[Release] A PHP register script

[Zen]

Well, I'm downloading Loong atm, and thought while I'm waiting I'd whip up a quick little registration script, seeing as the other released one, which a friend of mine, thecode, showed me is quite honestly hilarious.

Requirements:

• PHP 5.3.0 or higher
• a reCAPTCHA account (can be obtained for free from here
  You must be registered to see links
  )
• mysqli enabled in your php.ini

To Install:

1. Open inc/config.php
2. fill in the values which are not set (its commented out in a fairly foolproof manner)
3. register some Ducking accounts, baby

This script is currently untested, as I haven't actually got the database files yet. Later when they are downloaded I will test it, as of right now, it should work... But if you encounter anything which doesn't work the way it should, please tell me about it here.

There is some very minor CSS styling just to format the inputs a little, if you dont like it, remove it. I kept this as clean as I possibly could, so you can style it into your site yourself.


Technologies:

• MySQLi
• PHP Prepared Statements
• HTML5 Doctype

Credits to whoever it was who made the originally released PHP registration script, I stole bits of his/her SQL queries shamelessly, and disregarded the rest of their otherwise horrible code :

This script is secure as far as XSS and SQL Injection, it also has a reCAPTCHA to protect you against automated account creation.

Download is attached.


Enjoy



If there is a new version available, you don't need to overwrite your /inc/ folder unless it is explicitly detailed below


CHANGELOG:

version 1.1:

- Now salts the password with the string released by reflex (http://forum.ragezone.com/f671/release-account-password-md5-salt-735486/)

The salting issue is now fixed, the script should work properly now, please re download.

version 1.2:

- MySQLi connection further secured thanks to reflex

 

[HuninHune]

Nice work Zen it's beastly as I would expect from you

 

[versacebg]

Thanks for the nice share !

 

[Cain142]

Using that registration page wont work. Since the password hash will be wrong. Loong uses a salted md5 encrypted password.

 

[versacebg]

Using that registration page wont work. Since the password hash will be wrong. Loong uses a salted md5 encrypted password.

yes not working also thats why i will need to code :scared:

 

[Zen]

what does it use as the salt?

as i said, i coped the logic of it from some crappy reg script that was released here, and they just md5'd it.

 

[versacebg]

what does it use as the salt?

as i said, i coped the logic of it from some crappy reg script that was released here, and they just md5'd it.

So please release something simple and that working also 100% not crap if it possible lol or better lock section and send to trash.
Because this is = trash :tongue:

 

[Zen]

So please release something simple and that working also 100% not crap if it possible lol or better lock section and send to trash.
Because this is = trash :tongue:

this = trash?

I took the logic from the register script that was released and a few people said was working, it had no salt, it was a plain MD5, if someone can point me to or tell me what it salts the password with, I can correct the issue.

If you can do better, please do so. I was under the impression that Loong accepts a regular md5'd password, it seems I was wrong, so instead of going "blah blah its crap", help to identify the problem.

 

[versacebg]

this = trash?

I took the logic from the register script that was released and a few people said was working, it had no salt, it was a plain MD5, if someone can point me to or tell me what it salts the password with, I can correct the issue.

If you can do better, please do so. I was under the impression that Loong accepts a regular md5'd password, it seems I was wrong, so instead of going "blah blah its crap", help to identify the problem.

okey i will try help you soon :tongue:

 

[reflax]

Ok a few errors I noted.

// Check for Errors
if(mysqli_connect_errno())
{
echo mysqli_connect_error();
}

Soon as you get an error you are not halting the current function, meaning it will display there is an error then continue to attempt to process the script.

I will fix your script in a few moments.

//edit
If you want to fix yours, you can reverse the salt from the password application released. Its packed with molebox, easy to reverse.


//edit2
Here is the fixed script, with proper md5 salt.

