0
<?php
 include("DBconnect.php");
 //Retrieving data from html form
 $username =$_POST[ 'username' ];
 $email =$_POST [ 'email' ] ;
 $status='verify';
// A salt is randomly generated here to protect again brute force attacks 
 // and rainbow table attacks.  The following statement generates a hex 
  // representation of an 8 byte salt.  Representing this in hex provides 
        // no additional security, but makes it easier for humans to read. 
        // For more information: 
        // http://en.wikipedia.org/wiki/Salt_%28cryptography%29 
        // http://en.wikipedia.org/wiki/Brute-force_attack 
        // http://en.wikipedia.org/wiki/Rainbow_table 
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
        // This hashes the password with the salt so that it can be stored securely 
        // in your database.  The output of this next statement is a 64 byte hex 
        // string representing the 32 byte sha256 hash of the password.  The original 
        // password cannot be recovered from the hash.  For more information: 
        // http://en.wikipedia.org/wiki/Cryptographic_hash_function 
        $password = hash('sha256', $_POST['pass'] . $salt); 
       // Next we hash the hash value 65536 more times.  The purpose of this is to 
        // protect against brute force attacks.  Now an attacker must compute the hash 65537 
        // times for each guess they make against a password, whereas if the password 
        // were hashed only once the attacker would have been able to make 65537 different  
        // guesses in the same amount of time instead of only one. 
        for($round = 0; $round < 65536; $round++) 
        { 
            $password = hash('sha256', $password . $salt); 
        } 
 //for mysql injection (security reasons)
  //$username = mysql_real_escape_string($username);
  //$email = mysql_real_escape_string($email);
  //$password = mysql_real_escape_string($password);
  if ($_POST['form_submitted'] == '1')
 {
       ##User is registering, insert data until ;we can activate it
   $activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();
   // inserting data into database
   $qry="insert into users (username,passwordsalt,email,activationkey,status) values ('$username','$password','$salt','$email','$activationKey','$status')";
  $register = mysql_query($qry);
if (!mysql_query($register))
  {
  die('Error: '. mysql_error());
  }
echo "An email has been sent to $email with an activation key. Please check your mail to complete registration.";
##Send activation Email
$to = $email;
$subject = "Registration";
$message = "Welcome to our website!\r\rYou, or someone using your email address, has completed registration . You can complete registration by clicking the following link:http://localhost:82/Authentication%20system/register.php?$activationKey\r\rIf this is an error, ignore this email and you will be removed from our mailing list.\r\rRegards,\ YOURWEBSITE.com Team";
$headers = 'From: verma.shikha1991@gmail.com' . "\r\n" .
                     'Reply-To: verma.shikha1991@gmail.com' . "\r\n" .
                     'MIME-Version: 1.0' . "\r\n" .
                      'Content-type: text/html; charset=iso-8859-1' . "\r\n" .
                    'X-Mailer: PHP/' . phpversion();
    if(mail($to, $subject, $message, $headers))
      echo "Email sent";
    else
      echo "Email sending failed";
}
else 
{
  ##User isn't registering, check verify code and change activation code to null, status to activated on success
  $queryString = $_SERVER['QUERY_STRING'];
  $result = mysql_query("SELECT * FROM users");
  while($row = mysql_fetch_array($result))
  {
    if ($queryString == $row["activationkey"])
  {
       echo "Congratulations!" . $row["username"] . " is now the proud new owner of account.";  

       if (!mysql_query("UPDATE users SET activationkey = '', status='activated' WHERE (id = $row[id])"))
        {
    die('Error: '.mysql_error());
        }
  }
 } 
}
echo "successful registration";
?>
3
Contributors
2
Replies
8
Views
4 Years
Discussion Span
Last Post by pzuurveen
0

line 72
!mysql_query("UPDATE users SET activationkey = '', status='activated' WHERE (id = $row[id])")
this will not work because of the $row[id]
also You probley want $row['id'])

$query = sprintf("UPDATE users SET activationkey = '', status='activated' WHERE (id = %s)",$row['id']);
If(!mysql_query($query)){
This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.