Please help me with my confirmation email scripts (scripts included)

Hello!
I really need some help. I have been struggling with my scripts for days now and I hope that someone can figure out the mistakes I have made.

register-exec

PHP Code:

<?php //Start session session_start(); //Include database connection details require_once('config.php'); //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Sanitize the POST values $confirmation_code = md5(uniqid(rand())); $fname = clean($_POST['fname']); $lname = clean($_POST['lname']); $login = clean($_POST['login']); $password = clean($_POST['password']); $cpassword = clean($_POST['cpassword']); //Input Validations if($fname == '') { $errmsg_arr[] = 'First name missing'; $errflag = true; } if($lname == '') { $errmsg_arr[] = 'Last name missing'; $errflag = true; } if($address == '') { $errmsg_arr[] = 'Address missing'; $errflag = true; } if($city == '') { $errmsg_arr[] = 'City missing'; $errflag = true; } if($postalcode == '') { $errmsg_arr[] = 'Postalcode missing'; $errflag = true; } if($state == '') { $errmsg_arr[] = 'State/Province missing'; $errflag = true; } if($country == '') { $errmsg_arr[] = 'Country missing'; $errflag = true; } if($login == '') { $errmsg_arr[] = 'Login ID missing'; $errflag = true; } if($password == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } if($cpassword == '') { $errmsg_arr[] = 'Confirm password missing'; $errflag = true; } if( strcmp($password, $cpassword) != 0 ) { $errmsg_arr[] = 'Passwords do not match'; $errflag = true; } //Check for duplicate login ID if($login != '') { $qry = "SELECT * FROM temp WHERE login='$login'"; $result = mysql_query($qry); if($result) { if(mysql_num_rows($result) > 0) { $errmsg_arr[] = 'Login ID already in use'; $errflag = true; } @mysql_free_result($result); } else { die("Query failed"); } } //If there are input validations, redirect back to the registration form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: register-form.php"); exit(); } //Create INSERT query $qry = "INSERT INTO temp(code, firstname, lastname, address, city, postalcode, state, country, email, login, passwd) VALUES('$confirmation_code','$fname','$lname','$address','$city','$postalcode','$state','$country','$email','$login','".md5($_POST['password'])."')"; $result = @mysql_query($qry); //Check whether the query was successful or not if($result) { $message="Your Confirmation link \r\n"; $message.="Click on this link to activate your account \r\n"; $message.="http://www.------------.com/confirmation.php?pass_key=$confirmation_code"; $sent_mail = mail("$email", "Registration Confirmation", "$message"); } else { echo "Not found your e-mail in our database"; } if($sent_mail) { echo "Your Confirmation link has been sent to your e-mail account"; } else { echo "cannot send confirmation link to your e-mail adress"; } ?>

confirmation.php

PHP Code:

<?php //Start session session_start(); //Include database connection details require_once('config.php'); $passkey=$_GET['pass_key']; //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Create INSERT query $qry1="SELECT * FROM temp(code) VALUES('$confirmation_code')"; $result=@mysql_query($qry1); if($result) { $count=mysql_num_rows($result); if($count==1) { $rows=mysql_fetch_array($result); $fnamex=$rows['firstname']; $emailx=$rows['email']; $passwordx=$rows['passwd']; $fname=str_replace(' ','',$fnamex); $email=str_replace(' ','',$emailx); $password=str_replace(' ','',$passwordx); $qry2 = "INSERT INTO members(firstname, lastname, address, city, postalcode, state, country, email, login, passwd) VALUES('$fname','$lname','$address','$city','$postalcode','$state','$country','$email','$login','".md5($_POST['password'])."')"; $result2=@mysql_query($qry2); } else {echo "wrong confirmation code";} if($result2){ header("Location:confirmation2.html"); } } ?>

So what's my problem? When someone enters their information in my register form they receive a confirmation email with a link. When they click on the link their data should go from my mysql database called temp to the database called 'members'. However, this doesn't happen.
I am just a starter with php so hopefully you can help me!

Thank you so much in advance!

I haven't seen anything that is clearly wrong. The general idea seems correct, so I hope that helps a little.

One thing I noticed, though this won't fix the overall problems, is that this code seems problematic:

Code:

$fname=str_replace(' ','',$fnamex); $email=str_replace(' ','',$emailx); $password=str_replace(' ','',$passwordx);

Why do you want to change these values after they have been saved? Don't you want to tell the user the username, email or password has been updated??

