Mysidia Adoptables Support Forum


Slix 07-17-2011 04:24 PM

Register with no password?
 
Here's the deal. I added a few lines to the register.php page to help prevent bots and spammers from joining, and I don't know if this caused it, but now you're able to register with no password entered into either password blank.

Any ideas? It's really bad because you could register, be auto logged in, and if you log out, you'll have no password (or a blank one maybe).


Here's my register.php code:

Code:

<?php

// **********************************************************************
// Rusnak PHP Adoptables Script
// Copyright 2009 Brandon Rusnak
// For help and support: http://www.rusnakweb.com/forum/
//
// Redistribution prohibited without written permission
// **********************************************************************

// Wake the sleeping giant

// **********************************************************************
// Basic Configuration Info
// **********************************************************************

include("inc/functions.php");
include("inc/config.php");
include("lang/lang.php");

$themeurl = grabanysetting("themeurl");

// **********************************************************************
// Define our top links by calling getlinks()
// **********************************************************************

$links = getlinks();

// **********************************************************************
// Define our ads by calling getads()
// **********************************************************************

$ads = getads("register");

// **********************************************************************
// Grab any dynamic article content from the content table
// **********************************************************************

$pagecontent = getsitecontent("index");
$article_title = $pagecontent['title'];
$article_content = $pagecontent['content'];
$article_content = nl2br($article_content);

// **********************************************************************
// Grab any settings that we will need for the current page from the DB
// **********************************************************************

$browsertitle = grabanysetting("browsertitle");
$sitename = grabanysetting("sitename");
$slogan = grabanysetting("slogan");

// **********************************************************************
// Check and see if the user is logged in to the site
// **********************************************************************

$loginstatus = logincheck();
$isloggedin = $loginstatus['loginstatus'];
$loggedinname = $loginstatus['username'];

// **********************************************************************
// End Prepwork - Output the page to the user
// **********************************************************************

if($isloggedin == "yes"){

$article_title = "You already have an account";
$article_content = "You already have an account, thus there is no need for you to register a new one.";

}
else{

//Grab the post data from the form

$username = $_POST["username"];
$pass1 = $_POST["pass1"];
$pass2 = $_POST["pass2"];
$email = $_POST["email"];
$tos = $_POST["tos"];
$hidden = $_POST["hidden"];
$spam = $_POST["spam"];

//Protect the database
$username = preg_replace("/[^a-zA-Z0-9\\040.]/", "", $username);
$username = secure($username);
$pass1 = secure($pass1);
$pass2 = secure($pass2);
$email = preg_replace("/[^a-zA-Z0-9@._-]/", "", $email);
$email = secure($email);
$tos = preg_replace("/[^a-zA-Z0-9s]/", "", $tos);
$hidden = preg_replace("/[^a-zA-Z0-9s]/", "", $hidden);
$spam = secure($spam);

        if($hidden != "goregister"){

        //The form was not submitted, so we are showing the signup page...

        $article_title = $regnew;
        $article_content = $regnewexplain."<br><form name='form1' method='post' action='register.php'>
          <p>Username: <input name='username' type='text' id='username' maxlength='20'></p>
          <p>Your username may be up to 20 characters long and may only contain letters, numbers and spaces. </p>
          <p>Password: <input name='pass1' type='password' id='pass1' maxlength='20'></p>
          <p>Your password may be up to 20 characters long and may contain letters, numbers, spaces and special characters. The use of a special character, such as * or ! is recommended for increased security. </p>
          <p>Confirm Password: <input name='pass2' type='password' id='pass2' maxlength='20'></p>
          <p>Email Address: <input name='email' type='text' id='email'></p>
          <p><input name='tos' type='checkbox' id='tos' value='yes'> I agree to the <a href='tos.php' target='_blank'>Terms of Service</a>.
          <input name='hidden' type='hidden' id='hidden' value='goregister'></p>
<p>Please enter the number after fifteen. <input name='spam' type='text' id='spam' value='I am a spammer!'></p>
          <p><input type='submit' name='Submit' value='Register'>
          </p></form>";


        }
        else{

        //We are attempting to register the user...

        //First MD5 hash the passwords:

        $pass1 = md5($pass1);
        $pass2 = md5($pass2);


    //Next check that the email does not already exist...



    $flag1 = 0;
    $query = "SELECT * FROM ".$prefix."users WHERE email = '$email'";
    $result = @mysql_query($query);
    $num1 = @mysql_numrows($result);

    if($num1 > 0){

    $flag1 = 1;

    }
       
        //Next check that the username does not already exist...

        $flag = 0;
        $query = "SELECT * FROM ".$prefix."users WHERE username = '$username'";
        $result = @mysql_query($query);
        $num = @mysql_numrows($result);

        if($num > 0){
        $flag = 1;
        }

        //Now we verify that the email address is a valid email address...
        $emailisvalid = "no";


        if(eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
       
        $emailisvalid = "yes";
       
        }
       
        //First check that something required was not left blank...

        if($username == "" or $pass1 == "" or $pass2 == "" or $email == ""){
        $article_title = "Error";
        $article_content = $regblank;
        }
        else if($pass1 != $pass2){
       
        //Passwords do not match

        $article_title = "Your passwords do not match";
        $article_content = $passnomatch;

        }
        else if($tos != "yes"){

        //User did not agree to TOS
        $article_title = "Terms of Service Error";
        $article_content = $notos;

        }
       
        else if($flag1 > 0){

    //email already exists
    $article_title = "Multiple Accounts is not permitted on this website.";
    $article_content = $emailexists;

    }
        else if($flag > 0){

        //Username already exists
        $article_title = "Your username already exists";
        $article_content = $userexists;       

        }
        else if($emailisvalid != "yes"){

        //Email address is not valid or is a fake

        $article_title = "Email address is not valid";
        $article_content = $emailinvalid;

        }

        else if($spam != "16"){

        $article_title = "You entered the wrong number";
        $article_content = "Please correct it and try again.";

        }
        else{

        //All checks are done, actually create the user's account on the database

        $date = date('Y-m-d');

        mysql_query("INSERT INTO ".$prefix."users VALUES ('', '$username', '$pass1','$email','3','1', '$date', '0','','','','','')");

        //Now that we have created the user, let's log them in...

        $status = dologin($username, $pass1);

        if($status != "success"){
       
        $article_title = "Something is Wrong!";
        $article_content = "Something is very, very wrong.  Please contact Slix about this error.";

        }
        else{

        //We are registered and logged in...

        $article_title = $titleregsuccess;
        $article_content = $regsuccess."".$username."".$regsuccess2;

        //Reflect our changes in the sidebar...
        $sidebar = "<b><u>Welcome ".$username."</u></b>:<br><a href='account.php'>Go to My Account</a><br><a href='adopt.php'>Adopt Some Pets</a>";

        }


        }
       


        }

}

// **********************************************************************
// Begin Template Definition
// **********************************************************************

//Define our current theme
$file = $themeurl;

// Do the template changes and echo the ready template
$template = file_get_contents($file);

$template = replace(':ARTICLETITLE:',$article_title,$template);
$template = replace(':ARTICLECONTENT:',$article_content,$template);
$template = replace(':ARTICLEDATE:',$article_date,$template);

$template = replace(':BROWSERTITLE:',$browsertitle,$template);
$template = replace(':SITENAME:',$sitename,$template);

//Define our links
$template = replace(':LINKSBAR:',$links,$template);

//Get the content for the side bar...

if($sidebar == ""){

$sidebar = getsidebar();
}

$template = replace(':SIDEFEED:',$sidebar,$template);

//Get the ad content...
$template = replace(':ADS:',$ads,$template);

//Get the slogan info
$template = replace(':SLOGAN:',$slogan,$template);


echo $template;

// **********************************************************************
// End Template Definition
// **********************************************************************



?>


Kaeliah 07-24-2011 02:08 PM

Slix, that's the Rusnak code, not the Mysidia. Rusnak is the base for Mysidia, but we're not supporting the much older versions. Try upgrading to the Mysidia script or instead talk to a coder who can help you out.

Hall of Famer 07-24-2011 09:38 PM

Well, I believe Slix was using the old RA script since he had it way before I took the script over from BMR? Anyway, ditto to what Kaeliah said, please do not post obsolete scripts or tutorials without stating the versions you are using.

Slix 07-31-2011 02:36 PM

Yes, I was using the script since before it was changed over, but I never wanted to upgrade it all because of different mods I had made. I'll see if the newer register script works better. Thanks.

EDIT: Wait, I got it. The hashing of the passwords comes before the check to see if it's blank, therefore letting you do that, so all I had to do was move that down to the bottom right before the INSERT line.

Inf3rnal 08-01-2011 10:57 AM

I tried this with the latest Mysidia and it worked.

You can register with no password but when you try to login with no password it fails.

Plague 08-01-2011 11:28 AM

What Inf3rnal said. I'm running MA not Rusnak and I ran into this issue at one point as well. I honestly forget what in the world I did to fix it, so I'm useless in that regard, but I can confirm that this is an issue with MA as well.

Slix 08-01-2011 12:26 PM

Like I stated above, this:
Code:

//We are attempting to register the user...

        //First MD5 hash the passwords:

        $pass1 = md5($pass1);
        $pass2 = md5($pass2);

Needs to be moved down below here, where it says $date.
Code:

        //All checks are done, actually create the user's account on the database

        $date = date('Y-m-d');

        mysql_query("INSERT INTO ".$prefix."users VALUES ('', '$username', '$pass1','$email','3','1', '$date', '0','','','','','')");

That fixed the issue.
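
The ordering problem described in this thread, as an added example that is not part of any post or of the Rusnak/Mysidia code: hashing before the blank check turns an empty password into a 32-character MD5 string, so the `== ""` test can never fire. The function names and sample inputs are hypothetical, and the whitespace-only check goes slightly beyond the fix posted above.

```php
<?php
// Added example; function names are hypothetical, not from register.php.

// Order used in the posted register.php: hash first, then test for blanks.
function check_hash_first(string $pass1, string $pass2): string
{
    $pass1 = md5($pass1);
    $pass2 = md5($pass2);
    // md5("") is "d41d8cd98f00b204e9800998ecf8427e", so this is never true.
    if ($pass1 == "" or $pass2 == "") {
        return "blank";
    }
    if ($pass1 != $pass2) {
        return "mismatch";
    }
    return "accepted";
}

// Order after the fix: test the raw input, hash only right before storing.
function check_validate_first(string $pass1, string $pass2): string
{
    // trim() also rejects whitespace-only input (an added, stricter check).
    if (trim($pass1) === "" || trim($pass2) === "") {
        return "blank";
    }
    if ($pass1 !== $pass2) {
        return "mismatch";
    }
    // The md5() call belongs here, immediately before the INSERT.
    return "accepted";
}

// Constructed inputs: empty, whitespace-only, mismatched, and a normal pair.
$cases = [["", ""], ["   ", "   "], ["abc", "abd"], ["s3cret!", "s3cret!"]];
foreach ($cases as [$p1, $p2]) {
    printf(
        "%-12s hash-first: %-9s validate-first: %s\n",
        json_encode($p1),
        check_hash_first($p1, $p2),
        check_validate_first($p1, $p2)
    );
}
```

Existing accounts created while the bug was live can be found by looking for the MD5 of the empty string in the password column.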

