[RELEASE] Secure PHP Web Registration Script

[JohnHeatz]

what is the specific error that you are getting?

[PrinciCh]

hi,also hab eine register script gemacht und wenn man eine acc im web macht also game acc,kommt bei den user_master,RowID und UserUid NULL,und ich kan nicht im game einlogen, also was mache falsch brauche hilfe komm nicht weiter.


hi, so have made ​​a register script and if one makes the web so acc acc game comes at the user_master, and UserUid RowID is NULL, and I kan not login in the game, so what's wrong need help do not come on.

Also genauer gesagt wen ich mich im web registriere kommen beim User_Master. bei RowID und Bei UserUid beide stecht NULL und ich kom nicht im game,also wie krieg ich die biite hin das es richtig laufen soll danke..


So more precisely, whom do I register myself in the web come in User_Master. If and when RowID UserUid both ***** and I do not NULL in the complex game, so how do I get the Biite out there that will go right thanks ..

[benoli105]

can some1 explain in detail what we have to do plz ? or make a lil quick vid tutorial explaining what to do with THOSE script ;s plz

[JohnHeatz]

Change what it is needed to make them fit with your server (IP, DBUser, DBPw....) and put it into the "www" folder of your wamp/xamp....

[mendi1]

Help for registre scrip

[benoli105]

plz any1 can help me , i get this error : You must have the php_mssql library for Apache installed and enabled to connect to an MSSQL database. Uncomment the line that says extension=php_mssql.dll in your php.ini (XAMPP/WAMP only). This requires a restart of the Apache service to take effect.

[JohnHeatz]

Look for the php_mssql.dll line in your ini file (xamp/wamp) and uncomment it (delete the ; at the beginning of the line) then restart your xamp/wamp

[benoli105]

ok tyvm , when i do that , i restart then im unable to start apache :s

[benoli105]

TYVM abrasive i got it to work <3 D

[mendi1]

Help for ROWID

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

<div id="bv_Html1" style="position:absolute;left:0px;top:0px;width:45 0px;height:150px;z-index:0;" align="left">
<!-- *META* -->
<!-- rss_menu meta -->
<?php
require_once('recaptchalib.config.php');
require_once('recaptchalib.php');
require_once('db.config.php');

$user_ip = $_SERVER['REMOTE_ADDR'];
$username = isset($_POST['username']) ? mssql_escape_string(trim($_POST['username'])) : '';
$password = isset($_POST['password']) ? mssql_escape_string(trim($_POST['password'])) : '';
$password2 = isset($_POST['password2']) ? mssql_escape_string(trim($_POST['password2'])) : '';
$errors = array();
$success = false;
if(isset($_POST) && !empty($_POST)){
require_once('db.php');

// Validate user name.
$result = @odbc_exec($conn,"SELECT UserID FROM PS_UserData.dbo.Users_Master WHERE UserID = '{$username}'") or die('Failed to verify is the provided user named already exists.');
if(empty($username)){
$errors[] = 'Please provide a user name.';
}else if(strlen($username) < 3 || strlen($username) > 16){
$errors[] = 'User name must be between 3 and 16 characters in length.';
}else if(ctype_alnum($username) === false){
$errors[] = 'User name must consist of numbers and letters only.';
}else if(odbc_num_rows($result)){
$errors[] = 'User name already exists, please choose a different user name.';
}
// Validate user password.
if(empty($password)){
$errors[] = 'Please provide a password.';
}else if(strlen($password) < 3 || strlen($password) > 16){
$errors[] = 'Password must be between 3 and 16 characters in length.';
}else if($password != $password2){
$errors[] = 'Passwords do not match.';
}
// Validate reCAPTCHA. This is to prevent someone botting account creation.
$response = recaptcha_check_answer($recaptcha_private_key,$_SE RVER['REMOTE_ADDR'],$_POST['recaptcha_challenge_field'],$_POST['recaptcha_response_field']);
if(!$response->is_valid){
if($response->error == 'incorrect-captcha-sol'){
$errors['recaptcha'] = 'Incorrect answer to reCAPTCHA';
}else{
$errors['recaptcha'] = $response->error;
}
}
// Persist the new account to the database if no previous errors occured.
if(count($errors) == 0){
$sql = "INSERT INTO PS_UserData.dbo.Users_Master
(UserID,Pw,JoinDate,Admin,AdminLevel,UseQueue,Stat us,Leave,LeaveDate,UserType,Point,EnPassword,UserI p)
VALUES ('{$username}','{$password}',GETDATE(),0,0,0,0,0,G ETDATE(),'N',0,'','{$user_ip}')";
// Remove the @ symbol here to see what the SQL error message is when running the above query in $sql.
if($result = @odbc_exec($conn,$sql)){
$success = "Account {$username} successfully created!";
}else{
// This means the insert statement is probably not valid for your database. Fix the query or fix your database, your choice
$errors[] = 'Failed to create a new account, please try again later';
}
}
}
// Determine which view to show.
if($success === false){
require_once('register.view.php');
}else{
require_once('success.view.php');
}
?></div>
</body>