<?php
// load included files
require_once('inc/config.php');
require_once('inc/recaptchalib.php');
?>
<!DOCTYPE html>
<html>
	<head>
		<title>
			Secure Registration
		</title>
		<link rel="stylesheet" href="style.css" type="text/css">
	</head>
	<body>
		<?php
		// Check if the fields are set
		if(isset($_POST['username']) && isset($_POST['password'])) 
		{	
			//reCAPTCHA handling stuff
			$resp = recaptcha_check_answer (RC_PRIV,
			                                $_SERVER["REMOTE_ADDR"],
			                                $_POST["recaptcha_challenge_field"],
			                                $_POST["recaptcha_response_field"]);

			
			if (!$resp->is_valid) {
			// What happens when the CAPTCHA was entered incorrectly
			die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
				"(reCAPTCHA said: " . $resp->error . ")");
				
				
			} 
			else 
			{
				// Connect to MySQL
				$link = mysqli_connect(DB_HOST, DB_ID, DB_PW, DB_NAME);

				// Check for Errors
				if(mysqli_connect_errno())
				{

					//echo mysqli_connect_error(); //shouldnt show client specific error information.
					die('Error connecting to mysql database please report.');
				}

				// Username check query - declare it
				$query = "SELECT 'name' FROM 'account' WHERE 'name'=?";

				// Setup parameter to be bound into query
				$name = $_POST['username'];

				// Get instance of statement
				$stmt = $mysqli->stmt_init();

				// Prepare query
				if($stmt->prepare($query))
				{
					// Bind Parameters [s for string]
					$stmt->bind_param("s",$name);

					// Execute statement
					$stmt->execute();

					// Bind result variables
					$stmt->bind_result($result);

					// Fetch Value
					$stmt->fetch();

					// catch num_rows result as variable :D
					$username_result = $result->num_rows;

					// Close Statement
					$stmt->close();
				}

				// If the username is valid, register the player an account
				if($username_result == 0)
				{
					// Registreation query - declare it
					$query = "INSERT INTO account (name, psd, worldname_crc)
							  VALUES(?, ?, '3277318139')";

					// Setup parameter to be bound into query
					$name = $_POST['username'];
					$password = md5($_POST['password'] . 'xvDvgqZq');

					// Get instance of statement
					$stmt = $mysqli->stmt_init();

					// Prepare query
					if($stmt->prepare($query))
					{
						// Bind Parameters
						$stmt->bind_param("ss", $name, $password);

						// Execute statement
						$stmt->execute();

						// Bind result variables
						$stmt->bind_result($result);

						// Fetch Value
						$stmt->fetch();

						// Close Statement
						$stmt->close();
						
						// echo a message
						echo "<center>Your account has been registered</center>";
					}
				
				}
				else
				{
					echo "The username you entered is already taken, please try another";
				}
			}	
		}
		else
		{
		?>
		<form type="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
			<p>
				<label>Username: <input type="text" name="username" maxlength="10"></label>
			</p>
			<p>
				<label>Password: <input type="password" name="password" maxlength="10"></label>
			</p>
			<p>
				<?php
				echo recaptcha_get_html(RC_PUB);
				?>
			<p>
				<input type="submit" value="Submit" />
			</p>
		</form>
		<?php } ?>
	</body>
</html>

 

[Zen]

Ok a few errors I noted.

// Check for Errors
if(mysqli_connect_errno())
{
echo mysqli_connect_error();
}

Soon as you get an error you are not halting the current function, meaning it will display there is an error then continue to attempt to process the script.

I will fix your script in a few moments.

//edit
If you want to fix yours, you can reverse the salt from the password application released. Its packed with molebox, easy to reverse.


//edit2
Here is the fixed script, with proper md5 salt.

<?php
// load included files
require_once('inc/config.php');
require_once('inc/recaptchalib.php');
?>
<!DOCTYPE html>
<html>
	<head>
		<title>
			Secure Registration
		</title>
		<link rel="stylesheet" href="style.css" type="text/css">
	</head>
	<body>
		<?php
		// Check if the fields are set
		if(isset($_POST['username']) && isset($_POST['password'])) 
		{	
			//reCAPTCHA handling stuff
			$resp = recaptcha_check_answer (RC_PRIV,
			                                $_SERVER["REMOTE_ADDR"],
			                                $_POST["recaptcha_challenge_field"],
			                                $_POST["recaptcha_response_field"]);

			
			if (!$resp->is_valid) {
			// What happens when the CAPTCHA was entered incorrectly
			die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
				"(reCAPTCHA said: " . $resp->error . ")");
				
				
			} 
			else 
			{
				// Connect to MySQL
				$link = mysqli_connect(DB_HOST, DB_ID, DB_PW, DB_NAME);

				// Check for Errors
				if(mysqli_connect_errno())
				{

					//echo mysqli_connect_error(); //shouldnt show client specific error information.
					die('Error connecting to mysql database please report.');
				}

				// Username check query - declare it
				$query = "SELECT 'name' FROM 'account' WHERE 'name'=?";

				// Setup parameter to be bound into query
				$name = $_POST['username'];

