registration.html

<!<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Register</title>
<script type='text/javascript'>
function refreshCaptcha()
{
var img = document.images['captchaimg'];
img.src = img.src.substring(0,img.src.lastIndexOf("?"))+"?rand="+Math.random()*1000;
}
</script>
</head>

<body>
    <fieldset>
        <legend>Registration</legend>

<form name="register" action="register.php" method="post">
    <table width="510" border="0">
        <tr>
            <td colspan="2"><p><strong>Registration Form</strong></p></td>
        </tr>
        <tr>
            <td>Username:</td>
            <td><input type="text" name="username" maxlength="20" /></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" name="password" /></td>
        </tr>
        <tr>
            <td>Confirm Password:</td>
            <td><input type="password" name="password2" /></td>
        </tr>
        <tr>
            <td>Email:</td>
            <td><input type="text" name="email" id="email" /></td>
        </tr>
        <tr>
                <td align="right" valign="top"> Validation code:</td>
                <td><img src="captcha_code_file.php?rand=<?php echo rand();?>" id='captchaimg'><br>
                <label for='message'>Enter the code above here :</label>
                <br>
                <input id="6_letters_code" name="6_letters_code" type="text">
        <br>
        Can't read the image? click <a href='javascript: refreshCaptcha();'>here</a> to refresh
        </p></td>
        </tr>
        <tr>
            <td><input type="hidden" name="formsubmitted" value="true"/> </td>
        </tr>
        tr>
            <td>&nbsp;</td>

            <td><input type="submit" value="Register" /></td>
        </tr>
    </table>
</form>
<div>
if already registered then: 
<a href="login.html"> login</a>   </div>
</fieldset>

</body>
</html>

register.php

<?php
session_start();
 include("DBconnect.php");
 $username =$_POST[ 'username' ];
 $password=$_POST[ 'password' ];
 $con_pass=$_POST['password2'];
 $email =$_POST [ 'email' ] ;
 $status='verify';
 $r1='/[A-Z]/';  //Uppercase
 $r2='/[a-z]/';  //lowercase
 $r3='/[!@#$%^&*()\-_=+{};:,<.>]/';  // whatever you mean by 'special char'
 $r4='/[0-9]/';  //numbers


 if (isset($_POST['formsubmitted']))
 {

    //username validation
        if(empty($_POST['username'])) 
        { 
            die("Please enter a username."); 
        }
    $u="select count(username) from users where username='$username'";
    $result = mysql_query($u);
    // Alwasy verify the result of a mysql query before using it!
         if ($result)
         {
         // Fetch the number in the first column of the only row in 
         // the result set.
         $row = mysql_fetch_row($result);
         $user_count = (int)$row[0];
         // And finally check the number.
          if ($user_count == 1)
      {
            echo "User exists.";

          }

         }
       else {
            // The MySQL query must have failed, so you'd want to stop with an errror.
            // A lot of people would use "die()" for this, but it's an inferior method.
            die("user verification failed ");
       }





     //password validation
        if(empty($_POST['password'])) 
        { 
            die("Please enter a password."); 
        }
    else
     {
        if((preg_match_all($r1,$password, $o)<1))
        die("there should be atleast one Uppercaseletter");
        if(preg_match_all($r2,$password, $o)<1)
        die("there should be atleast one lowercase letter");
        if(preg_match_all($r3,$password, $o)<1)
        die("there should be atleast one special character");
        if(preg_match_all($r4,$password, $o)<1)
        die("there should be atleast one digit");
        if(strlen($password)<8)
         die("length should be greater than 8");


     }

    //password matching validation
    if($_POST['password']!=$_POST['password2'])
    {
         die("password do not match");                 
    }

    //email validation
        if(empty($_POST['email']))
    {
               die("Please Enter your Email");
        }
       if (!preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['email']))
       {
               //regular expression for email validation
               //$Email = $_POST['email'];
            die( "Your Email Address is invalid ") ;
       }       
        $e="select count(email) as 'countemail' from users where email='$email'";
        $r = mysql_query($e);
    if ($r)
        {
         // Fetch the number in the first column of the only row in 
         // the result set.
         $row = mysql_fetch_row($r);
         $user_count = (int)$row[0];
         // And finally check the number.
          if ($user_count == 1)
      {
            echo "email exists.";
          }

       }
       else {
            // The MySQL query must have failed, so you'd want to stop with an errror.
            // A lot of people would use "die()" for this, but it's an inferior method.
            die("email verification failed");
       }
       if(empty($_SESSION['6_letters_code'] ) || strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) != 0)
       {
    $msg="The Validation code does not match!";
       }

 }

  $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
  $password = hash('sha256', $_POST['password'] . $salt); 
 for($round = 0; $round < 65536; $round++) 
 { 
    $password = hash('sha256', $password . $salt); 
 } 
 $activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();

 $qry="insert into users (username,password,salt,email,activationkey,status) values ('$username','$password','$salt','$email','$activationKey','$status')";
 $register = mysql_query($qry);
 if (!$register)
 {
      echo "error 1";;
 }

echo "successful registration";
?>
<a href="login.html"> login</a>

captcha_code_file.php

<?php
session_start();
//Settings: You can customize the captcha here
$image_width = 120;
$image_height = 40;
$characters_on_image = 6;
$font = './monofont.ttf';

