I have a php script which is supposed to register a user. It was working fine two weeks ago but it stopped working today after making minor changes to an unrelated part of the site. Here is the code:
<?php
$salt="mysecretsalt";
$activationkey = md5(uniqid(rand(), true));
$Firstname = $_POST['firstname'];
$Lastname = $_POST['lastname'];
$Email = $_POST['email'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
function asc2hex ($temp) {
$data = "";
$len = strlen($temp);
for ($i=0; $i<$len; $i++) $data.=sprintf("%02x",ord(substr($temp,$i,1)));
return $data;
}
$Email = stripslashes($Email);
$password = stripslashes($password);
$password2 = stripslashes($password2);
$Firstname = stripslashes($Firstname);
$Lastname = stripslashes($Lastname);
$Email = mysql_real_escape_string($Email);
$password = mysql_real_escape_string($password);
$Lastname = mysql_real_escape_string($Lastname);
$password2 = mysql_real_escape_string($password2);
$Firstname = mysql_real_escape_string($Firstname);
$password_length = strlen($password);
if($password_length > 5)
{
$password = sha1(md5($salt.$password));
$password2 = sha1(md5($salt.$password2));
$Firstname = strtolower($Firstname);
$Firstname = ucfirst($Firstname);
$Lastname = strtolower($Lastname);
$Lastname = ucfirst($Lastname);
$Email = strtolower($Email);
if ($password == $password2){
$con = mysql_connect("localhost","root","password");
if (!$con)
{
die('Could not connect. Please Contact Us: ' . mysql_error());
}
mysql_select_db("members", $con);
$email_check = mysql_query("SELECT Email FROM users WHERE Email='$Email'");
$email_count = mysql_num_rows($email_check);
if(preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $Email)) {
if ($email_count == '0') {
$Email = mysql_real_escape_string($Email);
$password = mysql_real_escape_string($password);
$Lastname = mysql_real_escape_string($Lastname);
$password2 = mysql_real_escape_string($password2);
$Firstname = mysql_real_escape_string($Firstname);
setcookie("Friendsplash", $activationkey, time()+3600);
mysql_query("INSERT INTO users (Firstname, Lastname, Email, password, activationkey) VALUES ('$Firstname', '$Lastname', '$Email', '$password', '$activationkey' )");
//$to = $Email;
//$subject = "Confirmation of Friendsplash.com Membership.";
//$message = "Welcome to our website! $Firstname $Lastname\r\rThis is a confirmation email regarding your recent request for a membership at Friendsplash.com\r\r
//To activate your account follow this confirmation link:\rhttp://localhost/html/activate.php?$activationkey
//\r\rIf you do not wish to activate this account please disregard this email.";
//$from = "postmaster@localhost";
//$headers = "From:" . $from;
//mail($to,$subject,$message,$headers);
mkdir("./usr/$Email", 0755);
echo "<meta http-equiv='REFRESH' content='0;url=confirmation.html'>";
}
else {
echo "<meta http-equiv='REFRESH' content='0;url=existing_email.html'>";
}
}
else {
echo "Please enter a valid email.<meta http-equiv='REFRESH' content='2;url=register.html'>";
}
}
else {
echo "<meta http-equiv='REFRESH' content='0;url=non-matching_passwords.html'>";
}
}
else {
echo "<meta http-equiv='REFRESH' content='15;url=short_password.html'>"; \\ Always taken here
}
}
}
}
?>
I have tried commenting out this if but it then just takes me to the if above it.
Your problem lies in the fact that you
mysql_real_escape_stringyour data before you connect to the database.mysql_real_escape_stringneeds an existing database connection to do its job, if there is none, it’ll returnfalse. So all your data isfalse, hence your checks are failing. Read the manual page for details.You should enable error reporting to catch such problems earlier.
Also, you shouldn’t check the password length against the escaped value, since this may be significantly different from the value the user has entered.
Also, fail early. Don’t have thousands of nested levels of
if–elsestatements, it’s unmaintainable. Rather, do something like: