The php/mysql/flash username and password thing



althorne
July 8th, 2007, 09:33 AM
Hey,

I was using the tutorial, however I noticed a flaw in the new user script.

It allows duplicate users.

The code is as follows ~


<?PHP

$newUser = '';
$newPass = '';
$result  = false;

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Escape the three expected form fields and blank out >, < and |
    // before any of them is used in the query.
    foreach (array('newUser', 'passOne', 'passTwo') as $key) {
        $value = isset($_POST[$key]) ? $_POST[$key] : '';
        $value = addslashes($value);
        $value = strtr($value, ">", " ");
        $value = strtr($value, "<", " ");
        $value = strtr($value, "|", " ");
        $$key = $value;
    }

    // Only accept the password when both entries match.
    if ($passOne == $passTwo) {
        $newPass = $passOne;
    } else {
        print "Passwords mismatched";
    }

    // No check for an existing username is made here, so duplicates are inserted.
    if ($newUser && $newPass) {
        $query = "insert into auth (userid,username,userpassword) ";
        $query .= "VALUES(0000,'$newUser','$newPass')";
        mysql_connect("dbhostname","dbusername","dbpassword")
            or die("Unable to connect to SQL server");
        mysql_select_db("dbname") or die("Unable to select database");
        $result = mysql_query($query) or die("Insert Failed!");
    }
}

if ($result) {
    print "You have successfully entered ".$newUser." with the password of ".$newPass." to your database!!";
}
?>

<html>
<head>
<title>Database Insert Form for kirupa</title>
</head>
<body bgcolor="#FFFFFF">
<h1>Insert Into Database • UCS</h1>


<form action="usercheck.php" method="POST">
New User Name:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" size="20" name="newUser" style="background-color: cyan;"><br>
New User Password: <input type="text" size="20" name="passOne" style="background-color: cyan;"><br>
Verify Password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <input type="text" size="20" name="passTwo" style="background-color: cyan;"><br>
<input type="submit" value="Add User" style="background-color: cyan;">
</form>


<br><br>


<hr>
<?
$queryb="SELECT COUNT(*) FROM auth";
mysql_connect("mysql.host.com","username","password")
or die("Unable to connect to SQL server");
mysql_select_db("yourdatabase") or die("Unable to select database");
$numusers=mysql_query($queryb) or die ("Select Failed - count");
$numuser=mysql_fetch_array($numusers);
?>
<h3>Current Users in Database</h3>
<p>
&nbsp;&nbsp;&nbsp;&nbsp;There are <? echo $numuser[0]; ?> current users in database.<br>
&nbsp;&nbsp;&nbsp;&nbsp;Listed in alphabetical order by user's name:<br>
<br>

<?
$queryc="SELECT * FROM auth ORDER BY username";

$userlist=mysql_query($queryc) or die("Select Failed - users");

?>
<center>
<table border="1" bordercolor="#000000">
<tr>
<td width="20%" bgcolor="#000000">
<font size="2" color="#FFFFFF"><center>
USERS
</center></font>
</td>
<td width="20%" bgcolor="#000000">
<font size="2" color="#FFFFFF"><center>
PASSWORDS
</center></font>
</td>
</tr>
<?
while ($userinfo = mysql_fetch_array($userlist)){
?>
<tr>
<td width="20%" bgcolor="#FFCC33">
<center>
<? echo $userinfo['username']; ?>
</center>
</td>
<td width="20%" bgcolor="#FFCC33">
<center>
<? echo $userinfo['userpassword']; ?>
</center>
</td>
</tr>
<? } ?>

</table>
</center>
<p>
With this form, you can submit new users and passwords. However, you are not able to update or erase entries once
entered. All changes made to your database are updated in real time.
<br><br><br>
</body>
</html>

Can anyone modify the script to not allow duplicate usernames? If possible, display the results in a Flash text box called result. But if not, then just the script.

Cheers, Althorne

Esherido
July 8th, 2007, 09:54 AM
Why not just look at the PHP code, read a couple more tutorials and documentation, try doing it yourself, and if it doesn't work ask us. If you want someone to write that code for you, post in the Job Offers forum.

althorne
July 8th, 2007, 10:05 AM
To be honest, I did try it myself.

And it said on the tutorial to post in the appropriate forum with any questions. I have done what it said.

albino
July 8th, 2007, 12:05 PM
I've not had a great look into the script, but I can start you off.

Where it inserts the new users, all you have to do is do a check to see if that user already exists.

So before you INSERT, do a SELECT query. Loop through the results to see if the username is already there.

Esherido
July 8th, 2007, 12:12 PM
^ Why loop through the results? Just do "SELECT * FROM auth WHERE username = '$newUser';". Then if it returns a row, you know it already exists; if it returns no rows, you know it's available. ;) It's stupid to get everything from the database and then have PHP run through it all, when you can have MySQL do it much faster and more efficiently.

althorne
July 8th, 2007, 12:31 PM
I made a flaw in my database design.

I forgot to make the field username unique. It's all sorted now. Silly error on my part.

Esherido
July 8th, 2007, 01:22 PM
^ Glad you figured it out. I would advise making a good error handling system so that you can use those kinds of errors (Caused by the unique field.) to your advantage. And besides, it's not wise to spit out errors to the visitor, it's ugly and can open up vulnerabilities.

eirche
July 8th, 2007, 02:32 PM
I made a flaw in my database design.

I forgot to make the field username unique. It's all sorted now. Silly error on my part.


You can still make `username` unique. Just add a unique index on `username`.



ALTER TABLE `auth` ADD UNIQUE (`username`);
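
The approach the replies above arrive at (a unique index on `username`, with the duplicate-key error handled in code rather than shown to the visitor), as an added example that is not code from the thread or the tutorial. It assumes PDO with an in-memory SQLite database standing in for the MySQL `auth` table so it runs offline; `register_user`, the status strings and the sample users are hypothetical, and the password is hashed rather than stored as plain text.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL `auth` table.
// The UNIQUE column has the same effect as the ADD UNIQUE index above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth (
    userid       INTEGER PRIMARY KEY,
    username     TEXT NOT NULL UNIQUE,
    userpassword TEXT NOT NULL
)');

// Hypothetical helper: returns 'created', 'taken' or 'error'.
function register_user(PDO $db, string $newUser, string $passOne, string $passTwo): string
{
    if ($newUser === '' || $passOne === '' || $passOne !== $passTwo) {
        return 'error';
    }
    try {
        // Bound parameters replace addslashes(): the values never become SQL text.
        // No SELECT-first check: the index decides, so two simultaneous
        // sign-ups for the same name cannot both succeed.
        $stmt = $db->prepare('INSERT INTO auth (username, userpassword) VALUES (?, ?)');
        $stmt->execute([$newUser, password_hash($passOne, PASSWORD_DEFAULT)]);
        return 'created';
    } catch (PDOException $e) {
        // SQLSTATE 23000 is an integrity-constraint violation; on MySQL the
        // driver code in errorInfo[1] is 1062 for a duplicate key.
        if (($e->errorInfo[0] ?? '') === '23000') {
            return 'taken';
        }
        error_log('register_user failed: ' . $e->getMessage()); // detail goes to the log only
        return 'error';
    }
}

// Fixed, generic messages for the visitor; no database error text is echoed.
$messages = [
    'created' => 'Account created.',
    'taken'   => 'That username is already in use.',
    'error'   => 'Registration failed, please try again.',
];

// Constructed sample submissions: a new user, a duplicate, a password mismatch.
$samples = [['alice', 'pw-one', 'pw-one'], ['alice', 'pw-two', 'pw-two'], ['bob', 'abc', 'abd']];
foreach ($samples as $row) {
    $status = register_user($db, $row[0], $row[1], $row[2]);
    echo $row[0] . ': ' . $messages[$status] . "\n";
}
```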

nite21
April 15th, 2008, 09:36 AM
Anybody know how to validate duplicate username in ActionScript without using SQL?