Register Script

Haddman

I've been working on this for a while and it works now and i wanted to know what you think about this register script:

if(isset($_POST['register'])){
$stamp=gmdate("g:i a, M nS Y");

$user=$_POST['user'];
$pass=$_POST['pass'];
$pass2=$_POST['pass2'];

$user=mysql_real_escape_string($user);
$pass=mysql_real_escape_string($pass);
$pass2=mysql_real_escape_string($pass2);

if($user==""){
	$userbad="Username field is empty!";
	$userb=1;
}

if($pass==""){
	$passbad="Password field is empty!";
	$passb=1;
}

if($pass2==""){
	$pass2bad="Repeat Password field is empty!";
	$pass2b=1;
}

if($pass!=$pass2 && $passb!=1 && $pass2b!=1){
	$passcombad="Passwords do not match!";
	$passcomb=1;
}

if($user==$pass || $user==$pass2){
	if($userb!=1 && $passb!=1 && $pass2b!=1){
		$userpasssamebad="Your username can not be the same as you password!";
		$userpasssameb=1;
	}
}

if(strlen($pass)<6){
	$passminbad="Passwords needs to be atleast 6 letters!";
	$passminb=1;
}

if(strlen($user)>200){
	$differenceu=strlen($user)-200;
	$userlenbad="Username ".$differenceu." letters to long!";
	$userlenb=1;
}

if(strlen($pass)>200){
	$differencep=strlen($pass)-200;
	$passlenbad="Password ".$differencep." letters to long!";
	$passlenb=1;
}

$getu=runit("SELECT*FROM `user` WHERE `user`='".$user."' LIMIT 1","Comparing username with the db.","user");
if(mysql_num_rows($getu)==1){
	$userdbbad="The username ".$user." has already been taken!";
	$userdbb=1;
}

if($userb==1 || $passb==1 || $pass2b==1 || $passcomb==1 || $userpasssameb==1 || $passminb==1 || $userlenb==1 || $passlenb==1 || $userdbb==1){
	$run_error=1;
}elseif($userb!=1 || $passb!=1 || $pass2b!=1 || $passcomb!=1 || $userpasssameb!=1 || $passminb!=1 || $userlenb!=1 || $passlenb!=1 || $userdbb!=1){
	$pass=md5($pass);
	$success="You have successfully registered. You can now login <a href='index.php'>here</a>.";
	runit("INSERT INTO `user` (id,user,pass,admin,joined) VALUES ('".$_POST['id']."','".$user."','".$pass."','0','".$stamp."')","Inserting user details into db","user");
}
}

Code that outputs the errors, if any....

if($run_error==1){
	echo "<ul>";
		if($userb==1){ echo "<li>".$userbad."</li>"; }
		if($userdbb==1){ echo "<li>".$userdbbad."</li>"; }
		if($userpasssameb==1){ echo "<li>".$userpasssamebad."</li>"; }
		if($passb==1){ echo "<li>".$passbad."</li>"; }
		if($pass2b==1){ echo "<li>".$pass2bad."</li>"; }
		if($passcomb==1){ echo "<li>".$passcombad."</li>"; }
		if($userlenb==1){ echo "<li>".$userlenbad."</li>"; }
		if($passlenb==1){ echo "<li>".$passlenbad."</li>"; }
		if($passminb==1){ echo "<li>".$passminbad."</li>"; }
	echo "</ul>";
}elseif(!$run_error){
	if(!$run_error){ echo "<li>".$success."</li>"; }
}

rincewind456

What happens if my username is a space and my password is 6 spaces?

would suggest you use [man]trim()[/man] to check for spaces.

Neville1985

rincewind456;10931614 wrote:
What happens if my username is a space and my password is 6 spaces?

would suggest you use [man]trim()[/man] to check for spaces.