Hey Daniel, I just send you a reply on your email. Again thanks for the help :).

I thought I needed to remove the spaces because it is easy for people to forget those. But you're right, maybe it is not necessary and better to take it out.

Quote:

Originally Posted by djr33

I haven't seen anything that is clearly wrong. The general idea seems correct, so I hope that helps a little.

One thing I noticed, though this won't fix the overall problems, is that this code seems problematic:

Code:

$fname=str_replace(' ','',$fnamex); $email=str_replace(' ','',$emailx); $password=str_replace(' ','',$passwordx);

Why do you want to change these values after they have been saved? Don't you want to tell the user the username, email or password has been updated??

So to clarify:
The data goes into my temp database but after clicking on the link in the confirmation email it should go to the members database, which it doesn't

You can remove spaces if you'd like, but the user won't know about this and then won't be able to log in. A valid email cannot contain spaces, so that should not be a problem. But for the others, that will change what they type. If you want to remove spaces, that's probably a good idea, just tell them before they are allowed to register (in the first step).

Code:

$result2=@mysql_query($qry2);

That line is what matters, I think.
Immediately after that, try to add this:

Code:

echo $result2===FALSE?'It is broken':'It works'; exit();

(The format is: condition?if true:else [false], so this is like if/else, but just in one line.)

That will tell you whether the query executed. The only way to solve this now is to just use "trial and error", going one step at a time until you find the exact problem.

Again, this is just for debugging, and you will need to remove this line after you use it to test.

Thanks again for your help. However, the frustrating thing is that the page turns blank. So if I click on the link in the confirmation email I go to confirmation.php but there is nothing on the page. Usually when there is something wrong in my code I immediatelly see the error message.

Quote:

Originally Posted by djr33

You can remove spaces if you'd like, but the user won't know about this and then won't be able to log in. A valid email cannot contain spaces, so that should not be a problem. But for the others, that will change what they type. If you want to remove spaces, that's probably a good idea, just tell them before they are allowed to register (in the first step).

Code:

$result2=@mysql_query($qry2);

That line is what matters, I think.
Immediately after that, try to add this:

Code:

echo $result2===FALSE?'It is broken':'It works'; exit();

(The format is: condition?if true:else [false], so this is like if/else, but just in one line.)

That will tell you whether the query executed. The only way to solve this now is to just use "trial and error", going one step at a time until you find the exact problem.

Again, this is just for debugging, and you will need to remove this line after you use it to test.

Here it is late in the evening so I will leave this thread until tomorrow morning.
Thanks for all the help thus far and hopefully I see some helpful replies when I wake up :)

info disappears when making an error, please help.

hello everyone,

I finally managed to build my register/login script. However, I have one little question. When they fill in my form but forget to fill in their address they get the message: address missing. The problem is that when this happens all the information they already entered in the other fields disappears. This is really annoying because then they have to start all over again.

How can I solve this?

Thanks very much in advance.

Validate with js first or echo the entered values back into the values of the inputs.

Quote:

Originally Posted by bluewalrus

Validate with js first or echo the entered values back into the values of the inputs.

Can you explain this a little bit better I am just a newbie :)

This is part of my data:

Code:

//If there are input validations, redirect back to the registration form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: register-form.php"); exit(); }

and this is data in my: register-form.php

<?php
if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) {
echo '<ul class="err">';
foreach($_SESSION['ERRMSG_ARR'] as $msg) {
echo '<li>',$msg,'</li>';
}
echo '</ul>';
unset($_SESSION['ERRMSG_ARR']);
}
?>

I'd need to see the form but basically. If it were...

Code:

<form action="this.php" method="post"> Name: <input type="text" name="name" /> Address: <input type="text" name="address" /> </form>

this.php

PHP Code:

<?php $error = false; $errormsg = ""; if(isset($_POST['name']) { $name = $_POST['name']; } else { $error = true; $errormsg = "name "; } if(isset($_POST['address']) { $address = $_POST['address']; } else { $error = true; $errormsg = $errormsg . "address"; } if ($error) { echo "please enter $errormsg."; ?> <form action="this.php" method="post"> Name: <input type="text" name="name" <?php if(isset($name)){ echo "value=\"$name\"";}?> /> Address: <input type="text" name="address" <?php if(isset($address)){ echo "value=\"$address\"";}?> /> </form> <?php } else { //process cause correct } ?>

Bluewalrus,
Thanks a lot for taking the time to help me out. I have been trying and trying with your suggestion however it is still not working. Every time I forget to fill in something I get the error message but all the other info disappears. I will show you my code and hope you have time to look

Thank you very much in advance.

