-
[MySQL][PHP] Small Usersystem
Hello, my name is XCON, this is my second post (on this account, my previous account, X1M!, I forgot the password to) on this forum.
I coded this small usersystem today, nothing too fancy, I just needed a small project to "get me back in the loop" so to speak, I haven't coded PHP for a while and I started to forget it, so I needed to code this.
It is coded in PHP (not OOP), using MySQL for storage.
This includes one of my personal designs, while I don't find it "sexy", I do find it quite compact and nice, fitting most of my needs.
Features:
Printscreens:
Virus scan: VirusTotal.com
Download: MediaFire.com
Updates:
This is not something I plan to continue on (maybe the design), but rather use as a base for future projects, and I'd gladly take any suggestions, tips and improvements you could give.
-
Re: [MySQL][PHP] Small Usersystem
Maybe post some of your code here / on pastebin so we can look at it without having to download anything?
-
Re: [MySQL][PHP] Small Usersystem
Yes, maybe.
Or, you download the 44.55kb file and check it out.
But sure, I could post some codes on pastebin.
http://pastebin.com/DbXzbdQK - Configuration.php
http://pastebin.com/GywNxX3u - Index.php
-
Re: [MySQL][PHP] Small Usersystem
Wow very simple and I like it!
-
Re: [MySQL][PHP] Small Usersystem
Thank you.
EDIT: I coded password encryption now, you can find the updates in the spoiler I added in the first post.
-
Re: [MySQL][PHP] Small Usersystem
I don't like that you've been capitalizing your syntax commands, if I can input, but nice code, I suppose.
Good luck. I stopped my development since I'm working on more priority things.
-
Re: [MySQL][PHP] Small Usersystem
I always capitalize my functions and classes. But thanks for your comment.
-
Re: [MySQL][PHP] Small Usersystem
Using IF statements and switches like that isn't really the best way to return errors.
-
Re: [MySQL][PHP] Small Usersystem
I know, but I couldn't be assed to create a custom exception handler at the time.
-
Re: [MySQL][PHP] Small Usersystem
If you're coding this to be reused in your later projects you might not want to half-ass it lol.
The way I do it is just set up a class array variable to store errors. If an error occurs, $this->errorlist .= "your error";.
Then just do
PHP Code:
if($object->errorlist != ""){
    // errors
    echo $object->errorlist;
} else {
    // no errors, display successful result
}
There are probably better ways but I've found this to work great for me.
-
Re: [MySQL][PHP] Small Usersystem
I use arrays for my error handling.
PHP Code:
<?php
$Errors = array();
if($Password != $Repeat_Password)
$Errors[] = 'The two passwords you entered do not match!';
if(empty($Errors))
{
//successful. No errors.
}
else
{
echo '<div class="alert-message warning">';
foreach($Errors AS $Error)
echo $Error.'<br />';
echo '</div>';
}
?>
Of course, I just wrote this, hence why indention is completely off. Oh well.
-
Re: [MySQL][PHP] Small Usersystem
-
Re: [MySQL][PHP] Small Usersystem
I've never actually used SALTs because I think they don't actually make anything safer if you have double md5 encryptions, but rather safe than sorry right?
I'm going to rewrite the whole usersystem into my new version of this design, the alert system wasn't the smartest way of making pages.
-
Re: [MySQL][PHP] Small Usersystem
Quote: Originally Posted by XCON
I've never actually used SALTs because I think they don't actually make anything safer if you have double md5 encryptions, but rather safe than sorry right?
I'm going to rewrite the whole usersystem into my new version of this design, the alert system wasn't the smartest way of making pages.
It makes it safer because if you had a password: "horse". The password would be encrypted as: "!@R!TYGHHN()!GGH)@Gmnvfu8`1horse" if your salt was "!@R!TYGHHN()!GGH)@Gmnvfu8`1". That makes it more than 100x harder to crack your passwords.
Double encryption is what vBulletin does. md5(md5($Password), $UserSalt);
-
Re: [MySQL][PHP] Small Usersystem
I'll consider using SALTs in the future, but wouldn't it be safer to have a salt on each side of the password? Otherwise, you could just use SubStr on the password until you have removed the salt.
Code:
<?php
$salt = "ABBBCBCBCBBCBCBCBCB0109293839299292920902";
// $salt is declared outside the function, so it has to be imported with global.
function enc($in) { global $salt; return sha1($salt.md5($in).$salt); }
?>
That would be a much safer alternative.
-
Re: [MySQL][PHP] Small Usersystem
Quote: Originally Posted by XCON
I'll consider using SALTs in the future, but wouldn't it be safer to have a salt on each side of the password? Otherwise, you could just use SubStr on the password until you have removed the salt.
Code:
<?php
$salt = "ABBBCBCBCBBCBCBCBCB0109293839299292920902";
// $salt is declared outside the function, so it has to be imported with global.
function enc($in) { global $salt; return sha1($salt.md5($in).$salt); }
?>
That would be a much safer alternative.
Go for it. If you know what you're doing, and feel it's a good thing to do, then try it.
I suggest using special characters in your SALT, such as "!*%!SGJ*!!()*!"
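Added example, not part of any post in this thread: the static-salt md5/sha1 scheme discussed above next to PHP's built-in password_hash() and password_verify() (PHP 5.5+, written here for PHP 7.1+), with a login check that accepts an old digest once and returns a replacement hash to store. The function names, the salt value and the sample password are constructed for the illustration.

```php
<?php
// Added example; function names and the salt value are constructed.
const LEGACY_SALT = 'constructed-static-salt';

// Static-salt scheme in the style discussed in the thread: deterministic,
// so equal passwords always produce equal digests.
function legacy_enc(string $password): string
{
    return sha1(LEGACY_SALT . md5($password) . LEGACY_SALT);
}

// password_hash() picks a random salt per call and stores it, with the
// algorithm and cost, inside the returned string.
function register(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Checks a login against either hash format.
// Returns [bool $ok, ?string $replacementHash].
function login(string $password, string $stored): array
{
    if (strlen($stored) === 40 && ctype_xdigit($stored)) {
        // Legacy sha1 hex digest: constant-time compare, then migrate.
        $ok = hash_equals($stored, legacy_enc($password));
        return [$ok, $ok ? register($password) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $stale ? register($password) : null];
}

// Constructed sample: two accounts that chose the same password.
$legacyA = legacy_enc('horse');
$legacyB = legacy_enc('horse');
$modernA = register('horse');
$modernB = register('horse');

var_dump($legacyA === $legacyB);   // static salt: are the two digests equal?
var_dump($modernA === $modernB);   // per-hash salt: are the two hashes equal?
var_dump(login('horse', $legacyA)[0], login('wrong', $modernA)[0]);
```

When login() returns a replacement hash, write it back to the user's row so the legacy digest is retired on the next successful sign-in.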
-
Re: [MySQL][PHP] Small Usersystem
I have recoded the usersystem from scratch, the design has been updated and new features have been added.
There is now a page with a member list plus a user profile page.
There is also a page that lets you read and send private messages to other users.
I was thinking maybe coding a chatbox or a mini-forum.
-
Re: [MySQL][PHP] Small Usersystem
If it works, great! But I'm with other people on this, I don't like the way you capitalize things such as expressions, but like I said if it works... great.
I also don't like the way you stretch functions onto one line instead of line breaking them and indenting. I know other people viewing the website won't see the PHP coding, but I have 'OCD' with my PHP and like to keep it all tidy behind the scenes, lol.
Nice work with it though.
-
Re: [MySQL][PHP] Small Usersystem
I removed the capitalizations, while I do admit that it does look nicer, it will take some time to get used to.
I can also inform you that I won't be using functions in the same way this time, I won't have a function for getting the information from users and similar, the only functions I have now are for securing inputs from forms and encrypting passwords.
-
Re: [MySQL][PHP] Small Usersystem
-
Re: [MySQL][PHP] Small Usersystem
Thanks.
I haven't got the private messaging system working 100%, some problems with the Javascripts that are supposed to work.
EDIT: Works now. I hate that \n and \r breaks Javascript codes.
-
Re: [MySQL][PHP] Small Usersystem
You should add an authorization level system, for admins and such.
PHP Code:
function verifyauth($sessuser, $variable)
{
    // Cast the ID to an integer so the session value cannot change the query.
    $query = mysql_query("SELECT AUTH FROM users WHERE ID = '".(int)$sessuser."'");
    $run = mysql_fetch_assoc($query);
    if($variable == 1)
    {
        if($run["AUTH"] >= 1)
        {
            return true;
        }
    }
    elseif($variable == 2)
    {
        if($run["AUTH"] >= 2)
        {
            return true;
        }
    }
    // Deny by default: unknown level, missing user, or insufficient AUTH.
    return false;
}
define("AUTH_1", (verifyauth($_SESSION["user"], 1)));
define("AUTH_2", (verifyauth($_SESSION["user"], 2)));
-
Re: [MySQL][PHP] Small Usersystem
There is an authorization system, just not completed yet, I'm working on that.
I added the feature to enable and disable private messaging.
I added the feature to hide and show your email address on your profile page.
-
Re: [MySQL][PHP] Small Usersystem
I only glanced at the code, just throwing some ideas at you. Authorization system shouldn't take too much work. With that code you just wrap different functions with:
PHP Code:
if(AUTH_1)
{
    //execute code
}
else
{
    echo "You do not have sufficient authorization.";
}
-
Re: [MySQL][PHP] Small Usersystem
What would I need an authorization system for? I have a rank system coded, in place and it's working perfectly fine.
-
Re: [MySQL][PHP] Small Usersystem
Try to make your code look like the code examples here:
Manual :: Coding Standards
Particularly your function definitions:
http://pear.php.net/manual/en/standards.funcdef.php
Also keep your lines limited to 75-85 characters, where a tab is 4 or 8 spaces (not both/either- pick one or the other.. pick 4).
Also this is already a bool:
PHP Code:
IsSet($_SESSION["id"]) && UserExist(Secure($_SESSION["id"]))
So you don't need to append ' ? true : false ', as it's already going to be true/false. In fact, never use a control statement to evaluate to true/false.. it's already true/false.
Finally, refrain from your nesting habit.
PHP Code:
if(condition1)
{
    // condition1 code
    if(condition2)
    {
        // condition2 code
        if(condition3)
        {
            // condition3 code
        } else {
            error3
        }
    } else {
        error2
    }
} else {
    error1
}
can easily be improved like so:
PHP Code:
// Each error branch has to return or exit, otherwise execution continues below.
if (!condition1)
{
    error1
}
// condition1 code
if (!condition2)
{
    error2
}
// condition2 code
if (!condition3)
{
    error3
}
// condition3 code
If you're not going to have code for each condition, this is even better:
PHP Code:
if ( condition1
  && condition2
  && condition3
) {
    // code here
}
No matter what you're coding, the goal is to keep it readable for your future self or other developers, as it's not going to be perfect the first time.
-
Re: [MySQL][PHP] Small Usersystem
Quote: Originally Posted by XCON
What would I need an authorization system for? I have a rank system coded, in place and it's working perfectly fine.
If someone is an administrator, they have authorization to access certain functions, but a regular user without authorization would not be able to. This might be what you mean by rank system. Stuff such as editing/deleting users.
-
Re: [MySQL][PHP] Small Usersystem
s-p-n, thanks for the advice, but I'm used to my way of coding, and I will probably keep using it.
zkemppel, the rank system I coded is very efficient and extendable, the authorization system you suggested isn't, but thank you for your advice.
-
Re: [MySQL][PHP] Small Usersystem
Welcome back ^^. Looks alright ^^ I'm maybe learning php so will look at how it works
-
Re: [MySQL][PHP] Small Usersystem
Thanks Donkjam, but as s-p-n made very clear, my code isn't the best learning source, however, if you do learn anything from me, I'm glad I could help.
-
Re: [MySQL][PHP] Small Usersystem
I didn't check the code, but do you have MD5 and Sha1 encryption?
-
Re: [MySQL][PHP] Small Usersystem
Your code just plain looks disgusting. The fact that you refuse to improve it, especially with s-p-n's suggestions, worries me.
Can you please tell me where you learned to code, so that I can personally not recommend it to anyone else? Thanks.
At the very least, please learn about capitalization, and when you should and should not use it. I don't think that I've ever seen }Else{ used, until now. You are lucky that PHP is very lenient in regards to capitalization, but that doesn't mean it is good practice, and it just plain makes your code look ugly.
Also, Sha512 > MD5. And there is little to no reason not to hash the password. Just use MySQL's password function.
-
Re: [MySQL][PHP] Small Usersystem
Quote: Originally Posted by timebomb
Your code just plain looks disgusting. The fact that you refuse to improve it, especially with s-p-n's suggestions, worries me.
Can you please tell me where you learned to code, so that I can personally not recommend it to anyone else? Thanks.
At the very least, please learn about capitalization, and when you should and should not use it. I don't think that I've ever seen }Else{ used, until now. You are lucky that PHP is very lenient in regards to capitalization, but that doesn't mean it is good practice, and it just plain makes your code look ugly.
Also, Sha512 > MD5. And there is little to no reason not to hash the password. Just use MySQL's password function.
this.
The reason for posting stuff here is to improve on yourself when criticism is made. I'd highly suggest following s-p-n's advice instead of ignoring it.
-
Re: [MySQL][PHP] Small Usersystem
Quote: Originally Posted by XCON
s-p-n, thanks for the advice, but I'm used to my way of coding, and I will probably keep using it.
zkemppel, the rank system I coded is very efficient and extendable, the authorization system you suggested isn't, but thank you for your advice.
I guess it depends on how you look at it. Anyways, I was just throwing some ideas out there. I gave you a quick idea, not a complete authorization/ranking system, but clearly you posted this so you could defend your code from every single post and be closed minded? Off to somewhere more productive now; not trying to start a flame war, bye.
-
Re: [MySQL][PHP] Small Usersystem
You may want to reconsider your secure() function.
I am almost certain that if you throw CHAR() at it, when it connects to the database, both add_slashes() and htmlspecialchars() do nothing to the command, so you are open to abuse of some sort.
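The concern in the post above, as an added example that is not part of the thread: an escaping helper concatenated into a query next to a bound parameter, showing that input without quote characters passes through the helper unchanged and is still parsed as SQL. The secure() below is a hypothetical stand-in built only from the post's description (addslashes plus htmlspecialchars), the table and input are constructed, and SQLite in memory (pdo_sqlite) replaces MySQL so the block runs offline.

```php
<?php
// Added example. secure() is a hypothetical stand-in for the thread's
// function; the table, rows and input are constructed.
function secure(string $in): string
{
    return htmlspecialchars(addslashes($in));
}

// SQLite in memory keeps the example offline; the thread's project uses MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Weak: the escaped value is concatenated into an unquoted position,
// so the database parses it as part of the SQL expression.
function find_concat(PDO $db, string $id): array
{
    return $db->query('SELECT name FROM users WHERE id = ' . secure($id))
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is bound as data and is never parsed as SQL.
function find_bound(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: no quotes or HTML characters, so there is nothing
// for addslashes() or htmlspecialchars() to escape.
$input = '2-1';

var_dump(secure($input) === $input);   // did the helper change anything?
var_dump(find_concat($db, $input));    // the database evaluates the arithmetic
var_dump(find_bound($db, $input));     // the literal string is compared as a value
```

htmlspecialchars() belongs at the point where a value is written into HTML, not where it is written into a query.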