//The characters that can be used in the CAPTCHA code.
//avoid confusing characters (l 1 and i for example)
$possible_letters = '23456789bcdfghjkmnpqrstvwxyz';
$random_dots = 10;
$random_lines = 30;
$captcha_text_color="0x142864";
$captcha_noice_color = "0x142864";

$code = '';

$i = 0;
while ($i < $characters_on_image) {
$code .= substr($possible_letters, mt_rand(0, strlen($possible_letters)-1), 1);
$i++;
}

$font_size = $image_height * 0.75;
$image = @imagecreate($image_width, $image_height);

/* setting the background, text and noise colours here */
$background_color = imagecolorallocate($image, 255, 255, 255);

$arr_text_color = hexrgb($captcha_text_color);
$text_color = imagecolorallocate($image, $arr_text_color['red'],
$arr_text_color['green'], $arr_text_color['blue']);

$arr_noice_color = hexrgb($captcha_noice_color);
$image_noise_color = imagecolorallocate($image, $arr_noice_color['red'],
$arr_noice_color['green'], $arr_noice_color['blue']);

/* generating the dots randomly in background */
for( $i=0; $i<$random_dots; $i++ ) {
imagefilledellipse($image, mt_rand(0,$image_width),
mt_rand(0,$image_height), 2, 3, $image_noise_color);
}

/* generating lines randomly in background of image */
for( $i=0; $i<$random_lines; $i++ ) {
imageline($image, mt_rand(0,$image_width), mt_rand(0,$image_height),
mt_rand(0,$image_width), mt_rand(0,$image_height), $image_noise_color);
}

/* create a text box and add 6 letters code in it */
$textbox = imagettfbbox($font_size, 0, $font, $code);
$x = ($image_width - $textbox[4])/2;
$y = ($image_height - $textbox[5])/2;
imagettftext($image, $font_size, 0, $x, $y, $text_color, $font , $code);

/* Show captcha image in the page html page */
header('Content-Type: image/jpeg');// defining the image type to be shown in browser window
imagejpeg($image);//showing the image
imagedestroy($image);//destroying the image instance
$_SESSION['6_letters_code'] = $code;

function hexrgb ($hexstr)
{
$int = hexdec($hexstr);

return array( "red" => 0xFF & ($int >> 0x10),
"green" => 0xFF & ($int >> 0x8),
"blue" => 0xFF & $int);
}
?>

i think there is session problem due to which captcha is not vlidating how to correct it

Works fine for me, what error you get? Here's my test, based on your scripts:

<?php

session_start();

?>

<form method="post">
Validation code:
<img src="captcha.php?rand=<?php echo rand();?>" id='captchaimg'><br />
<label for='6_letters_code'>Enter the code above here:</label>
<input type="text" name="6_letters_code" />
</form>

<?php
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    echo 'POST: ';
    print_r($_POST);
    echo '<br />SESSION: ';
    print_r($_SESSION);
    echo '<br />Result: ';
    if(empty($_SESSION['6_letters_code']) || strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) != 0)
    {
        echo 'false';
    }
    else
    {
        echo 'true';
    }
}

By the way: an ID cannot start by number, so id="6_letters_code" is wrong and will not work if you use JQuery & other javascript frameworks, also it's not a good idea to send an error message declaring that the user does or doesn't exits, it's better to return a generic message as user/password wrong, otherwise an attacker can understand if an account exists and try to find his specific password.

you have written all the code in one php file
but i wrote it in 3 files so i am tinking there is a session error

Ok, then move this to the top of register.php file:

echo 'POST: ';
print_r($_POST);
echo '<br />SESSION: ';
print_r($_SESSION);
die();

place it right after <?php session_start(); and check if the values sent by $_POST and saved in $_SESSION are the same.

commented: i think so too +14

i tried it and it is returning the values the vlues on this page but if i am entering different captcha still it is not validating

Ok, so the problem is that your script doesn't stop if you send a wrong captcha? In your conditional statment you are not stopping the action, just setting $msg variable, if you want to stop the execution the most immediate solution is to use die() as in the other statments:

if(empty($_SESSION['6_letters_code']) || strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) != 0)
{
    die("The Validation code does not match!");
}

This will stop the script but it is not the best user experience. Also when you check if user already exists you should stop the execution:

if($user_count > 0)
{
    die("User exists.");
}

A better solution for handling the errors is to use an array and to check if it is populated, for example:

$errors = array();

$username = 'Shikha_1';
$password = 'p4ss';

if( ! ctype_alpha($username))
{
    $errors['username'] = 'Only alphanumeric characters are allowed for the username.';
}

if(count($password) < 8)
{
    $errors['password'] = 'Password too short';
}

if(count($errors) > 0)
{
    # redirect to form with error messages:
    $_SESSION['errors'] = $errors;
    header('Location: register.html');
}
else
{
    # insert query & other stuff
}