Help needed protecting user registry

trickytiger

I was notified by someone that the user registry on my forum is able to be hacked, so i was wondering if anyone here would be able to help me fix it

here is the member.php file:

<?php
# member.php

require "./include.php";

if($action == "reg" && $HTTP_POST_VARS['submit'] == "") {   # If user is trying to access register form
	$navaddon = "&gt; Register";
	page_header("$navaddon", $themsg);
	reg_form();
}


if($action == "reg" && $HTTP_POST_VARS['submit'] != "") {   # If they has submitted register info
	$navaddon = "&gt; Register";
	page_header("$navaddon", $themsg);
	$password1 = $HTTP_POST_VARS['password1'];
	$password2 = $HTTP_POST_VARS['password2'];
	$username = $HTTP_POST_VARS['username'];

if($password1 != $password2) {
	echo "Passwords don't match";
	exit;
}

$query = mysql_query("SELECT uid FROM $db_member WHERE username='$username'") or die(mysql_error());
$member = mysql_fetch_array($query);

if($member != "") {
	echo "Username already registered";
	exit;
}

$query = mysql_query("SELECT COUNT(*) FROM $db_member") or die(mysql_error());
$memnum = mysql_result($query, 0);

if($memnum == 0) {
	$status = "Administrator";
} else {
	$status = "Member";
}

$time = time();
$template = str_replace("cfg_", "", $template);
mysql_query("INSERT INTO $db_member VALUES ('', '$username', '$password1', '$status', '', '', '', '', '', '', '$time', '0', '$template')") or die(mysql_error());
echo "Registered successfully, now being redirected";
redirectit("index.php");
}


if($action == "list") {   # That darn member list! Gee golly!
	$navaddon = "&gt; Member List";
	page_header("$navaddon", $themsg);

# Do multipage stuff
$perpage = 30;
if($page == "") {
	$page = 1;
	$start = 0;
} else {
	$start = ($page - 1) * $perpage;
}

$query = mysql_query("SELECT COUNT(*) FROM $db_member") or die(mysql_error());
$mcount = mysql_result($query, 0);
$multi = multipage($mcount, $perpage, $page, "member.php?action=list");


mlist_header($multi);

$ttnum = 1;
$query = mysql_query("SELECT * FROM $db_member ORDER BY regdate LIMIT $start, $perpage") or die(mysql_error());
while($member = mysql_fetch_array($query)) {
	$member[regdate] = $datetime = date("M d Y G:i:s", $member[regdate]);
	mlist_row($member, $ttnum);
	$ttnum = altcolors($ttnum);
}

mlist_footer($multi);
}


if($action == "viewpro") {   # Vieweth Profileth
	$member = $HTTP_GET_VARS['member'];
	$query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die(mysql_error());
	$member = mysql_fetch_array($query);

$member[regdate] = $datetime = date("M d Y G:i:s", $member[regdate]);

$navaddon = "&gt; View Profile For $member[username]";
page_header("$navaddon", $themsg);
viewpro_table($member);
}


if($action == "editpro" && $HTTP_POST_VARS['submit'] == "") {   # Edit a user's profile
	$navaddon = "&gt; Edit Profile";
	page_header("$navaddon", $themsg);

if($cmuser == "" || $cmpass == "") {
	echo "Must be logged in to access this page. <a href=\"loginout.php?action=login\">Login</a> or <a href=\"member.php?action=reg\">Register</a>";
	page_footer($memcount, $postcount, $onlinecount, $themsg, $fjump);
	exit;
}

$query = mysql_query("SELECT * FROM $db_member WHERE username='$cmuser'") or die(mysql_error());
$member = mysql_fetch_array($query);

$templates = array();
$dir = opendir("template/");
while($template = readdir($dir)) {
	array_push($templates, $template);
}
closedir($dir);

for($i = 0; $i < count($templates); $i++) {
	if(strstr($templates[$i], ".php") && strstr($templates[$i], "cfg_")) {
		$templates[$i] = str_replace(".php", "", $templates[$i]);
		$templates[$i] = str_replace("cfg_", "", $templates[$i]);

		if($templates[$i] != $member[template]) {
			$member[temphtml] .= "<option value=\"$templates[$i]\">$templates[$i]</option>";
		} else {
			$member[temphtml] .= "<option value=\"$templates[$i]\" selected=\"selected\">$templates[$i]</option>";
		}
	}
}

editpro_table($member);
}


if($action == "editpro" && $HTTP_POST_VARS['submit'] != "") {
	$navaddon = "&gt; Edit Profile";
	page_header("$navaddon", $themsg);

$newemail = $HTTP_POST_VARS['newemail'];
$newwebsite = $HTTP_POST_VARS['newwebsite'];
$newaim = $HTTP_POST_VARS['newaim'];
$newicq = $HTTP_POST_VARS['newicq'];
$newmsn = $HTTP_POST_VARS['newmsn'];
$newlocation = $HTTP_POST_VARS['newlocation'];
$newsig = $HTTP_POST_VARS['newsig'];
$newpassword = $HTTP_POST_VARS['newpassword'];
$newtemplate = $HTTP_POST_VARS['newtemplate'];

if($newpassword != "") {
mysql_query("UPDATE $db_member SET password='$newpassword' WHERE username='$cmuser'") or die(mysql_error());	
}

mysql_query("UPDATE $db_member SET email='$newemail', website='$newwebsite', aim='$newaim', icq='$newicq', msn='$newmsn', location='$newlocation', sig='$newsig', template='$newtemplate' WHERE username='$cmuser'") or die(mysql_error());
echo "Profile edited successfully, now being redirected.";
redirectit("index.php");
}

# etgay agepay ooterfay htmlay
page_footer($memcount, $postcount, $onlinecount, $themsg, $fjump);
?>

if you need any other files, let me know

void_function

What immediately comes to my attention is storing of plain passwords in database. I would use one-way encription, like MD5 for example:

INSERT INTO $db_member VALUES ('', '$username', MD5('$password1'), ....

or md5-ing the password within PHP, before sending through SQL.

That way you can't send the password back to the user if s/he forgot it, but would have to generate a new one and send via email to him, storing the new password in the table.

I can only ask how do you handle login and user authentication?

_void()