Quote:

Originally Posted by bluewalrus

I'd need to see the form but basically. If it were...

Code:

<form action="this.php" method="post"> Name: <input type="text" name="name" /> Address: <input type="text" name="address" /> </form>

this.php

PHP Code:

<?php $error = false; $errormsg = ""; if(isset($_POST['name']) { $name = $_POST['name']; } else { $error = true; $errormsg = "name "; } if(isset($_POST['address']) { $address = $_POST['address']; } else { $error = true; $errormsg = $errormsg . "address"; } if ($error) { echo "please enter $errormsg."; ?> <form action="this.php" method="post"> Name: <input type="text" name="name" <?php if(isset($name)){ echo "value=\"$name\"";}?> /> Address: <input type="text" name="address" <?php if(isset($address)){ echo "value=\"$address\"";}?> /> </form> <?php } else { //process cause correct } ?>

registration-form.html

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Login Form</title> <link href="loginmodule.css" rel="stylesheet" type="text/css" /> </head> </body> </table> <?php if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) { echo '<ul class="err">'; foreach($_SESSION['ERRMSG_ARR'] as $msg) { echo '<li>',$msg,'</li>'; } echo '</ul>'; unset($_SESSION['ERRMSG_ARR']); } ?> <form id="loginForm" name="loginForm" method="post" action="reg.php"> <table width="405" border="0" align="left" cellpadding="2" cellspacing="0"> <tr> <th><div align="left">Name</div></th> <td><input name="name" type="text" class="textfield" id="name" size="45" /></td> </tr> <tr> <th><div align="left">Email </div></th> <td><input name="email" type="text" class="textfield" id="email" size="45" /></td> </tr> <tr> <th><div align="left">Confirm email </div></th> <td><input name="confemail" type="text" class="textfield" id="confemail" size="45" /></td> </tr> <tr> <th><div align="left">Password </div></th> <td><input name="pw" type="password" class="textfield" id="pw" size="45" /></td> </tr> </tr> <tr> <th><div align="left">Confirm Password </div></th> <td><input name="confpw" type="password" class="textfield" id="confpw" size="45" /></td> </tr> <tr> <td> </td> <td><input type="submit" name="Submit" value="Register" /></td> </tr> </table> </form> </body> </html>

reg.php

PHP Code:

<?php include('confform.php'); //Start session session_start(); //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Sanitize the POST values $name = clean($_POST['name']); $email = clean($_POST['email']); $confemail = clean($_POST['confemail']); //Input Validations if($name == '') { $errmsg_arr[] = 'Name missing'; $errflag = true; } if($email == '') { $errmsg_arr[] = 'Email missing'; $errflag = true; } if($confemail == '') { $errmsg_arr[] = 'Confirmation email missing'; $errflag = true; } if($pw == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } if($confpw == '') { $errmsg_arr[] = 'Confirmation password missing'; $errflag = true; } //If there are input validations, redirect back to the registration form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: register-form.php"); exit(); } //test to see if username is alphanumeric $test=$_POST['name']; if(!eregi("[^A-Za-z0-9]",$test)) { $query="SELECT * FROM mfc WHERE name ='$_POST(name)'"; $result=mysql_query($query); $num=mysql_num_rows($result); if($num == 0) { $query2="SELECT * FROM mfc WHERE name ='$_POST(email)'"; $result2=mysql_query($query2); $num2=mysql_num_rows($result2); if ($num2 == 0) { if(($_POST[pw]==$_POST[confpw])&&($_POST[email]==$_POST[confemail])) { $confirm_code=md5(uniqid(rand())); $name=strip_tags($_POST['name']); $email=strip_tags($_POST['email']); $pw=strip_tags($_POST['pw']); $sql="INSERT INTO tmp SET code='$confirm_code', name='$name', email='$email', pw='$pw'"; $result=mysql_query($sql); if($result) { $message="Your Confirmation link \r\n"; $message.="Click on this link to activate your account \r\n"; $message.="http://----------.com/confirmation.php?passkey=$confirm_code"; $sent_mail = mail("$email", "Registration Confirmation", "$message"); header("Location:thankyou.html"); } else { echo "Not found your e-mail in our database"; } if($sentmail) { echo "Your Confirmation link has been sent to your e-mail account"; } else { echo "cannot send confirmation link to your e-mail adress"; } } } else { header("location:badmatch.html"); } } else { header("Location:emailinuse.html"); } } else { header("Location:nameinuse.html"); } ?>