</html>

Help for RowID

Quote:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

<div id="bv_Html1" style="position:absolute;left:0px;top:0px;width:45 0px;height:150px;z-index:0;" align="left">
<!-- *META* -->
<!-- rss_menu meta -->
<?php
require_once('recaptchalib.config.php');
require_once('recaptchalib.php');
require_once('db.config.php');

$user_ip = $_SERVER['REMOTE_ADDR'];
$username = isset($_POST['username']) ? mssql_escape_string(trim($_POST['username'])) : '';
$password = isset($_POST['password']) ? mssql_escape_string(trim($_POST['password'])) : '';
$password2 = isset($_POST['password2']) ? mssql_escape_string(trim($_POST['password2'])) : '';
$errors = array();
$success = false;
if(isset($_POST) && !empty($_POST)){
require_once('db.php');

// Validate user name.
$result = @odbc_exec($conn,"SELECT UserID FROM PS_UserData.dbo.Users_Master WHERE UserID = '{$username}'") or die('Failed to verify is the provided user named already exists.');
if(empty($username)){
$errors[] = 'Please provide a user name.';
}else if(strlen($username) < 3 || strlen($username) > 16){
$errors[] = 'User name must be between 3 and 16 characters in length.';
}else if(ctype_alnum($username) === false){
$errors[] = 'User name must consist of numbers and letters only.';
}else if(odbc_num_rows($result)){
$errors[] = 'User name already exists, please choose a different user name.';
}
// Validate user password.
if(empty($password)){
$errors[] = 'Please provide a password.';
}else if(strlen($password) < 3 || strlen($password) > 16){
$errors[] = 'Password must be between 3 and 16 characters in length.';
}else if($password != $password2){
$errors[] = 'Passwords do not match.';
}
// Validate reCAPTCHA. This is to prevent someone botting account creation.
$response = recaptcha_check_answer($recaptcha_private_key,$_SE RVER['REMOTE_ADDR'],$_POST['recaptcha_challenge_field'],$_POST['recaptcha_response_field']);
if(!$response->is_valid){
if($response->error == 'incorrect-captcha-sol'){
$errors['recaptcha'] = 'Incorrect answer to reCAPTCHA';
}else{
$errors['recaptcha'] = $response->error;
}
}
// Persist the new account to the database if no previous errors occured.
if(count($errors) == 0){
$sql = "INSERT INTO PS_UserData.dbo.Users_Master
(UserID,Pw,JoinDate,Admin,AdminLevel,UseQueue,Stat us,Leave,LeaveDate,UserType,Point,EnPassword,UserI p)
VALUES ('{$username}','{$password}',GETDATE(),0,0,0,0,0,G ETDATE(),'N',0,'','{$user_ip}')";
// Remove the @ symbol here to see what the SQL error message is when running the above query in $sql.
if($result = @odbc_exec($conn,$sql)){
$success = "Account {$username} successfully created!";
}else{
// This means the insert statement is probably not valid for your database. Fix the query or fix your database, your choice
$errors[] = 'Failed to create a new account, please try again later';
}
}
}
// Determine which view to show.
if($success === false){
require_once('register.view.php');
}else{
require_once('success.view.php');
}
?></div>
</body>

</html>

[JohnHeatz]

If you, perhaps, give more information about what the problem is, something more explained than "Help for RowID" it would be possible to help

[·Tyler·]

Quote:

Originally Posted by abrasive

Ideally your UserUID column in the table PS_UserData.dbo.Users_Master should be set to auto-increment. If this is not the case, you will need to adjust this script, or ideally fix your database, to accommodate this.

mendi1,

This is most likely the solution to your problem.

Tyler

[Seyyah46]

if you need help and if your problem

Quote:

Failed to create a new account, please try again later

or



1. Right-click on the Users_Master table and select Design.
2. Highlight RowID, and look inside the Column Properties section at the bottom of the interface for Identity Specification.
3. Expand Identity Specification, and change (Is Identity) to Yes. Identity Increment and Identity Seed should change to 1 automatically when you do this.
4. Press Ctrl + S to save.

Edit:


and use this Register.php (Edit this file with your personal database credentials) ( sql id (ex. YENSH-S89HRGF or ip), sql user id (ex. Shaiya), sql user password (ex. Shaiya123)

Quote:

<?php
require_once('recaptchalib.config.php');
require_once('recaptchalib.php');
require_once('db.config.php');

$user_ip = $_SERVER['REMOTE_ADDR'];
$username = isset($_POST['username']) ? mssql_escape_string(trim($_POST['username'])) : '';
$password = isset($_POST['password']) ? mssql_escape_string(trim($_POST['password'])) : '';
$password2 = isset($_POST['password2']) ? mssql_escape_string(trim($_POST['password2'])) : '';
$conn=mssql_connect('sql id','sql user id','sql user password');
$db = mssql_select_db('PS_UserData',$conn) or die("MSSQL Conection Error!");
$errors = array();
$success = false;
if(isset($_POST) && !empty($_POST)){
require_once('db.php');

// Validate user name.
$result = @mssql_query("SELECT UserID FROM PS_UserData.dbo.Users_Master WHERE UserID = '{$username}'") or die('Failed to verify is the provided user named already exists.');
if(empty($username)){
$errors[] = 'Please provide a user name.';
}else if(strlen($username) < 3 || strlen($username) > 16){
$errors[] = 'User name must be between 3 and 16 characters in length.';
}else if(ctype_alnum($username) === false){
$errors[] = 'User name must consist of numbers and letters only.';
}else if(mssql_num_rows($result)){
$errors[] = 'User name already exists, please choose a different user name.';
}
// Validate user password.
if(empty($password)){
$errors[] = 'Please provide a password.';
}else if(strlen($password) < 3 || strlen($password) > 16){
$errors[] = 'Password must be between 3 and 16 characters in length.';
}else if($password != $password2){
$errors[] = 'Passwords do not match.';
}
// Validate reCAPTCHA. This is to prevent someone botting account creation.
$response = recaptcha_check_answer($recaptcha_private_key,$_SE RVER['REMOTE_ADDR'],$_POST['recaptcha_challenge_field'],$_POST['recaptcha_response_field']);
if(!$response->is_valid){
if($response->error == 'incorrect-captcha-sol'){
$errors['recaptcha'] = 'Incorrect answer to reCAPTCHA';
}else{
$errors['recaptcha'] = $response->error;
}
}
// Persist the new account to the database if no previous errors occured.
if(count($errors) == 0){
$checkuseruid = "SELECT Max(UserUID) AS max FROM PS_UserData.dbo.Users_Master";
$resultado = mssql_query($checkuseruid);
$captura = mssql_fetch_array($resultado);
$UserUID = $captura["max"]+1;
$sql = "INSERT INTO PS_UserData.dbo.Users_Master
(UserUID,UserID,Pw,JoinDate,Admin,AdminLevel,UseQu eue,Status,Leave,LeaveDate,UserType,Point,EnPasswo rd,UserIp)
VALUES ('{$UserUID}','{$username}','{$password}',GETDATE( ),0,0,0,0,0,GETDATE(),'N',0,'','{$user_ip}')";
// Remove the @ symbol here to see what the SQL error message is when running the above query in $sql.
if($result = @mssql_query($sql)){
$success = "Account {$username} successfully created!";
}else{
// This means the insert statement is probably not valid for your database. Fix the query or fix your database, your choice
$errors[] = 'Failed to create a new account, please try again later';
}
}
}
// Determine which view to show.
if($success === false){
require_once('register.view.php');
}else{
require_once('success.view.php');
}
?>

[firexware]

This is vulnerable to XSS where the form is filled with the user's data when the query fails. Use htmlentities or htmlspecialchars on all user data before outputting it.

P0c:

Put:

"><script>alert('xss nuuuuu');</script><div id="

into the username then click 'create account'

[Domina1990]

geht viel einfacher mit nichtmal 10 zeilen. mfg