User System Segment 1 - A Must See!

Old 01-04-2006, 10:59 PM   #1
ib4
 

Here is a VERY basic SQL User System tutorial for you php new guys n girls.
This will be done in segments because I am trying to keep it detailed for you learners.

So this post is segment #1 DB - Config - Register

NOTES TO MY TUTORIAL:

EVERY PIECE OF CODE IS IN EXACT ORDER IT WOULD BE IN THE FILE. SO WHEN YOU COPY AND PASTE
EVERYTHING JUST GOES RIGHT BELOW THE NEXT THING.

VAR means Variable
DB means Database

<? signifies the start of the code in the file and ?> will signify the end of the code in the file.

Tutorial:

You can take plenty of time as you learn php to learn more advanced ways. This is not my mission though. I am writing this mainly to show you how simple your php can be if you are new.

Now I am not going to give you the sql tables because it is always good to do it yourself to learn.

Open your sql and do the following:

Create a database named - portal

Then in the database create a table named user_db with these fields:

id - int - value 12 - auto increment - index
username - VARCHAR - value 255
password - VARCHAR - value 255
status - varchar - value 100 - default 0
email - text

Very simple. If you do not know how to do that then msg me. If enough people message me I will build them a phpMyAdmin tutorial.

Now let's go to the PHP.

Let's start off with a configuration file.

Create yourself a new file named config.php.

Now in a configuration file, you want to add global variables n such. By that I mean code that you can call to in any file of yours without having to re-write it.

So let's start off with your connection:

Code:
<?

$dbh = mysql_connect ("localhost", "Username", "Password") 
or die 
('Problem: ' . mysql_error());

mysql_select_db ("ROOTNAME_portal");

Now your connection is established with the function mysql_connect().

Your localhost can be localhost or a mysql host they provide for you. The difference
is "localhost" is located already on your host's server. Now if they provide you with
the SQL host name it just means it's on a different sql server. No worries.

Now the "or die ('Problem: ' . mysql_error());" is to tell you what is the problem with your connection if you cannot connect. You need to know right?

Now it needs to know which DB to look at right? Right that is why we use:


mysql_select_db ("ROOTNAME_portal");


This opens the correct DB. ROOTNAME must be changed to w/e yours is.

Now that your connection is established let's move on to keeping a global cookie variable.
It's good to have this because it keeps your user's cookie info around. This way you can easily
enable or disable things for users and non users.

Cookie Vars:

Code:

$username = $_COOKIE['username_pl'];
$password = $_COOKIE['password_pl'];

Not much to say here. But this is how you will grab your cookie info. The $_COOKIE['username_pl'];
and $_COOKIE['password_pl']; is giving the cookies names. That way they are id-able.

Now these next few snippets are just to keep important variables around.

Here we'll add a VAR for ip a VAR for time and a VAR for date.

Code:
$ip = getenv("REMOTE_ADDR");

$dt = date("D M d, Y");

$hour_diff = "1";
$time_adjust = ($hour_diff * 60 * 60);
$time = date("h:i a",time() + $time_adjust);

?>

Not much to say for gaining your ip from the server lol. As for the time, I made this because
sometimes a server will be off by the time. So all you need to do is check the server time. If
it is off change the $hour_diff = "1"; to however many hours off. If not leave it.

Congratulations! You have finished your database and config file. Let's move on to the Register file.

Create a new file and name it register.php.

Here is the code to the form. An essential part to PHP use and interactivity on the net is Forms.

Code:
<html>
<body>

(*) Means field is required!<br>
<form action=register.php?x=make method=post>

*Username:<br>
<input type=text name=user><br><br> 

*Password:<br>
<input type=password name=pass><br><br>

*Retype Password:<br>
<input type=password name=pass2><br><br>

*E-Mail:<br>
<input type=text name=email><br><br>

<input type=submit value=Register> <input type=reset value=Clear>
</form>

</body>
</html>

Now here is an interesting little lesson I didn't notice I would include.
If you notice in the form it says " ?x=make ". Now I don't know exactly how to explain this but
that is mainly just a way for including many functions in a file or many "spots" you might say.

In this case it is used to minimize the amount of files. This will keep the form and the script
all on one page.

?x=make is the location inside the file where creating a user will be executed.

Now for the tons of explaining lol.

We must start by including the file that keeps things simple and global. Remember? Ah yes the

Config file!

Lets start:

Code:
<?

include "config.php";

if($x == 'make') {

Now what this will do for us is include the variables we wrote earlier, to the register file.
That way we don't have to re-write the variables. Convenient.

Now let's move on.

Ok now when you have people signing up, you don't want them using symbols they shouldn't or words.
So what we need to do is create a string that eliminates those things.

Code:
$user = str_replace(array('<', '>', '\\', '/', '=', ' ', '$', '!', '@', '%', '^', '&', '*', '(', ')', '{', '}', ':', ';', '?', '#', 'fuck', 'bitch', 'damn', 'slut', 'fuckin', 'gay', 'fag', 'faggot', 'queer'), "", $user);
$email = str_replace(array('<', '>'), "", $email);

What the str_replace(); function does for you is take what you tell it not to add and replaces
it with what it should add in case used.

So in this case what not to use is:

('<', '>', '\\', '/', '=', ' ', '$', '!', '@', '%', '^', '&', '*', '(', ')', '{', '}', ':', ';', '?', '#', 'fuck', 'bitch', 'damn', 'slut', 'fuckin', 'gay', 'fag', 'faggot', 'queer'),

Which will now be replaced with:

"",

Which means a blank space lol.

This also comes in handy to stop exploits. People may try and get funny and throw a redirect
html tag in there to annoy others. Or something stupid. That is a good reason these are used too.

I threw the email string in there just as another example for you.

Now, we should probably go make sure they filled out the fields.

Code:
if($user == '' || $pass == '' || $pass2 == ''){

	echo "Forget a required field?";

}else{

Now what we have here is a checking if statement. You can break it down to 3 if's if you want to.
If you did that you could tell them exactly what they forgot. In this case we will put it
together.

An if statement is a key to all php programming. It's basically your cause and effect to bring
your stuff to life.

One thing to know is " == " is like, "is equal to" and " != " is like, "is not equal to". There are more
but this is all you need here.

What this is saying is - IF your user field($user) and/or your first password field($password) and/or
your second password field($pass2) is blank, then ECHO (say,print out w/e) "Forget a required field?".
If not, the ELSE (move on).

Now we have made it to where, without the three key parts of signing up...YOU AINT GOING NO WHERE!! lol

Ok so now it's probably smart to see if this username already exists right? Right...if you didn't know that
I don't know what to tell you lol.

Code:
$name_check = mysql_query("SELECT username FROM user_db WHERE username = '$user'");
$name_check = mysql_num_rows($name_check);

if($name_check == 1){

	echo "Username already taken.";

}else{

Soooo. Now we have a SQL QUERY! Oh goody. What this is is something that calls to the database and does
whatever you ask it to. Most likely you're grabbing info or putting in or editing.

In this case we are grabbing info and checking. The:


$name_check = mysql_query("SELECT username FROM user_db WHERE username = '$user'");
$name_check = mysql_num_rows($name_check);


Is what does so. It is opening up the db and looking for the username you put in the user field($user).

Now we need to see if it is there or not.


if($name_check == 1){
echo "Username already taken.";
}else{


Now you know what if/else statements are. So what this is doing is taking the query VAR which is
$name_check and checking if it exists. 1 means yes 0 means no.

Good. Let's move on.

Now of course...we have two password fields...why? Because we want to make sure people KNOW their password.

So let's check and make sure they are the same.

Code:
if($pass != $pass2){
	
	echo "Passwords dont match!";
	
}else{

VERY SIMPLE. We take the 1st and 2nd password fields names/VAR and say if they do not match
" != " then you don't move forward. Simple as that.

So now we have everything checked out. Let's grab one more thing before we submit. The ip!
Always good for security reasons. You may need to track someone or report them to their ISP.
Or ban them simply. Here's how we do so:

OH MY GOSH! WE HAVE ALREADY DONE IT BECAUSE WE USED A CONFIG FILE! IT'S AMAZING! Wow see how
that comes together? Awesome huh?.

Anyway it's always good to make sure you have a back up so just in case. Yea..throw it in there lol.

Code:
$ip = getenv("REMOTE_ADDR");

Better safe than sorry right?

Ok SO FINALLY! Let's make their password secure and submit the info to the db!

This first snippet in the next code is just another check to make sure they didn't use symbols they shouldn't
as explained above. "EXTRA" security you might say.

Then..

It's always good to encrypt a user's password. That way YOU or others do not ever know what kind
of password they use. To do this we use a little thing called MD5. What this does is encrypts
whatever string you ask it to and makes it unbreakable. It literally is...unbreakable too lol.

Then...

We need to submit the info to the DB.

So here's how we do so:

Code:
if(ereg('^[a-zA-Z0-9_\\-]+$', $user)){

	$pass = md5($pass2);
	mysql_query("INSERT INTO user_db (username,password,email,ip,status) VALUES('$user','$pass','$email', '$ip', '$status')") or print '<b>Error:</b> '.mysql_error();

	echo "<META HTTP-EQUIV=\"refresh\" content=\"0;URL=index.php\">";

}else{

	echo "Invalid Characters In Username!";

}
}
}
}

}	

?>

So this is the last bit. I explained the first snippet. The second one is the MD5. What it does
is takes the 2nd password field and names it $pass and encrypts it. Now you may say "I thought
we already used the $pass variable." We did, but because they got this far it means their passes
matched which means we don't need $pass anymore, we can re-use it.

Then we submit the data to the DB using another mysql_query. Same thing just different type than before.
Remember I mentioned the different types? Well this is an insert one. It calls the fields:

(username,password,email,ip,status)

and matches them to the form field names/VARs:

VALUES('$user','$pass','$email', '$ip', '$status')")

Once again there is an error output in case something goes wrong.

Now if they are alright they are done! It redirects them to the index.

If not it stops then because they have invalid characters in their username. And they go back
and fix it.

Also all the " } " those are just closing the statements you opened up.

End Tutorial

Well that was good! We will continue soon with the login forms. If you liked this tutorial sign up here and
become a part of the community!!!!!

Enjoy!
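The registration step from the tutorial above, reworked as an added example that is not part of the original post: fields are read from the request array explicitly, the username is checked against an allow-list instead of having characters stripped, every value reaches SQL as a bound parameter, and the password is stored with `password_hash()` rather than a bare MD5. It assumes PHP 7.3+ with PDO, and an in-memory SQLite table stands in for the tutorial's MySQL `user_db` so the block runs on its own; the sample submissions are constructed.

```php
<?php
// Added example, not the tutorial author's code. Assumes PHP 7.3+ with PDO/SQLite;
// an in-memory SQLite table stands in for the tutorial's MySQL user_db.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE makes the database enforce "username not taken", so two
    // simultaneous sign-ups cannot both pass a SELECT-then-INSERT check.
    $db->exec("CREATE TABLE user_db (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        username VARCHAR(255) NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL,
        status   VARCHAR(100) NOT NULL DEFAULT '0',
        email    TEXT NOT NULL)");
    return $db;
}

function register_user(PDO $db, array $post): string {
    // Read each field from the request array; nothing depends on register_globals.
    $user  = (string)($post['user']  ?? '');
    $pass  = (string)($post['pass']  ?? '');
    $pass2 = (string)($post['pass2'] ?? '');
    $email = (string)($post['email'] ?? '');

    if ($user === '' || $pass === '' || $pass2 === '' || $email === '') {
        return 'Forget a required field?';
    }
    // Allow-list: reject the name outright instead of stripping characters from it.
    if (!preg_match('/^[a-zA-Z0-9_-]{1,255}$/D', $user)) {
        return 'Invalid Characters In Username!';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid e-mail address.';
    }
    if ($pass !== $pass2) {
        return "Passwords don't match!";
    }
    // Salted, deliberately slow hash; check it at login with password_verify().
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    try {
        // Bound parameters: values are never spliced into the SQL text.
        $stmt = $db->prepare('INSERT INTO user_db (username, password, email) VALUES (?, ?, ?)');
        $stmt->execute([$user, $hash, $email]);
    } catch (PDOException $e) {
        if ((string)$e->getCode() === '23000') {   // integrity constraint violation
            return 'Username already taken.';
        }
        throw $e;
    }
    return 'Registered.';
}

// Constructed sample submissions.
$db = open_db();
$samples = [
    ['user' => 'alice',  'pass' => 'pw-one', 'pass2' => 'pw-one', 'email' => 'alice@example.com'],
    ['user' => 'alice',  'pass' => 'pw-two', 'pass2' => 'pw-two', 'email' => 'second@example.com'],
    ['user' => 'bob<b>', 'pass' => 'pw-one', 'pass2' => 'pw-one', 'email' => 'bob@example.com'],
    ['user' => 'carol',  'pass' => 'pw-one', 'pass2' => 'pw-one', 'email' => 'carol@example.com'],
];
foreach ($samples as $s) {
    echo $s['user'], ': ', register_user($db, $s), "\n";
}
// Same password for alice and carol, yet the stored hashes differ (per-hash salt).
$rows = $db->query('SELECT username, password FROM user_db')->fetchAll(PDO::FETCH_KEY_PAIR);
var_dump($rows['alice'] !== $rows['carol'], password_verify('pw-one', $rows['alice']));
```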
Old 01-04-2006, 11:08 PM   #2
PicoDeath
 

Damn that's big, I just skimmed through it at the moment, because I'm waiting for my php book to come. Very good from what I've seen. GOOD work and I look forward to the rest.
Old 01-04-2006, 11:10 PM   #3
ib4
 

heh thanks. Please report anything I forgot....I just realised a few that I had to go back and edit...so please do so!
Old 01-05-2006, 02:15 AM   #4
urmomma
 

Not too bad!

I suggest at the end...you put the complete code of what you have shown so far in the tutorial.

Is it wise to store a password in a cookie? I don't understand what you plan to do with it...but from personal experience....it's not wise...but I haven't read the whole tutorial yet so I don't really get what you want to do with that.
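On the cookie question raised in this post, one common alternative, shown as an added example that is not code from the thread: the cookie carries a random token instead of `password_pl`, and the server stores only a hash of that token with an expiry, so the cookie reveals nothing about the password and can be revoked. It assumes PHP 7.3+ with PDO and an in-memory SQLite store; the `sessions` table and the `session_pl` cookie name are made up for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ with PDO/SQLite; the
// "sessions" table and "session_pl" cookie name are made up for illustration.

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        token_hash TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        expires    INTEGER NOT NULL)');
    return $db;
}

// Call after the password has been checked at login; returns the cookie value.
function issue_token(PDO $db, int $userId, int $ttl = 3600): string {
    $token = bin2hex(random_bytes(32));   // random, unrelated to the password
    $stmt = $db->prepare('INSERT INTO sessions (token_hash, user_id, expires) VALUES (?, ?, ?)');
    // Only a hash of the token is stored, so a leaked table holds no usable cookies.
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;
}

// Returns the user id for a known, unexpired token, or null.
function user_for_token(PDO $db, string $cookieValue, ?int $now = null): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/D', $cookieValue)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, expires FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $cookieValue)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] <= ($now ?? time())) {
        return null;
    }
    return (int)$row['user_id'];
}

// Logout: the token stops working on the server, whatever the browser still holds.
function revoke_token(PDO $db, string $cookieValue): void {
    $stmt = $db->prepare('DELETE FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $cookieValue)]);
}

// Options for setcookie('session_pl', $token, cookie_options(3600)).
function cookie_options(int $ttl): array {
    return ['expires' => time() + $ttl, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed walk-through: log in as user 7, use the cookie, log out.
$db = open_store();
$cookie = issue_token($db, 7);
var_dump(user_for_token($db, $cookie));                // freshly issued token
var_dump(user_for_token($db, str_repeat('0', 64)));    // token the server never issued
var_dump(user_for_token($db, $cookie, time() + 7200)); // same token, checked after expiry
revoke_token($db, $cookie);
var_dump(user_for_token($db, $cookie));                // after logout
```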
Old 01-05-2006, 02:31 AM   #5
ib4
 

well. depends how you look at it. the password is md5'ed. I haven't figured out a way to exploit it yet. So I would say there is no problem. As for its use. I only put it there in case I find one. And probably for security around my site I shall put it to use. I will see I guess.
Old 01-05-2006, 03:09 AM   #6
Sonny

If it's MD5, I doubt anyone is gonna take the time to crack it. It can take months to decrypt one...

Good script, certainly helps me. I only skimmed through it, because I'm lazy... but it's well explained, and looks good.
Old 01-05-2006, 04:50 AM   #7
urmomma
 

Months? It takes a night.

There are websites...where you can submit MD5 hashes...and they will use their tables of data to crack it.

You could use programs like Cain and Abel to decrypt it. I'm suggesting you change this. Hashes should be stored in a database...and scripts that access them should have high security.

You're risking something....
Old 01-05-2006, 07:50 AM   #8
cabal

Some passwords (mainly people who are experienced and know what it takes to beat a h4x3r) are gonna be tough to crack but others could just take minutes.
Old 01-05-2006, 02:38 PM   #9
ib4
 

Well I guess somewhere in time I will write the special user authentication I wrote for the config file and put it on here for others. As for securing the password...I will have to look into that more. I have been exploited by PLENTY of things, but never a password exploit.
Old 01-05-2006, 08:12 PM   #10
TakeChaser
 

Definitely worth time to read!

Great Job Wade!!!
Old 01-06-2006, 02:07 AM   #11
Sonny

Quote:
Originally posted by urmomma@Jan 5 2006, 04:50 AM
Months? It takes a night.

There are websites...where you can submit MD5 hashes...and they will use their tables of data to crack it.

You could use programs like Cain and Abel to decrypt it. I'm suggesting you change this. Hashes should be stored in a database...and scripts that access them should have high security.

You're risking something....

Cain and Abel takes MONTHS to decrypt an MD5. I'll give you my password out the database in MD5, and we'll see when you've cracked it! Tables of data are OK.... if your password is actually in the database etc. Jumbled up passwords will just take ages to decrypt, if at all!

@thescript: You could just scramble the MD5... still wouldn't be 100% secure, but would keep any amateurs out.
Old 01-06-2006, 04:07 AM   #12
urmomma
 

@sonny...you're silly :P When I'm talking tables...I hope you're not confusing them for a dictionary attack. Something totally different. If you want, you can pm me for more information on them. The website I have in mind uses these tables...and cracks MD5 hashes...overnight. I don't want to talk about them here very much...less peeps know about them the better... I hate hackers... especially hacker wanna-be's...soo I don't want to talk about this on the forum

Cain and Abel...well it does depend on a password....but even passwords I developed to be hard to crack...have been cracked by a friend of mine who is an expert on MD5 in 8 hours. My password was a sentence, no spaces, used semicolons, and random numbers with letters.

8 hours...

If you have been exploited a lot of times, maybe you should pm me or something. I might be able to help. Have you included in your member script anti-hack blocks? Simply statements...from time to time....in sensitive areas. Basically... think like a hacker and you know the script...so exploit your own thing....and put "catching" scripts to stop such attacks...and end it with the exit(); command or something... (die...is ok for sql).

good luck.
Old 01-06-2006, 04:29 AM   #13
ib4
 

#1 This has turned into a ridiculous conversation. Someone should close this n just pm me if you have questions on the script.

Hacking and or script kiddies should be looked down upon. Sure "hacking" or w/e you guys choose to call these childish acts is good to know to fix your own scripts. You don't need to know how to exactly, you just need to know what exists. Therefore you have enough knowledge to secure your script.

Anyone who has taken the time to even learn such acts of being able to get through something you're NOT permitted to should be ashamed. If it's not your job in the rightful place of government then keep it to yourself and what is to come in the future for you is your business.

As for the script. You guys have probably completely frightened any php noobs. Good going. This script was not for people who have sites that get a billion visitors a day. SIMPLY for beginners. I do not expect a Google tech to be looking at this script. ALSO, this is simply a beginner tutorial. My script is my script and has my techniques of securing it. Why would I post MY ways of securing it for the public? That is like AOL telling Fox news to tell the world about known exploits in their system.

Please close this topic. I will post the next segment soon. Thank you.
Old 01-06-2006, 12:41 PM   #14
Sonny

Quote:
Originally posted by urmomma@Jan 6 2006, 04:07 AM
@sonny...you're silly :P When I'm talking tables...I hope you're not confusing them for a dictionary attack. Something totally different. If you want, you can pm me for more information on them. The website I have in mind uses these tables...and cracks MD5 hashes...overnight. I don't want to talk about them here very much...less peeps know about them the better... I hate hackers... especially hacker wanna-be's...soo I don't want to talk about this on the forum

Cain and Abel...well it does depend on a password....but even passwords I developed to be hard to crack...have been cracked by a friend of mine who is an expert on MD5 in 8 hours. My password was a sentence, no spaces, used semicolons, and random numbers with letters.

8 hours...

If you have been exploited a lot of times, maybe you should pm me or something. I might be able to help. Have you included in your member script anti-hack blocks? Simply statements...from time to time....in sensitive areas. Basically... think like a hacker and you know the script...so exploit your own thing....and put "catching" scripts to stop such attacks...and end it with the exit(); command or something... (die...is ok for sql).

good luck.

Could well be the same site I have in mind.... where you have to sign up for an account, and then MD5 hashes can be submitted online or thru Cain & Abel. It still isn't 100% guaranteed; it can still not get the password.
Old 01-07-2006, 12:55 AM   #15
Sonny

I'm opening it, but discussion is finished. I'd hate users with problems etc with this to not be able to ask!