please help me with one question: register script

I have a good working register script.
When people leave one field blank they get the message that they have to fill in all the fields. I do this with the following code:

Code:

//Sanitize the POST values $name = clean($_POST['name']); $email = clean($_POST['email']); $confemail = clean($_POST['confemail']); //Input Validations if($name == '') { $errmsg_arr[] = 'Name missing'; $errflag = true; } if($email == '') { $errmsg_arr[] = 'Email missing'; $errflag = true; } if($confemail == '') { $errmsg_arr[] = 'Confirmation email missing'; $errflag = true; } if($pw == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } if($confpw == '') { $errmsg_arr[] = 'Confirmation password missing'; $errflag = true; } //If there are input validations, redirect back to the registration form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: register-form.php"); exit(); }

The problem is that all the information that already was entered.. disappears.
I want to solve this with the following php, but I don´t know where to place it in the script.

PHP Code:

?> <form action="this.php" method="post"> Name: <input type="text" name="name" <?php if(isset($name)){ echo "value=\"$name\"";}?> /> Address: <input type="text" name="address" <?php if(isset($address)){ echo "value=\"$address\"";}?> /> </form> <?php

Dont post the same question multiple times. Someone will answer you when they have a chance. I don't have a chance now.

I'd recommend a mod merge these two threads and delete the third and any others.

PHP Code:

<?php //Sanitize the POST values if (isset($_POST['name'])) { $name = clean($_POST['name']); } if (isset($_POST['email'])) { $email = clean($_POST['email']); } if (isset($_POST['confemail'])) { $confemail = clean($_POST['confemail']); } //Input Validations if($name == '') { $errmsg_arr[] = 'Name missing'; $errflag = true; } if($email == '') { $errmsg_arr[] = 'Email missing'; $errflag = true; } if($confemail == '') { $errmsg_arr[] = 'Confirmation email missing'; $errflag = true; } //THESE AREN'T DELCARED v if($pw == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } if($confpw == '') { $errmsg_arr[] = 'Confirmation password missing'; $errflag = true; } if ($pw != $confpw) { $errmsg_arr[] = 'Passwords don\'t match.'; $errflag = true; } //THESE AREN'T DELCARED ^ //If there are input validations, redirect back to the registration form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); ?> <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post"> Name: <input type="text" name="name" <?php if ($name != "") { echo "value=\"$name\"";}?> /><br /> Email: <input type="text" name="email" <?php if ($name != "") { echo "value=\"$email\"";}?> /><br /> Confirm Email: <input type="text" name="confemail" <?php if ($name != "") { echo "value=\"$confemail\"";}?> /><br /> Password: <input type="password" name="pw" <?php if ($name != "") { echo "value=\"$pw\"";}?>/><br /> Confirm Password: <input type="password" name="confpw" <?php if ($name != "") { echo "value=\"$confpw\"";}?> /><br /> <input type="submit" /> </form> <?php exit(); } ?>

Thank you so much bluewalrus. I managed to make the script working.

However I still have one question. When there is an error message (for example: name missing) the message is displayed boring in black. I wanted to add a css file so that I could colour it, however it gives the message: cannot modify header information. Does anyone knows how to solve this?

Thanks very much!

This is my script:

PHP Code:

<?php session_start(); include('confform.php'); //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Sanitize the POST values if (isset($_POST['name'])) { $name = clean($_POST['name']); } if (isset($_POST['email'])) { $email = clean($_POST['email']); } if (isset($_POST['confemail'])) { $confemail = clean($_POST['confemail']); } //Input Validations if($name == '') { $errmsg_arr[] = 'Name missing'; $errflag = true; } if($email == '') { $errmsg_arr[] = 'Email missing'; $errflag = true; } if($confemail == '') { $errmsg_arr[] = 'Confirmation email missing'; $errflag = true; } //THESE AREN'T DELCARED v if($pw == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } if($confpw == '') { $errmsg_arr[] = 'Confirmation password missing'; $errflag = true; } if ($pw != $confpw) { $errmsg_arr[] = 'Passwords don\'t match.'; $errflag = true; } //THESE AREN'T DELCARED ^ //If there are input validations, redirect back to the registration form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); ?> <?php if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) { echo '<ul class="err">'; foreach($_SESSION['ERRMSG_ARR'] as $msg) { echo '<li>',$msg,'</li>'; } echo '</ul>'; unset($_SESSION['ERRMSG_ARR']); } ?> <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post"> Name: <input type="text" name="name" <?php if ($name != "") { echo "value=\"$name\"";}?> /><br /> Email: <input type="text" name="email" <?php if ($email != "") { echo "value=\"$email\"";}?> /><br /> Confirm Email: <input type="text" name="confemail" <?php if ($confemail != "") { echo "value=\"$confemail\"";}?> /><br /> Password: <input type="password" name="pw" <?php if ($pw != "") { echo "value=\"$pw\"";}?>/><br /> Confirm Password: <input type="password" name="confpw" <?php if ($confpw != "") { echo "value=\"$confpw\"";}?> /><br /> <input type="submit" /> </table> </form> <?php exit(); } //test to see if username is alphanumeric $test=$_POST['name']; if(!eregi("[^A-Za-z0-9]",$test)) { $query="SELECT * FROM mfc WHERE name ='$_POST(name)'"; $result=mysql_query($query); $num=mysql_num_rows($result); if($num == 0) { $query2="SELECT * FROM mfc WHERE name ='$_POST(email)'"; $result2=mysql_query($query2); $num2=mysql_num_rows($result2); if ($num2 == 0) { if(($_POST[pw]==$_POST[confpw])&&($_POST[email]==$_POST[confemail])) { $confirm_code=md5(uniqid(rand())); $name=strip_tags($_POST['name']); $email=strip_tags($_POST['email']); $pw=strip_tags($_POST['pw']); $sql="INSERT INTO tmp SET code='$confirm_code', name='$name', email='$email', pw='$pw'"; $result=mysql_query($sql); if($result) { $message="Your Confirmation link \r\n"; $message.="Click on this link to activate your account \r\n"; $message.="http://------------.com/confirmation.php?passkey=$confirm_code"; $sent_mail = mail("$email", "Registration Confirmation", "$message"); header("Location:thankyou.html"); } else { echo "Not found your e-mail in our database"; } if($sentmail) { echo "Your Confirmation link has been sent to your e-mail account"; } else { echo "cannot send confirmation link to your e-mail adress"; } } } else { header("location:badmatch.html"); } } else { header("Location:emailinuse.html"); } } else { header("Location:nameinuse.html"); } ?>

All text output to the browser (anything in the source code, including content, html tags, and even blank lines/spaces) must occur after any "header" functions. Usually this is header(), but it can also happen with functions like start_session() and setcookie() because they use HTTP headers too.
This is because the browser first receives HTTP headers (they tell the browser what to do), then it receives the text data (this is just the content, displayed according to the headers).

Therefore, if you send a header after you send text, it will not work and PHP will display an error message.

The solution may not be easy because you must entirely re-order your script: any header functions MUST go first, and any text output must go after that.

In other words, you may not display your errors before you have done the header redirects.

Depending on how this changes your system, it may require using a different method for the errors or the redirects, or both...

Hey!
I managed to make the script working by putting: ob_start();
I don't know why.. but it works :)

Quote:

Originally Posted by djr33

All text output to the browser (anything in the source code, including content, html tags, and even blank lines/spaces) must occur after any "header" functions. Usually this is header(), but it can also happen with functions like start_session() and setcookie() because they use HTTP headers too.
This is because the browser first receives HTTP headers (they tell the browser what to do), then it receives the text data (this is just the content, displayed according to the headers).

Therefore, if you send a header after you send text, it will not work and PHP will display an error message.

The solution may not be easy because you must entirely re-order your script: any header functions MUST go first, and any text output must go after that.

In other words, you may not display your errors before you have done the header redirects.

Depending on how this changes your system, it may require using a different method for the errors or the redirects, or both...