Use something like this

function validateTextNS ($input, $error_description) {

	$string		=	"/^([a-zA-z0-9])*([-a-zA-z0-9])+$/";
	$error_desc	=	(string)	$error_description;

	if(preg_match($string, $input)) {
		return true;	
	} else {
		$this->errors[]	=	$error_desc;
		return false;
	}
}

It takes the options of spaces away, and forces the person to enter alphanumeric elements in as a string with NO spaces. It fails on any special chars including spaces, but not including '-'. When it fails it spits the error message to a function that lists them.

If you want a bit of help with this, pm me.

laserlight

I think that Neville1985's suggestion is a good one, but the regular expression pattern is not quite correct. Something like this is more likely to be what you are looking for:

function validateTextNS($input, $error_description) {
    $pattern = '/^[a-z0-9][-a-z0-9]*$/i';
    if (preg_match($pattern, $input)) {
        return true;
    } else {
        $this->errors[] = (string)$error_description;
        return false;
    }
}

Before sending a private message, read the PHP manual on PCRE.

Haddman

rincewind456;10931614 wrote:
What happens if my username is a space and my password is 6 spaces?

would suggest you use [man]trim()[/man] to check for spaces.

Hadn't thought of that.....

Thanks for the advise, Neville1985 and laserlight, but seeing as i barely know what you're doing i came up with something different, and more simple.
User:

if($user!=""){
	$whitespacecheck=str_replace(" ","",$user);
	if($whitespacecheck==""){
		// Error
	}
}

Password:

if($pass!=""){
	$count=strlen($pass);
	$whitespacep=trim($pass);
	if($count!=strlen($whitespacep)){
		// Error
	}
}

You think this would do the trick?

Neville1985

Haddman;10931732 wrote:
Hadn't thought of that.....

Thanks for the advise, Neville1985 and laserlight, but seeing as i barely know what you're doing i came up with something different, and more simple.
User:
if($user!=""){
	$whitespacecheck=str_replace(" ","",$user);
	if($whitespacecheck==""){
		// Error
	}
}

That works fine, but I really wouldn't suggest it for almost every security reason under the sun, as laser and I have said, regular expressions are the best way to handle things like this. You can use something like the above to edit the string after the fact.

Password one; Let me see if i got this right.

Counts the $pass strings length
Trims the white-space from either end of the $pass string.
Recounts the string length then checks to see if its equal to the original string length.

I see your logic and it works, although if you use trim() you will get yourself into trouble with white-space(s) within your $pass string.

$pass1 = "    pass 1   ";
$pass2 = "    pass 2    ";

//result of password after str_replace() and trim() respectively

$pass1 = "pass1";
$pass2 = "pass 2";

You won't remove the internal white-space. If you really want to continue along this path do this:

//Assuming $user and $pass have been filled by a $_POST, $_GET or $_REQUEST
//It would look like this:
//$user = (string) $_REQUEST['username'];
//$pass =	 (string) $_REQUEST['password'];


$user = (string) " user 1 2 3 "; 
$pass = (string) " pass 1 2 3 ";
$pass_cnt_1 = (int) countLen($pass);

$user = (string) removeWS($user);	
$pass = (string) removeWS($pass);
$pass_cnt_2 = (int) countLen($pass);

if ( $user && $pass != "" && $pass_cnt_1 === $pass_cnt_2) {
	//Pass Scripts Here
} else {
	//Failed Scripts Here
	unset($user,$pass,$pass_cnt_1,$pass_cnt_2); //Release the variables
}

//function that removes white-spaces
function removeWS($input) {
	$value = str_replace(" ", "",$input);
	return $value;
}
//function that counts string length
function countLen($input) {
	$total = strlen($input);
	return $total;
}

Now, before you go off I understand this is a little more programming (even though not by much.) Also I am understanding that your not as experienced as some on this board. Although programming this way shows you good practices, some 'security' (lol), refined if...else statement, reusable functions and last but not least, its more readable.

All you need to do is replace the "test 1 2 3" strings in the $user and $pass vars with data of your choice and off you go.

Remember it will blank page if you don't tell it to do something in the //Pass / Failed script areas

Hope this helps.

@: thanks for the expression fix.

