md5 i have used

This code calls md5() in two ways: once on its own, and once with a secret string appended, which the code calls padding (it is not cryptographic padding in the hash-function sense; it is a server-side secret used like a key). It is worth noting how, when and why that secret gets added. The plain call, md5($_POST['password1']), is the stored password hash: it is unsalted, so every user who picks the same password ends up with the same stored value, and that value can be matched directly against precomputed MD5 digests. The keyed call, md5($email.$supersecret_hash_padding), produces the confirmation hash that is written to the user row and sent out in the registration e-mail together with the address. The hash works as a ping-pong: the user proves the mailbox is theirs by coming back with it, and the server recomputes md5(email + secret) and compares. Without the secret, anyone could compute a valid confirmation link for any address, so the secret must never reach the client; HMAC is the standard construction for a keyed hash of this kind and is preferable to appending a secret to the message by hand.

function user_register() {
  global $supersecret_hash_padding;
  // Are all vars present and passwords match?
  if (strlen($_POST['user_name']) <= 25 && strlen($_POST['password1']) <= 25 &&
    ($_POST['password1'] == $_POST['password2']) && strlen($_POST['email']) <= 50 &&
    validate_email()) {
    // Validate username and password
    if (account_namevalid() && (strlen($_POST['password1']) >= 6)) {
      $user_name = strtolower($_POST['user_name']);
      $user_name = trim($user_name);
      // Don't need to escape, because single quotes aren't allowed
      // (that only covers the fields validate_email() and account_namevalid()
      // check; first_name and last_name below are interpolated into SQL unescaped)
      $email = $_POST['email'];
      // Don't allow duplicate usernames or emails
      // (mysql_query()/mysql_num_rows() are the legacy mysql extension, removed in PHP 7)
      $query = "SELECT id
              FROM user
              WHERE user_name = '$user_name' OR email = '$email'";
      $result = mysql_query($query);
      if ($result && mysql_num_rows($result) > 0) {
        $feedback = 'ERROR -- Username or email address already exists';
        return $feedback;
      } else {
        $first_name = $_POST['first_name'];
        $last_name = $_POST['last_name'];
        // MD5 without padding: unsalted hash of the password
        $password = md5($_POST['password1']);
        $user_ip = $_SERVER['REMOTE_ADDR'];
        // MD5 with padding: the secret appended to the email keys the confirmation
        // hash, which goes both into the db and into the confirmation email
        $hash = md5($email.$supersecret_hash_padding);
        $query = "INSERT INTO user (user_name, first_name,
          last_name, password, email, remote_addr, confirm_hash,
          is_confirmed, date_created)
          VALUES ('$user_name', '$first_name', '$last_name',
          '$password', '$email', '$user_ip', '$hash', '0',
          NOW())"; // date_created; the listing was cut off here, NOW() assumed
        $result = mysql_query($query);
        if (!$result) {
          $feedback = 'ERROR -- Database error';
          return $feedback;
        } else {
          // Send the confirmation email
          $encoded_email = urlencode($_POST['email']);
          $mail_body = <<<EOMAILBODY
Thank you for registering at Click this link
to confirm your registration:$hash&email=$encoded_email

Once you see a confirmation message, you will be logged into
EOMAILBODY;
          mail($email, ' registration confirmation',
            $mail_body, 'From:');
          // Give a successful registration message
          $feedback = 'You will receive a confirmation email soon';
          return $feedback;
        }
      }
    } else {
      $feedback = 'ERROR -- Username or password is invalid';
      return $feedback;
    }
  } else {
    $feedback = 'ERROR -- Please fill in all fields correctly';
    return $feedback;
  }
}

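The following is an added example, not code from the original post, putting the two md5() uses above next to what a current PHP build offers for the same two jobs. The wordlist, the e-mail address and the server key are constructed for the demonstration; in a real deployment the key would be loaded from configuration, never from source.

```php
<?php
// Added example (not part of the original post). Inputs below are constructed.

// --- 1. Password storage ---------------------------------------------------
// md5($password), as stored by user_register(), is unsalted and deterministic:
// everyone who picks the same password gets the same digest, and a precomputed
// digest -> word table recovers it with a single lookup.
$wordlist = ['123456', 'password', 'qwerty', 'letmein'];   // constructed wordlist
$precomputed = [];
foreach ($wordlist as $w) {
    $precomputed[md5($w)] = $w;
}

function crack_unsalted_md5(string $stored, array $precomputed): ?string {
    // One array lookup; no hashing work at all once the table exists.
    return $precomputed[$stored] ?? null;
}

$stored_weak = md5('letmein');                              // what the post's code stores
echo "unsalted md5 lookup recovers: ", crack_unsalted_md5($stored_weak, $precomputed), "\n";

// password_hash() draws a random salt per call and uses a deliberately slow
// algorithm (bcrypt by default), so two users with 'letmein' get different
// strings and the table above has nothing to match. password_verify() reads
// the salt and parameters back out of the stored string.
$stored_a = password_hash('letmein', PASSWORD_DEFAULT);
$stored_b = password_hash('letmein', PASSWORD_DEFAULT);
echo "same password, different stored values: ", ($stored_a !== $stored_b ? 'yes' : 'no'), "\n";
echo "verify correct password:  ", (password_verify('letmein', $stored_a) ? 'ok' : 'fail'), "\n";
echo "verify wrong password:    ", (password_verify('letmeim', $stored_a) ? 'ok' : 'fail'), "\n";

// --- 2. Confirmation hash --------------------------------------------------
// md5($email . $supersecret_hash_padding) is a hand-rolled keyed hash: the
// secret suffix is the only thing stopping anyone from minting a valid link
// for an arbitrary address. HMAC is the standard construction for that job,
// and hash_equals() does the comparison without a timing side channel.
$confirm_key = 'constructed-server-secret-load-from-config'; // assumption: comes from config

function make_confirm_token(string $email, string $key): string {
    // Normalise the address the same way on issue and on check.
    return hash_hmac('sha256', strtolower(trim($email)), $key);
}

function check_confirm_token(string $email, string $token, string $key): bool {
    return hash_equals(make_confirm_token($email, $key), $token);
}

$token = make_confirm_token('alice@example.com', $confirm_key);         // constructed address
echo "token accepted for the right address: ",
     (check_confirm_token('alice@example.com', $token, $confirm_key) ? 'yes' : 'no'), "\n";
echo "token accepted for another address:   ",
     (check_confirm_token('mallory@example.com', $token, $confirm_key) ? 'yes' : 'no'), "\n";
// The link can then carry email=...&token=... the same way the post's mail body does.
```

The token here is still derived from the address plus a server secret, so the server stores nothing extra and verification is a recomputation, as in the post. If you would rather not depend on a long-lived secret at all, the other common option is a random per-user value from random_bytes(), stored in the confirm_hash column and compared with hash_equals(); either way, an unsalted md5() is the part that should not survive in the password column.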
This entry was posted by samehramzylabib in Coding, PHP Security.