				// Get instance of statement
				$stmt = $mysqli->stmt_init();

				// Prepare query
				if($stmt->prepare($query))
				{
					// Bind Parameters [s for string]
					$stmt->bind_param("s",$name);

					// Execute statement
					$stmt->execute();

					// Bind result variables
					$stmt->bind_result($result);

					// Fetch Value
					$stmt->fetch();

					// catch num_rows result as variable :D
					$username_result = $result->num_rows;

					// Close Statement
					$stmt->close();
				}

				// If the username is valid, register the player an account
				if($username_result == 0)
				{
					// Registreation query - declare it
					$query = "INSERT INTO account (name, psd, worldname_crc)
							  VALUES(?, ?, '3277318139')";

					// Setup parameter to be bound into query
					$name = $_POST['username'];
					$password = md5($_POST['password'] . 'xvDvgqZq');

					// Get instance of statement
					$stmt = $mysqli->stmt_init();

					// Prepare query
					if($stmt->prepare($query))
					{
						// Bind Parameters
						$stmt->bind_param("ss", $name, $password);

						// Execute statement
						$stmt->execute();

						// Bind result variables
						$stmt->bind_result($result);

						// Fetch Value
						$stmt->fetch();

						// Close Statement
						$stmt->close();
						
						// echo a message
						echo "<center>Your account has been registered</center>";
					}
				
				}
				else
				{
					echo "The username you entered is already taken, please try another";
				}
			}	
		}
		else
		{
		?>
		<form type="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
			<p>
				<label>Username: <input type="text" name="username" maxlength="10"></label>
			</p>
			<p>
				<label>Password: <input type="password" name="password" maxlength="10"></label>
			</p>
			<p>
				<?php
				echo recaptcha_get_html(RC_PUB);
				?>
			<p>
				<input type="submit" value="Submit" />
			</p>
		</form>
		<?php } ?>
	</body>
</html>

thanks for the heads up, implemented into the main post

 

[versacebg]

thanks for the heads up, implemented into the main post

Now working correctly your script also i'am not tested

 

[Cain142]

VALUES(?, ?, '3277318139')";

Why you have the value 3277318139 put in? the database puts in that value auto.

 

[h4pp3]

help me pls
Parse error: syntax error, unexpected T_CONST in C:\xampp\htdocs\loong\inc\config.php on line 5

 

[balonyiadam]

me too it's really bad situtation

 

[Cain142]

instead of whining just write up your own registration script. It is easy to make a basic registration script in php. If you are unsure how to do it then Google is your friend.

 

[ip0wns]

How to add correct md5 password creator?
This qweqwe password wount work. :/

Register.php code:

<title>Loong Registration</title>

<?php

//Database Information

$dbhost = "******";
$dbname = "******";
$dbuser = "******";
$dbpass = "******";

//Connect to database

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

//Vars

$name = $_POST['name'];
$password = md5($_POST['password']); 
$pass = $_POST['password'];  

//Check if username exists

$checkuser = mysql_query("SELECT name FROM account WHERE name='$name'");

$name_exist = mysql_num_rows($checkuser);

if($name_exist > 0){
    echo "<center>I'm sorry but the name you specified has already been taken.  Please pick another one.</center>";
    unset($name);
    include 'register.html';
    exit();
}

//Register function

$query = "INSERT INTO account (name, psd, worldname_crc)
VALUES('$name', '$password', '3277318139')";
mysql_query($query) or die(mysql_error());
mysql_close();

echo "<table border='0' width='225' align='center'>";
echo "<center>You have successfully Registered</center>";
echo "<center>you account information is below save the following information in a</center>";
echo "<center>secured area for future use.</center>";
echo "<p></p>";
echo "<center><b>Account information:</b></center>";
echo "<center><b>Name</b>: <i>$name</i></center>";
echo "<center><b>Password</b>: <i>$pass</i></center>";
echo "</table>";
?>

 

[Kreeate]

You could try adding this to your script ->

<?php
function eliteEncrypt($string) {
// Create a salt
$salt = md5($string."%*4!#$;\.k~'(_@");

// Hash the string
$string = md5("$salt$string$salt");

return $string;
}
?>


Credits to the guys over at this site ->

You must be registered to see links

 

[Exrider]

doesnt work

i edited it

it should work "

You must be registered to see links

"

 

[buntal]

help me pls
Parse error: syntax error, unexpected T_CONST in C:\xampp\htdocs\loong\inc\config.php on line 5

me to, can help me?