[Request/Help] PHP Registration

[Torsen]

Let's start with what I am trying to do. Flash Gunz Registration. I am pretty good with flash and was able to make a MySql register. Now I am trying Unsucesfully to make a Mssql to GunZ reg Script. All I need is a VERY simple script for this. Don't need anything extra like antisql or Checking if email already exists.

Or you can tell me why the hell this script would not work.

Code:

<?php
// set your infomation.
$dbhost='********\SQLEXPRESS';
$dbusername='sa';
$dbuserpass='blah';
$dbname='GunzDB';
mssql_connect("$dbhost", "$dbusername", "$dbuserpass")or die("cannot connect to server"); 
mssql_select_db("$dbname")or die ("no database");

// value sent from form 
//$Flashemail=$_POST['email'];
//echo "$Flashemail";
$tbl_name=Login; 
//$sql="SELECT email FROM $tbl_name WHERE email='$Flashemail'";
//$result=mssql_query($sql);
$count=mssql_num_rows($result);
$rows=mssql_fetch_array($result);
//$your_password=$rows['email'];
//echo "$your_password";
//if($your_password==$Flashemail){
//$signal=4;
//echo "signal=$signal";
//}
else {
if (!mssql_select_db("$dbname")) die(mssql_error());
$name = $_POST['name'];
$pass = $_POST['pass'];
//$email = $_POST['email'];
$query = "INSERT INTO member (UserID, Password) VALUES('$name','$pass')";
mssql_query($query) or die(mssql_error());
//echo "$user succussfully registered!";
$signal=5;
echo "signal=$signal";
}
?>

Yes I removed all references to Email. It makes it easier. Please help. Person who makes this work, gets my flash source>.>


I am sorry, I had to repost this because some narb locked the other one. They must have smoked too much of something.

[MentaL]

[Donald Duck]

mssql_error doesn't exist in PHP. mysql_error does.

Anyhow, the structure would be as follows:

PHP Code:

<?php
//The connection.. write this yourself

//An example of an insert query.
mssql_query("INSERT INTO Account (UserID, Name) VALUES ('" . $_POST['userid'] . "', '" . $_POST['name'] . "')");

Note that there is no protection, anyone could do a sql injection.

[Torsen]

Thank you for your reply. This will most likely help. As for protection there is some, however flash sided. I will be adding more than just AntiSQL protection. If this works would you like the Whole source?

Oh yes, However what is the point of using $-POST if I already defined it.
$name = $_POST['name'];
$pass = $_POST['pass'];

[Guy]

Thank you for your reply. This will most likely help. As for protection there is some, however flash sided. I will be adding more than just AntiSQL protection. If this works would you like the Whole source?

Oh yes, However what is the point of using $-POST if I already defined it.
$name = $_POST['name'];
$pass = $_POST['pass'];

There's not much else you can be vulnerable for in this type of setup, other than SQL injection - XSS/tag injection, maybe LDAP injection (Or similar services, if used), and maybe code injection (If eval-type calls are used).

[ygoraugusto]

<?php
// set your infomation.
$dbhost='********\SQLEXPRESS';
$dbusername='sa';
$dbuserpass='blah';
$dbname='GunzDB';
mssql_connect("$dbhost", "$dbusername", "$dbuserpass")or die("cannot connect to server");
mssql_select_db("$dbname")or die ("no database");

// value sent from form
//$Flashemail=$_POST['email'];
//echo "$Flashemail";
$tbl_name=Login;
//$sql="SELECT email FROM $tbl_name WHERE email='$Flashemail'";
//$result=mssql_query($sql);
$count=mssql_num_rows($result);
$rows=mssql_fetch_array($result);
//$your_password=$rows['email'];
//echo "$your_password";
//if($your_password==$Flashemail){
//$signal=4;
//echo "signal=$signal";
//}
else {
if (!mssql_select_db("$dbname")) die(mssql_error());
$name = $_POST['name'];
$pass = $_POST['pass'];
//$email = $_POST['email'];
$query = "INSERT INTO member (UserID, Password) VALUES('$name','$pass')";
mssql_query($query) or die(mssql_error());
//echo "$user succussfully registered!";
$signal=5;
echo "signal=$signal";
}
?>


play is gunz hakied the register page -'-

[Torsen]

Care to say something in English ygoraugusto?

gWX0, Yes however there is still the chance of forcing flash to literally send all the infromation to a host. If the host site is found, they can recreate itto send different commands and removal of the antiSQL. I am working on making that dual protection PHP and Flash sided.

[Guy]

Care to say something in English ygoraugusto?

gWX0, Yes however there is still the chance of forcing flash to literally send all the infromation to a host. If the host site is found, they can recreate itto send different commands and removal of the antiSQL. I am working on making that dual protection PHP and Flash sided.

You obviously would never have the client do the sanitization; the server end is what sanitizes data.

[Torsen]

In this case, both. Flash for those narbs who dunno shit, and php for people like Sayuta.

[sayuta]

In this case, both. Flash for those narbs who dunno shit, and php for people like Sayuta.

Lolwut why me ? xD

[Trilest]

In this case, both. Flash for those narbs who dunno shit, and php for people like Sayuta.

Not true.

Flash can be handy in alot of ways.
But yeah php will always be better ;)

[obsedianpk]

If you need a simple script just make something that creates a new table in the column.

- JackOfSpades

[Guy]

In this case, both. Flash for those narbs who dunno shit, and php for people like Sayuta.

That'd be entirely pointless - you'll end up double escaping data, and if there's a limit on the length of a string, you may run into that limit, without the user not necessarily understanding why.

Not true.

Flash can be handy in alot of ways.
But yeah php will always be better ;)

Flash is the user interface, it should never be relied on for the backend functions, unless the security of said functions doesn't matter

PHP acts as the backend scripting language, when used in a web-environment; these are two unlike things and cannot be compared.

[Torsen]

If you need a simple script just make something that creates a new table in the column.

- JackOfSpades

DogBreath. You don't know what the hell you're talking about. You already said the same thing on MSN over 30 times, yet you don't even know what it means.