Functional Register Script [v15] - Quality

  1. #1
    TheJacob (TheJacob was here.)
    Join Date: Jun 2010
    Location: Toronto, Canada
    Posts: 326

    Functional Register Script [v15] - Quality

    Register Script

    The register script registers the following information: username, password. It has basic anti-SQL and XSS injection protection. It also includes one of my personal favorite additions (the random text field). It's very customizable, and very easy to configure. I've posted various notes throughout the script to assist you further, as well as a configuration security check.

    The script has no hidden exploits, or holes that someone may use to hack in, or SQL inject etc. The script should be 100% safe from basic exploits (SQL and XSS).

    The script is one file (whatever you'd like to name it - probably register.php). The configuration is included at the top, so do not forget to fill it in.

    The script has not been tested, it was written in this RaGEZONE thread. I will test it for 100% functionality when I get a chance, but if you're having any problems (wrong coding) let me know and I'll surely fix it up for everyone ASAP.

    Legend: Red = Recent changes from last edit.

    Create the function v1.0 (done by Reim):

    Code:
    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    CREATE PROCEDURE [dbo].[createaccount] 
    @account VARCHAR(15),
    @password VARCHAR(32)
    
    AS
    
    SET NOCOUNT ON
    
    DECLARE @DateActivated AS CHAR(8)
    
    IF NOT EXISTS (SELECT account FROM ACCOUNT_TBL WHERE account = @account) BEGIN
    INSERT INTO ACCOUNT_TBL (account, [password], id_no2, isuse, member, realname) 
    VALUES (@account, @password, @password, 'T', 'A', 'F')
    
    SET @DateActivated = CONVERT(CHAR(8), GETDATE()-1, 112 ) --Is the date today - 1
    --UPDATE ACCOUNT_TBL_DETAIL SET BlockTime = @DateYesterday WHERE account = @userid	
    --INSERT INTO ACCOUNT_TBL_DETAIL (account, gamecode, tester, m_chLoginAuthority, regdate, BlockTime, EndTime, WebTime, isuse)
    --	VALUES (@account, 'A000', '2', 'F', GETDATE(), '20990101', '20990101', '20050101', 'O')
    
    INSERT INTO ACCOUNT_TBL_DETAIL (account, gamecode, tester, m_chLoginAuthority, regdate, BlockTime, EndTime, WebTime, isuse)
    VALUES (@account, 'A000', '2', 'F', GETDATE(), @DateActivated, '20990101', '20050101', 'O')
    
    END

    The script v1.0:

    Code:
    <?php
    
    #############################
    ##Copyright (c) TheJacob#####
    ##All Rights Reserved########
    ##thejacobpollack@gmail.com##
    #############################
    
    #############################
    #############################
    
    ##Configuration##
    $mssql_server = ""; //MSSQL name
    $mssql_username = ""; //MSSQL username
    $mssql_password = ""; //MSSQL password
    $mssql_account_db = ""; //MSSQL account database name
    $mssql_account_table = ""; //MSSQL account table name
    $mssql_username_column = ""; //MSSQL username column in account table
    $mssql_password_column = ""; //MSSQL password column in account table
    $hash = ""; //Hash code
    $random_text_text = "e=mc2"; //Random text they must enter to register
    
    #############################
    #############################
    
    ##Configuration Settings Check##
    if (($mssql_server == "") || ($mssql_username == "") || ($mssql_password == "") || ($mssql_account_db == "") || ($mssql_account_table == "") || ($mssql_username_column == "") || ($mssql_password_column == "") || ($hash == "") || ($random_text_text == "")) {
    die ("<strong>Please fill in all the configuration settings! For your own security and the functionality of the script, you cannot leave them blank.</strong>");
    }
    
    ##Connect##
    $mssql_connect = mssql_connect($mssql_server, $mssql_username, $mssql_password) or die ("<strong>Cannot connect to the MSSQL Database.</strong>");
    $mssql_select = mssql_select_db($mssql_account_db) or die ("<strong>Cannot select the MSSQL Database.</strong>");
    
    ##Function##
    function doesUsernameExist($username){
        //The configuration variables are globals, so they must be imported into the function scope
        global $mssql_account_table, $mssql_username_column;
        $exit = FALSE;
        //$username must already be filtered to the whitelisted characters (no quotes) before this call
        $result = @mssql_query("SELECT * FROM $mssql_account_table WHERE $mssql_username_column='$username'");
        if ($result && mssql_num_rows($result) != 0){
            $exit = TRUE;
        }
        return $exit;
    }

    if (isset($_POST['submit']) == true) {
        //Read the posted fields, treating missing or non-string fields as empty strings
        $pusername = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : ""; //Post username
        $ppassword = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : ""; //Post password
        $prpassword = (isset($_POST['rpassword']) && is_string($_POST['rpassword'])) ? $_POST['rpassword'] : ""; //Post re-enter password
        $random_text = (isset($_POST['random_text']) && is_string($_POST['random_text'])) ? $_POST['random_text'] : ""; //Random text

        //Strip everything outside the allowed character set
        $username = preg_replace("/[^a-zA-Z0-9\-\_\!\$\#\@\^\&\*\(\)\^\+\ \.\?]/", "", $pusername);
        $password = preg_replace("/[^a-zA-Z0-9\-\_\!\$\#\@\^\&\*\(\)\^\+\ \.\?]/", "", $ppassword);
        $fpassword = md5($hash . $password); //Full/Final password, computed after $password is set

        //Length checks use the filtered values, since those are what gets stored
        if ((strlen($username) < 3) || (strlen($username) > 15)) {
            echo "Your username must be between 3 and 15 characters in length.";
        }

        else if ((strlen($password) < 3) || (strlen($password) > 15) || (strlen($prpassword) < 3) || (strlen($prpassword) > 15)) {
            echo "The password must be between 3 and 15 characters in length.";
        }

        else if ($ppassword != $prpassword) {
            echo "The passwords must be the same.";
        }

        else if (($pusername == $ppassword) || ($pusername == $prpassword)) {
            echo "The username and password cannot be the same.";
        }

        else if ($random_text != $random_text_text) {
            echo "The random text must be filled in correctly. Please take another look at the random text.";
        } else {
            if (!doesUsernameExist($username)) {
                $stmt = mssql_init('createaccount', $mssql_connect);
                mssql_bind($stmt, '@account', $username, SQLVARCHAR, false, false, 15);
                mssql_bind($stmt, '@password', $fpassword, SQLVARCHAR, false, false, 32); //md5() output is 32 characters, matching VARCHAR(32) in createaccount
                mssql_execute($stmt) or die ("<strong>Error occurred while executing the statement.</strong>");
                mssql_free_statement($stmt);
                echo "You've been successfully registered as <strong>" . $username . "</strong>!";
            } else {
                echo "The username already exists.";
            }
        }
    }
    
    ?>
    
    <form method ="post" action="#">
    <table>
    
    <tr>
    <td><strong>Username</strong></td>
    </tr>
    <tr>
    <td><input name="username" type="text"></td>
    </tr>
    <tr>
    <td><strong>Password</strong></td>
    </tr>
    <tr>
    <td><input name="password" type="password"></td>
    </tr>
    <tr>
    <td><strong>Re-enter Password</strong></td>
    </tr>
    <tr>
    <td><input name="rpassword" type="password"></td>
    </tr>
    <tr>
    <td><strong>Please enter "<?php echo htmlspecialchars($random_text_text); ?>" without the brackets below</strong></td>
    </tr>
    <tr>
    <td><input name="random_text" type="text"></td>
    </tr>
    <tr>
    <td><input name="submit" type="submit" value="Register"></td>
    </tr>
    
    </table>
    </form>

    If you have any suggestions, comments, or stuff you'd like me to add or fix, post it here and I'll see what I can do.

    Credits:

    Code:
    TheJacob
    Last edited by TheJacob; 19-07-10 at 06:39 PM.
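
An added example, not part of TheJacob's post or script: the script above removes disallowed characters with preg_replace() and carries on, so the stored username or password can differ from what the user typed. The code below rejects such input instead, reusing the thread's character whitelist; the function name validate_registration and the sample submissions are constructed for illustration.

```php
<?php
// Character whitelist taken from the thread's preg_replace() pattern, anchored to match the whole value.
const ALLOWED = '/\A[a-zA-Z0-9\-_!$#@^&*()+ .?]+\z/';

// Returns a list of error strings; an empty list means the submission is acceptable.
function validate_registration(array $post, string $expected_text): array
{
    $errors = [];
    // Missing or non-string fields (e.g. username[]=x) are treated as empty strings.
    $get = function (string $key) use ($post): string {
        return (isset($post[$key]) && is_string($post[$key])) ? $post[$key] : '';
    };
    $username = $get('username');
    $password = $get('password');

    if (strlen($username) < 3 || strlen($username) > 15) {
        $errors[] = 'username length';
    } elseif (!preg_match(ALLOWED, $username)) {
        $errors[] = 'username characters';
    }
    if (strlen($password) < 3 || strlen($password) > 15) {
        $errors[] = 'password length';
    } elseif (!preg_match(ALLOWED, $password)) {
        $errors[] = 'password characters';
    }
    if ($password !== $get('rpassword')) {
        $errors[] = 'password mismatch';
    }
    if ($username !== '' && $username === $password) {
        $errors[] = 'username equals password';
    }
    if (!hash_equals($expected_text, $get('random_text'))) {
        $errors[] = 'random text';
    }
    return $errors;
}

// Constructed sample submissions (not taken from the thread).
$samples = [
    'valid'    => ['username' => 'player_01', 'password' => 'S3cret!pw', 'rpassword' => 'S3cret!pw', 'random_text' => 'e=mc2'],
    'stripped' => ['username' => '<b>', 'password' => "pa'ss;word", 'rpassword' => "pa'ss;word", 'random_text' => 'e=mc2'],
    'array'    => ['username' => ['x'], 'password' => 'abcdef', 'rpassword' => 'abcdef', 'random_text' => 'e=mc2'],
];
foreach ($samples as $name => $post) {
    $errors = validate_registration($post, 'e=mc2');
    echo $name, ': ', $errors ? implode(', ', $errors) : 'ok', PHP_EOL;
}
```

With the strip-and-continue approach the 'stripped' sample would be reduced to the one-character username "b" and a password missing two characters; here both fields are refused and the user is told why.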


  2. #2
    DoGoXD (Novice)
    Join Date: Oct 2008
    Posts: 4

    Re: Functional Register Script [v1-15]

    wow thanks I've been looking for a registration page and u just posted one
    I'm kinda new, how do I configure it?
    I have no idea what goes in the following:
    Code:
    $mssql_account_db = ""; //MSSQL account database name
    $mssql_account_table = ""; //MSSQL account table name
    $mssql_username_column = ""; //MSSQL username column in account table
    $mssql_password_column = ""; //MSSQL password column in account table
    $hash = ""; //Hash code

  3. #3
    Nick1337 (Account Upgraded | Title Enabled!)
    Join Date: May 2009
    Posts: 357

    Re: Functional Register Script [v1-15]

    Very good.

  4. #4
    Dell Honne (We are Maverick!)
    Join Date: Feb 2009
    Location: ON, Canada
    Posts: 3,271

    Re: Functional Register Script [v1-15]

    Hmmm, the top part seems complicated with all that stuff, using a procedure would have been quicker.

    Anyways, good to see a better script out there. Good job :P

  5. #5
    Flash X (Member)
    Join Date: Jul 2010
    Posts: 71

    Re: Functional Register Script [v1-15] - Quality

    Nice Script Good job

  6. #6
    TheJacob (TheJacob was here.)
    Join Date: Jun 2010
    Location: Toronto, Canada
    Posts: 326

    Re: Functional Register Script [v1-15] - Quality

    Originally Posted by DoGoXD:
    wow thanks I've been looking for a registration page and u just posted one
    I'm kinda new, how do I configure it?
    I have no idea what goes in the following:
    Code:
    $mssql_account_db = ""; //MSSQL account database name
    $mssql_account_table = ""; //MSSQL account table name
    $mssql_username_column = ""; //MSSQL username column in account table
    $mssql_password_column = ""; //MSSQL password column in account table
    $hash = ""; //Hash code

    The first one you enter your MSSQL account database name, which is normally "ACCOUNT_DBF".

    The second one you enter your MSSQL account table name, which is normally "ACCOUNT_TBL".

    The third one you enter your MSSQL username column name, which is normally "username".

    The fourth one you enter your MSSQL password column name, which is normally "password".

    The hash is whatever hash you're using, could be "kikugalanet" etc...

    If you're unsure of what they are, log in to your MSSQL server and find it out by navigating through your database.
    Last edited by TheJacob; 17-07-10 at 05:01 AM.

  7. #7
    spikensbror (0xC0FFEE)
    Join Date: Dec 2006
    Location: Sweden
    Posts: 1,855

    Re: Functional Register Script [v1-15] - Quality

    Why am I not surprised to see pity little FlyForFuria owner running around here...
    Stealing my project name(titanflyff) and everything.
    I gotta thank you though for that.

    On topic:
    Good script.

  8. #8
    Dell Honne (We are Maverick!)
    Join Date: Feb 2009
    Location: ON, Canada
    Posts: 3,271

    Re: Functional Register Script [v1-15] - Quality

    Originally Posted by spikensbror:
    Why am I not surprised to see pity little FlyForFuria owner running around here...
    Stealing my project name(titanflyff) and everything.
    I gotta thank you though for that.

    On topic:
    Good script.

    Who? What? and Huh?

  9. #9
    spikensbror (0xC0FFEE)
    Join Date: Dec 2006
    Location: Sweden
    Posts: 1,855

    Re: Functional Register Script [v1-15] - Quality

    That there is former FlyForFuria owner Jacob.
    He had a big argument with someone I was going to start a server with...
    Ended up stealing our server name, spending 700 bucks on virtually nothing and throwing away Furia in one sweep.
    Basically screwing himself.

  10. #10
    TheJacob (TheJacob was here.)
    Join Date: Jun 2010
    Location: Toronto, Canada
    Posts: 326

    Re: Functional Register Script [v1-15] - Quality

    Originally Posted by spikensbror:
    Why am I not surprised to see pity little FlyForFuria owner running around here...
    Stealing my project name(titanflyff) and everything.
    I gotta thank you though for that.

    On topic:
    Good script.

    TitanFlyFF is the name I suggested to Formatted, who suggested it to Andrew which you guys liked. But Formatted didn't know, nor did Andrew that I bought the domain before I suggested it (I forgot to tell him). So no, the name is mine, not your project.

    On-Topic:
    Thanks, let me know if it works 100% if you get the time, I wrote it up on here since my computer is in the shop atm (broke the screen somehow).

  11. #11
    spikensbror (0xC0FFEE)
    Join Date: Dec 2006
    Location: Sweden
    Posts: 1,855

    Re: Functional Register Script [v1-15] - Quality

    It doesn't work...
    You have to make it insert in more than just 1 table, plus, make it insert dates and such...

    EDIT:
    Also, stop being such a schizophrenic...
    FormattedError, is yourself.
    Something in your imaginations.
    It's weird how we haven't seen him since you started fighting with us anyways...
    Last edited by spikensbror; 17-07-10 at 05:50 AM.

  12. #12
    TheJacob (TheJacob was here.)
    Join Date: Jun 2010
    Location: Toronto, Canada
    Posts: 326

    Re: Functional Register Script [v1-15] - Quality

    Is everyone using the database structure/tables etc that Dell Honne released? Plus this is just meant to be a basic script to work with anyone's db from v1-15, but I can make it more "modernized" to work with his, if that's what people are using?

  13. #13
    N0lifE (Banned)
    Join Date: Jul 2010
    Posts: 49

    Re: Functional Register Script [v1-15] - Quality

    Oh yeah, Formatted happens to be you too as I remember.

  14. #14
    spikensbror (0xC0FFEE)
    Join Date: Dec 2006
    Location: Sweden
    Posts: 1,855

    Re: Functional Register Script [v1-15] - Quality

    Pathetic, plus...
    Basic or not, it has to function and by just inserting into the account table, it won't work.

  15. #15
    TheJacob (TheJacob was here.)
    Join Date: Jun 2010
    Location: Toronto, Canada
    Posts: 326

    Re: Functional Register Script [v1-15] - Quality

    I see I see now. Didn't realize it depended on that, let me just add that in. I am assuming everyone is using "DudeKills" function?

    UPDATE: My edits will rely on DudeKills function of createaccount.