Creasy

Neville1985;10931846 wrote:

//function that counts string length
function countLen($input) {
	$total = strlen($input);
	return $total;
}

WTF? You can't be serious.

Creasy

OP, here's a better way to handle errors:

$errors = array();
$erred = false;

function error($message)
{
	global $errors, $erred;

$errors[] = $message;
$erred = true;
}

function print_errors()
{
	global $errors, $erred;

if($erred)
{
	echo '<ul>';
	foreach($errors as $message)
	{
		echo '<li>' . $message . '</li>';
	}
	echo '</ul>';
}
}

if($something_****ed_up)
{
	error('Something ****ed up!');
}

print_errors();

if( ! $erred)
{
	echo $success;
}

Use $var = true, not $var = 1.
Use empty($var) not $var == "".
Validate the username with a regular expression, as suggested above. Spaces are just one of many undesirable characters.
Your variable names are awful. $userpasssameb? At least differentiate words with an underscore or camel case.
Ignore any advice given to you by ricer Java programmers.

Shrike

Seems to me this is a case of premature optimisation. Is 6 spaces an invalid username? Does a 6 space username have a security implication? Honest users will not pick a username of 6 spaces, and as long as malicious users cannot circumvent any security with a username of 6 spaces then there was no problem to be fixed in the first place. If you are really worried about it then a simple regular expression would suffice rather than the excessive suggestions above (function countLen - why not just use strlen??)

Secondly, when you insert the user record you are not checking that the operation was successful, just assuming it was. So the insert could fail for some reason and your user would be told it was fine.

Weedpacket

While we're at it, what's wrong with a password of six spaces? Why is Roy Batty's speech (233 characters) deemed invalid when the when the first sentence of Hamlet's soliloquy (199 characters) is allowed? Storing passwords as salted hashes (which, I note, doesn't happen here) would mean that whatever password was used it would be stored in a known, fixed-length field.

laserlight

Shrike wrote:
Seems to me this is a case of premature optimisation. Is 6 spaces an invalid username? Does a 6 space username have a security implication? Honest users will not pick a username of 6 spaces, and as long as malicious users cannot circumvent any security with a username of 6 spaces then there was no problem to be fixed in the first place.

Since this is apparently the registration component, validation of the username is important since you may have legitimate users with weird taste in usernames. It is in the authentication component that this does not matter since an invalid username would not result in a match with any of the valid usernames that are on record.

Weedpacket wrote:
While we're at it, what's wrong with a password of six spaces?

It is too short. 😃 Then again, length is just one factor, e.g., "Cre@5y" is probably a better password than "packets", so increasing the minimum required length does not necessarily mean better passwords.

Shrike

laserlight;10931976 wrote:
Since this is apparently the registration component, validation of the username is important since you may have legitimate users with weird taste in usernames. It is in the authentication component that this does not matter since an invalid username would not result in a match with any of the valid usernames that are on record.

In my opinion the only significant part of a username is that it's unique and will fit into the relevant database field. All this talk about removing spaces seems a little extraneous.

Weedpacket

Trailing spaces ought to be removed, as anyone who's read Ender's Game will recall.

laserlight

Shrike wrote:
In my opinion the only significant part of a username is that it's unique and will fit into the relevant database field. All this talk about removing spaces seems a little extraneous.

That depends on what you are going to do with the username. If the username is solely for authentication, then it is likely that you do not need to do any special validation of it other than what you propose.

However, if the username is used to identify the user to others (i.e., it is more than just a unique identifier for login), then things like whitespace is a concern. For example, is "John Doe" the same as "John Doe"? You might think so, but there are two spaces in between "John" and "Doe" for the latter, and this could be confusing (i.e., just removing leading and trailing spaces is not necessarily good enough).

Another example is when the username is linked to some filesystem, with the names corresponding to directories on the filesystem, and this filesystem does not allow whitespace in directory names. Clearly, it is desirable to ensure that the username requested by the user conforms to the naming rules of the filesystem.

Shrike

I was really thinking solely in terms of web design - but I'll admit you make a good point 😉