Creating Accounts And Logging In

yiuyin

my first time making such a complicated code (for me 😛)... so please help me and check for mistakes, thanks!

(register.php)

<form action="process_register.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="text" name="password" />
Full Name: <input type="text" name="name" />
Email Address: <input type="text" name="mail" />
<input type="submit" />

(process_register.php)

<?php
$con = mysql_connect("mysql.x10hosting.com","yiuyin","password");
if (!$con)
{
die('Could not connect. Press back and fill in form again. ' . mysql_error());
}
mysql_select_db("accounts", $con);
$sql="INSERT INTO accounts (Username, Password, Name, EMail)
VALUES
('$POST[username]','$POST[password]','$POST[name]','$POST[mail]')";
if (!mysql_query($sql,$con))
{
die('Could not connect. Press back and fill in form again. ' . mysql_error());
}
echo "Your accont have been created! You may login now.";
mysql_close($con)
?>

(login.php)

<form action="process_login.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="text" name="password" />
<input type="submit" />
</form>

(process_login.php)

<?php
$con = mysql_connect("mysql.x10hosting.com","yiuyin","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("accounts", $con);

$passwordt = mysql_query("SELECT Password FROM accounts
WHERE Username='$_POST["username"]'");

if (‘$POST["password"]’= ‘$password’)
{echo "You have logged in successfully.";
setcookie("user", "$POST["username"]", time()+86400);}
else
echo "Username/password incorrect, please try again.";
?>

zabmilenko

1) You aren't doing anything to your $_POST input before sending it to your database. See mysql_real_escape_string();

2) You have smart quotes near the bottom wrapped around a variable '$_POST["password"]'; Probably from Microsoft word or wordpad?

3) You are wide open to cookie spoofing. Anyone who knows a valid username can spoof your site using your cookie scheme. They just manually add a cookie to their browser with a user of "admin" or something.

4) The error message: 'Could not connect. Press back and fill in form again. ' is misleading. Maybe just "please try again later" ??

5) You did not wrap your forum post code in [ php ][ /php ] blocks to make it look pretty. This makes some of the senior community members here less likely to help you out.

6) There are several places where you double-nest quotes: "quoted 'nested "double" single' regular". Maybe it works, but at first glance it doesn't look like it.

That is first glance...

dougal85

yiuyin wrote:
my first time making such a complicated code (for me 😛)... so please help me and check for mistakes, thanks!

(register.php)
<form action="process_register.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="text" name="password" />
Full Name: <input type="text" name="name" />
Email Address: <input type="text" name="mail" />
<input type="submit" />

I'm not sure if this is the full page HTML. However, you are missing the closing form tag (</form>)

Change passwords inputbox to type="password" so people can't see what's being typed in.

yiuyin wrote:

(process_register.php)

<?php
$con = mysql_connect("mysql.x10hosting.com","yiuyin","password");
if (!$con)
{
die('Could not connect. Press back and fill in form again. ' . mysql_error());
}
mysql_select_db("accounts", $con);
$sql="INSERT INTO accounts (Username, Password, Name, EMail)
VALUES
('$_POST[username]','$_POST[password]','$_POST[name]','$_POST[mail]')";
if (!mysql_query($sql,$con))
{
die('Could not connect. Press back and fill in form again. ' . mysql_error());
}
echo "Your accont have been created! You may login now.";
mysql_close($con)
?>

As already mentioned - you need to clean variables that are entered by the user. Otherwise you are open to SQL injection hacks.

You have an error in your English. "Your accont have been created! You may login now." should be "Your account has been created! You may login now."

You may want to consider validating the format of the data passed in. ie. you don't want people putting names likes "$%^{$%^$"} etc. you only want letters.

yiuyin wrote:

(login.php)

<form action="process_login.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="text" name="password" />
<input type="submit" />
</form>

Again you might want to change the input for password to type password.

yiuyin wrote:

(process_login.php)

<?php
$con = mysql_connect("mysql.x10hosting.com","yiuyin","password");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("accounts", $con);

$passwordt = mysql_query("SELECT Password FROM accounts
WHERE Username='$_POST["username"]'");

if (‘$_POST["password"]’= ‘$password’)
{echo "You have logged in successfully.";
setcookie("user", "$_POST["username"]", time()+86400);}
else
echo "Username/password incorrect, please try again.";
?>

Here you have "if (‘$_POST["password"]’= ‘$password’"

There are a number of problems with this line. You have the smart quotes as mentioned.
You shouldn't have quotes around $_POST - its a variable.
You are using = not == or ===. A single = assigns the variables, to compare you need double or triple =
I don't see where $password is set. So I think you are comparing to an unset variable.

Also in the line with setcookie, you have quotes around the $_POST - these are not needed and note you are using dirty user data again.

General Comment; You are not checking for page submission, for example I could go to process_register.php and your code doesn't check for a submitted form. Therefore it will try and register me with empty data.

Hope this helps