, I am a nub at PHP coding; I have been getting into it lately and want to advance my learning with it.

OK, that being said, I would like to disable HTML sign-ups on my registration. People are inserting HTML tags in my registration fields, causing the members page to mess up. They inserted a big image that covered my whole page with the word 'hacked' on it. Which is very funny because it doesn't cause any harm, but it's my stupidity for not disabling HTML tags.

I would like some help with this so people can stop doing this stupid crap. I added a spam filter to my project so people don't use WPE Pro to spam the MySQL database and waste space.

Here is my register.php code:

PHP Code:
<?php session_start() ?> 

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <title>DigiChat Member</title>
    <link rel="stylesheet" href="images/main.css" media="screen">
    <link rel="stylesheet" href="images/colors.css" media="screen">
    <link href="loginmodule.css" rel="stylesheet" type="text/css" />
    <style type="text/css">
.style1 {
    color: #CCCCCC;
    font-style: italic;
    font-weight: bold;
}
    </style>
</head>
<body>
<p>&nbsp;</p>

<p>&nbsp;</p>
<div id="container">
    <div id="header">
  <a id="logo" href="#" title="Support Center"><img src="images/head.png" alt="Support Center" width="801" height="64" border="0"></a></div>
    <ul id="nav">
                  <li><a class="ticket_status" href="./index.php">Home</a></li>
                  <li><a class="new_ticket" href="./members.php">Members</a><a class="new_ticket" href="./register.php">Register</a><a class="new_ticket" href="./news.php">News</a></li>
         <li></li>

    </ul>
    <div id="content">
      <div id="index"><?php
    
    if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) > 0 ) {
        echo '<ul class="err">';
        foreach($_SESSION['ERRMSG_ARR'] as $msg) {
            echo '<li>'.strip_tags($msg).'</li>';
        }
        echo '</ul>';
        unset($_SESSION['ERRMSG_ARR']);
    }
?>
        <h1 align="left">Register A Free Account! </h1>
        <form id="loginForm" name="loginForm" method="post" action="register-exec.php">
          <p>&nbsp;</p>
          <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
            <tr>
              <th>First Name </th>
              <td><input name="fname" type="text" class="textfield" id="fname" /></td>
            </tr>
            <tr>
              <th width="124">Real Name </th>
              <td width="168"><input name="realname" type="text" class="textfield" id="realname" /></td>
            </tr>
            <tr>
              <th>Last Name </th>
              <td><input name="lname" type="text" class="textfield" id="lname" /></td>
            </tr>
            <tr>
              <th>Login</th>
              <td><input name="login" type="text" class="textfield" id="login" /></td>
            </tr>
            <tr>
              <th>Site ID</th>
              <td><input name="SiteID" type="text" class="textfield" id="SiteID" /></td>
            </tr>
            <tr>
              <th>Age</th>
              <td><input name="Age" type="text" class="textfield" id="Age" /></td>
            </tr>
            <tr>
              <th>Exit Message </th>
              <td><input name="exitmessage" type="text" class="textfield" id="exitmessage" /></td>
            </tr>
            <tr>
              <th>Comments </th>
              <td><input name="comments" type="text" class="textfield" id="comments" /></td>
            </tr>
            <tr>
              <th>Url</th>
              <td><input name="Url" type="text" class="textfield" id="Url" /></td>
            </tr>
            <tr>
              <th>Password</th>
              <td><input name="password" type="password" class="textfield" id="password" /></td>
            </tr>
            <tr>
              <th>Confirm Password </th>
              <td><input name="cpassword" type="password" class="textfield" id="cpassword" /></td>
            </tr>
            <tr>
              <td></td>
              <td><div align="center">
                <p><img id="captcha" src="securimage_show.php" alt="CAPTCHA Image" /></p>
                <p>
                  <input name="captcha_code" type="text" class="textfield" size="10" maxlength="6" />
                  <input type="submit" name="submit" value="Submit" />
                </p>
              </div></td>
            </tr>
          </table>
        </form>
      </div>
      <div style="clear:both"></div> 
 </div>
 <div id="footer"></div>
</div>
 <div align="center">
<img src="images/poweredby.png" height="38" width="802"></div>
</body></html> 

Here is register-exec.php:

PHP Code:
<?php
    //Start session
    session_start();

    //Include database connection details
    require_once('config.php');
    include_once('securimage.php');

    //Array to store validation errors
    $errmsg_arr = array();

    //Validation error flag
    $errflag = false;

    //Connect to mysql server
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $fname = clean($_POST['fname']);
    $lname = clean($_POST['lname']);
    $login = clean($_POST['login']);
    $SiteID = clean($_POST['SiteID']);
    $Age = clean($_POST['Age']);
    $Url = clean($_POST['Url']);
    $realname = clean($_POST['realname']);
    $exitmessage = clean($_POST['exitmessage']);
    $comments = clean($_POST['comments']);
    $password = clean($_POST['password']);
    $cpassword = clean($_POST['cpassword']);
    $securimage = new Securimage();

    //Input Validations
    if($fname == '') {
        $errmsg_arr[] = 'First name missing';
        $errflag = true;
    }
    if($lname == '') {
        $errmsg_arr[] = 'Last name missing';
        $errflag = true;
    }
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($SiteID == '') {
        $errmsg_arr[] = 'Site ID missing';
        $errflag = true;
    }
    if($Age == '') {
        $errmsg_arr[] = 'Age missing';
        $errflag = true;
    }
    if($Url == '') {
        $errmsg_arr[] = 'Url missing';
        $errflag = true;
    }
    if($exitmessage == '') {
        $errmsg_arr[] = 'Exit Message missing';
        $errflag = true;
    }
    if($comments == '') {
        $errmsg_arr[] = 'Comments missing';
        $errflag = true;
    }
    if($realname == '') {
        $errmsg_arr[] = 'Real Name missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }
    if($cpassword == '') {
        $errmsg_arr[] = 'Confirm password missing';
        $errflag = true;
    }
    if( strcmp($password, $cpassword) != 0 ) {
        $errmsg_arr[] = 'Passwords do not match';
        $errflag = true;
    }
    if($securimage->check($_POST['captcha_code']) == false) {
        $errmsg_arr[] = 'Captcha Incorrect';
        $errflag = true;
    }

    //Check for duplicate login ID
    if($login != '') {
        $qry = "SELECT * FROM members WHERE login='$login'";
        $result = mysql_query($qry);
        if($result) {
            if(mysql_num_rows($result) > 0) {
                $errmsg_arr[] = 'Login ID already in use';
                $errflag = true;
            }
            @mysql_free_result($result);
        }
        else {
            die("Query failed");
        }
    }

    //If there are input validations, redirect back to the registration form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: register.php");
        exit();
    }

    //Create INSERT query
    $qry = "INSERT INTO members(firstname, lastname, login, SiteID, Age, Url, exitmessage, comments, realname, passwd) VALUES('$fname','$lname','$login','$SiteID','$Age','$Url','$exitmessage','$comments','$realname','".md5($_POST['password'])."')";
    $result = @mysql_query($qry);

    //Check whether the query was successful or not
    if($result) {
        header("location: success.php");
        exit();
    }else {
        die("Query failed");
    }
?>

If I could get some help with this I would greatly appreciate it. This can be annoying to others, and I thought this would be a place to submit a question like this to users with the same problem...

Regards,

Leprechaun Coder
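
One way to keep HTML typed into the registration fields from being rendered on the members page, as an added example that is not part of the original post: encode every stored value with htmlspecialchars() at the point where it is printed, and link the Url field only when it is an http or https URL. The thread does not show members.php, so the functions e(), safe_url() and render_member_row() and the sample row are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Assumes members.php prints rows from the
// `members` table; render_member_row() and the sample row are hypothetical.

// Encode text for HTML element content and quoted attribute values.
function e($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Accept only absolute http/https URLs; anything else is dropped.
function safe_url($url) {
    $url = trim((string) $url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, array('http', 'https'), true) ? $url : '';
}

// Build one table row for the members page from a database row.
function render_member_row(array $m) {
    $url  = safe_url($m['Url']);
    $link = $url === '' ? '' : '<a href="' . e($url) . '" rel="nofollow">' . e($url) . '</a>';
    return '<tr>'
         . '<td>' . e($m['login']) . '</td>'
         . '<td>' . e($m['realname']) . '</td>'
         . '<td>' . (int) $m['Age'] . '</td>'      // Age is only ever shown as a number
         . '<td>' . e($m['comments']) . '</td>'
         . '<td>' . $link . '</td>'
         . '</tr>';
}

// Constructed sample row: comments holds the kind of tag described in the post.
$row = array(
    'login'    => 'demo_user',
    'realname' => 'Demo <b>User</b>',
    'Age'      => '27',
    'comments' => '<img src="http://example.invalid/big.png" width="2000">',
    'Url'      => 'ftp://example.invalid/file',
);

echo render_member_row($row), "\n";
```

The clean() function in register-exec.php escapes values for the SQL query only, so the tags reach the database unchanged and the encoding has to happen wherever the values are printed. With the encoding in place the browser shows the submitted tags as literal text instead of interpreting them.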


Messages In This Thread
PHP DISABLE HTML ON MEMBERS PAGE - by Leprechaun Coder - 05-14-2011, 01:16 PM
RE: PHP DISABLE HTML ON MEMBERS PAGE - by Gaijin - 05-14-2011, 02:45 PM
RE: PHP DISABLE HTML ON MEMBERS PAGE - by Sly - 05-14-2011, 09:07 PM
RE: PHP DISABLE HTML ON MEMBERS PAGE - by Sly - 05-14-2011, 09:10 PM
RE: PHP DISABLE HTML ON MEMBERS PAGE - by Sly - 05-14-2011, 09:21 PM
