md5 i have used

This code uses the MD5 function both with and without padding. Note how, when and why the padding is used here. The hash produced in this code is sent out and then returned ("ping-pong") alongside the email address to confirm that the user is legitimate.

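/**
 * Register a new account from the submitted form and send a confirmation
 * email.
 *
 * Reads user_name, password1, password2, email, first_name and last_name
 * from $_POST and the client address from $_SERVER['REMOTE_ADDR']. The
 * helpers validate_email() and account_namevalid() are called without
 * arguments, so they must inspect $_POST themselves. Requires an open
 * ext/mysql connection (mysql_query() and mysql_real_escape_string() use the
 * last-opened link) and the global $supersecret_hash_padding.
 *
 * @return string feedback for the user; every failure message starts with
 *                'ERROR --'
 */
function user_register() {
  global $supersecret_hash_padding;
  // A missing field used to raise a notice and then fall through to the
  // 'fill in all fields' branch; read it as '' so it fails the same checks
  // without the notice.
  $post_user_name = isset($_POST['user_name']) ? $_POST['user_name'] : '';
  $post_password1 = isset($_POST['password1']) ? $_POST['password1'] : '';
  $post_password2 = isset($_POST['password2']) ? $_POST['password2'] : '';
  $post_email = isset($_POST['email']) ? $_POST['email'] : '';
  // Are all vars present and passwords match? '===' so that two strings which
  // merely compare numerically equal (e.g. '1e3' and '1000') are not
  // accepted as the same password.
  if (strlen($post_user_name) <= 25 && strlen($post_password1) <= 25 &&
    ($post_password1 === $post_password2) && strlen($post_email) <= 50 &&
    validate_email()) {
    // Validate username and password
    if (account_namevalid() && (strlen($post_password1) >= 6)) {
      $user_name = trim(strtolower($post_user_name));
      $email = $post_email;
      // Every value that reaches the SQL text is escaped for the connection's
      // charset. validate_email() may already reject quotes in the address,
      // but first_name and last_name are never validated at all, and escaping
      // the rest costs nothing. (Prepared statements are not available in the
      // ext/mysql API this file uses.)
      $sql_user_name = mysql_real_escape_string($user_name);
      $sql_email = mysql_real_escape_string($email);
      // Don't allow duplicate usernames or emails
      $query = "SELECT id
              FROM user
              WHERE user_name = '$sql_user_name' OR email = '$sql_email'";
      $result = mysql_query($query);
      if ($result && mysql_num_rows($result) > 0) {
        $feedback = 'ERROR -- Username or email address already exists';
        return $feedback;
      }
      $first_name = isset($_POST['first_name']) ? $_POST['first_name'] : '';
      $last_name = isset($_POST['last_name']) ? $_POST['last_name'] : '';
      $sql_first_name = mysql_real_escape_string($first_name);
      $sql_last_name = mysql_real_escape_string($last_name);
      // Unsalted MD5 of the password. The login code must compare against the
      // same digest, so moving to password_hash()/password_verify() has to be
      // done there in the same change.
      $password = md5($post_password1);
      $user_ip = $_SERVER['REMOTE_ADDR'];
      $sql_user_ip = mysql_real_escape_string($user_ip);
      // Confirmation token: MD5 of the address plus the server-side secret.
      // confirm.php recomputes it from the email it receives, so this
      // construction can only change together with confirm.php (an HMAC such
      // as hash_hmac('sha256', ...) would be the stronger replacement).
      $hash = md5($email.$supersecret_hash_padding);
      // $password and $hash are MD5 hex digests and cannot contain quotes.
      $query = "INSERT INTO user (user_name, first_name,
        last_name, password, email, remote_addr, confirm_hash,
        is_confirmed, date_created)
        VALUES ('$sql_user_name', '$sql_first_name', '$sql_last_name',
        '$password', '$sql_email', '$sql_user_ip', '$hash', '0',
        NOW())";
      $result = mysql_query($query);
      if (!$result) {
        $feedback = 'ERROR -- Database error';
        return $feedback;
      }
      // Send the confirmation email. The hash is only meaningful together
      // with the email address, so both travel in the link.
      $encoded_email = urlencode($email);
      $mail_body = <<<EOMAILBODY
Thank you for registering at www.gxsam11.net. Click this link
to confirm your registration:

http://www.gxsam11.net/web/confirm.php?hash=$hash&email=$encoded_email

Once you see a confirmation message, you will be logged into
www.gxsam11.net
EOMAILBODY;
      // $email becomes the recipient header; assumes validate_email() rejects
      // line breaks, otherwise extra mail headers could be injected — confirm.
      mail($email, 'www.gxsam11.net registration confirmation',
        $mail_body, 'From: noreply@gxsam11.net');
      // Give a successful registration message
      $feedback = 'YOU HAVE SUCCESSFULLY REGISTERED.
            You will receive a confirmation email soon';
      return $feedback;
    }
    $feedback = 'ERROR -- Username or password is invalid';
    return $feedback;
  }
  $feedback = 'ERROR -- Please fill in all fields correctly';
  return $feedback;
}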