Everyone was of great help and I managed to make my registration script exactly how I wanted it.
However, I again got a little problem, this time with md5. The script works totally fine when I doesn't encrypt the password with md5. However when I do encrypt it.. I am redirected all the time to my login failed page. I tried to make changes over and over again but it's not working :S

This is my final login script:

PHP Code:

<?php //Start session session_start(); //Include database connection details require_once('config.php'); //Array to store validation errors $errmsg_arr = array(); //Validation error flag $errflag = false; //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Sanitize the POST values $name = clean($_POST['name']); //Input Validations if($name == '') { $errmsg_arr[] = 'Username missing'; $errflag = true; } if($pw == '') { $errmsg_arr[] = 'Password missing'; $errflag = true; } //If there are input validations, redirect back to the login form if($errflag) { $_SESSION['ERRMSG_ARR'] = $errmsg_arr; session_write_close(); header("location: login-form.php"); exit(); } //Create query $qry="SELECT * FROM mfc WHERE name='$name' AND pw='".md5($_POST['pw'])."'"; $result=mysql_query($qry); //Check whether the query was successful or not if($result) { if(mysql_num_rows($result) == 1) { //Login Successful session_regenerate_id(); $member = mysql_fetch_assoc($result); $_SESSION['SESS_MEMBER_ID'] = $member['member_id']; $_SESSION['SESS_FIRST_NAME'] = $member['firstname']; $_SESSION['SESS_LAST_NAME'] = $member['lastname']; session_write_close(); header("location: member-index.php"); exit(); }else { //Login failed header("location: login-failed.php"); exit(); } }else { die("Query failed"); } ?>

1. Output buffers: usually they are a bad idea because they make the page run slower. However, since this is a limited page (not much text, and it will only be seen once in a while), that is probably ok. Usually there is a better way to rewrite the page to avoid using an output buffer, but the problem with header() vs. text is actually one of the cases where this can be very difficult, so it's not a really bad idea. Now that it's working, I think that's fine, though I wouldn't recommend usually using that. Instead, try to write scripts with header() content first, then text output, if possible. Of course an output buffer can fix this if you can't find another way...

2. md5: My guess is that the script already uses md5 somewhere else, maybe? I don't see this, but that would explain it. Alternatively, you might need to rewrite the system to allow for using md5. Perhaps it's another hash generator, like sha1? There are a few like that. Also, sometimes various scripts use "salt", which means that they don't use only the password, but also the username. For example, one method I have seen is: md5($username.md5($password))
If it works now, though, I am guessing that it's the correct method. Look at your database directly (using phpmyadmin, perhaps) and check to see if you are storing the passwords as md5 (as a "hash string") or in their original form. For security, it's a little better to use md5 or a similar algorithm, so maybe that could be a next step if you are not doing that already.

Thanks for the reply! Yes, it is indeed true that I use md5 also on a different place. Namely, to encrypt the confirmation code the users receive when they register. Do you think it is not necessary to encrypt the password because I already use this confirmation email system?

Quote:

Originally Posted by djr33

1. Output buffers: usually they are a bad idea because they make the page run slower. However, since this is a limited page (not much text, and it will only be seen once in a while), that is probably ok. Usually there is a better way to rewrite the page to avoid using an output buffer, but the problem with header() vs. text is actually one of the cases where this can be very difficult, so it's not a really bad idea. Now that it's working, I think that's fine, though I wouldn't recommend usually using that. Instead, try to write scripts with header() content first, then text output, if possible. Of course an output buffer can fix this if you can't find another way...

2. md5: My guess is that the script already uses md5 somewhere else, maybe? I don't see this, but that would explain it. Alternatively, you might need to rewrite the system to allow for using md5. Perhaps it's another hash generator, like sha1? There are a few like that. Also, sometimes various scripts use "salt", which means that they don't use only the password, but also the username. For example, one method I have seen is: md5($username.md5($password))
If it works now, though, I am guessing that it's the correct method. Look at your database directly (using phpmyadmin, perhaps) and check to see if you are storing the passwords as md5 (as a "hash string") or in their original form. For security, it's a little better to use md5 or a similar algorithm, so maybe that could be a next step if you are not doing that already.

It's for a different reason. Basically using md5 on a password means that if your server or database is hacked, the passwords are still hidden (encrypted). And as administrator you can't view them so it is a little more privacy for the users. Generally it isn't a problem though.