ArcEmu: [php] Encrypted And Secure Signup Page - ArcEmu


[php] Encrypted And Secure Signup Page
Thanks to YennZo for original

#1 Senkin

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 20-November 08

Posted 04 June 2010 - 03:31 AM

This is a very simple, but very secure signup page. The only thing it is missing is a captcha thing. I basically re-wrote the signup page from YennZo and made it work with the latest PHP and MySQL of today (5.3.x). I also removed the sessions; if you want them, add them yourself, since I find them rather useless. Use $cfg["ok"] to add a link back to your home page on successful account creation, if you feel it is needed.

Note: This is a work in progress. I do find it mostly done, but times do change and I might not have found every way to make it as secure as possible. I sure did try though.

Required Fields:
- Account name is A-Z, a-z, numbers only
- Account name, password, email are not blank
- Account name and password are over 5 characters long
- Email field actually contains a full email address (local@host.com is an example)

Optional Settings:
- Prevent the same email as on another account from being used
- Prevent the same IP as on another account from creating an account

CLICK HERE FOR SOURCE
0

#2 iEzri

  • < Ace of spades >
  • Group: Contributor
  • Posts: 1,692
  • Joined: 22-December 08
  • Gender:Female
  • Interests:I'm likely to cause mischief
  • Server OS:Linux

Posted 04 June 2010 - 05:43 AM

Erm, nice script but the $_REQUEST variable is a combination of key and values of $_POST, $_GET and $_COOKIE variables. This is a 'superglobal', or automatic global, variable meaning that it's available in all scopes!

The problem is that you never know where it came from. It might be a cookie, a GET header request, it could also be POST data. So if you use $_REQUEST you have absolutely no guarantee that the data came from the post data, which leads to security holes in your script, we mostly call it a "sticky variable" or "funvar!" ;)

In detail: If you were to expect POST data with var name "blah", someone uses cURL, puts POST data in there and then injects GET data with the name "blah" as well.

But really, people must learn to think of these horrible outcomes before acting selfishly or else... i fear ... web-programming will be forever doomed to a life of only semi-luxury ^^

lol
I do not join. I lead.
0

#3 Kekers

  • I have no life
  • Group: Contributor
  • Posts: 9,023
  • Joined: 25-May 10
  • Gender:Male
  • Location:Awwstrayleyer

Posted 04 June 2010 - 06:17 AM

The only thing that's going to go wrong with using $_REQUEST in this script is someone will end up overriding the POST variable with a get or cookie variable (depends on your EGPCS order however). There are no security holes since any invalid strings will be picked up by the regex.
You should probably save the preg/ereg tests until after the basic logic tests (like strlen, empty etc) since they're fairly slow.

PS: It's safer to use mysql_real_escape_string instead of addslashes
if(!this)
0
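A hardened version of the signup handler the two replies above call for, as an added example that is not the thread's script: it reads only $_POST (so a GET or cookie value cannot shadow the form field the way it can with $_REQUEST), runs the cheap empty/strlen tests before the regex, and binds values with a prepared statement instead of addslashes() or mysql_real_escape_string(). The table, column and $cfg key names are assumptions, not ArcEmu's real logon schema.

```php
<?php
// Added example, not the thread's script. Reads only $_POST, so a GET or
// cookie value cannot shadow the form field as it can with $_REQUEST; runs the
// cheap empty/strlen checks before the regex; binds values with a prepared
// statement instead of addslashes(). Table, column and $cfg key names are assumed.

function validate_signup(array $in): array
{
    $login    = $in['login'] ?? '';
    $password = $in['password'] ?? '';
    $email    = $in['email'] ?? '';
    $errors   = [];

    // Required: nothing blank (cheapest test first)
    if ($login === '' || $password === '' || $email === '') {
        return ['Account name, password and email must not be blank.'];
    }
    // Required: account name and password over 5 characters long
    if (strlen($login) <= 5 || strlen($password) <= 5) {
        $errors[] = 'Account name and password must be over 5 characters long.';
    }
    // Required: account name is A-Z, a-z, digits only (regex after the cheap tests)
    if (!preg_match('/^[A-Za-z0-9]+$/', $login)) {
        $errors[] = 'Account name may only contain letters and digits.';
    }
    // Required: a full email address such as local@host.com
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return $errors;
}

// Optional settings from the first post: refuse a duplicate email or duplicate IP.
function create_account(PDO $db, array $in, string $ip, array $cfg): bool
{
    foreach (['allow_multi_email' => ['email', $in['email']],
              'allow_multi_ip'    => ['last_ip', $ip]] as $opt => [$col, $val]) {
        if (empty($cfg[$opt])) {           // $col comes from the fixed list above
            $q = $db->prepare("SELECT 1 FROM accounts WHERE $col = ? LIMIT 1");
            $q->execute([$val]);
            if ($q->fetchColumn() !== false) {
                return false;              // already used by another account
            }
        }
    }
    // Store the password in whatever form your logon server expects;
    // password_hash() is only a stand-in here (assumption).
    $ins = $db->prepare('INSERT INTO accounts (login, password, email, last_ip) VALUES (?, ?, ?, ?)');
    return $ins->execute([$in['login'], password_hash($in['password'], PASSWORD_DEFAULT), $in['email'], $ip]);
}
```

Call validate_signup($_POST) first and only call create_account($db, $_POST, $_SERVER['REMOTE_ADDR'], $cfg) when it returns an empty array; $_REQUEST is never consulted.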

#4 Senkin

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 20-November 08

Posted 04 June 2010 - 11:18 AM

Guys I never said it was intended to be used in other pages where there are more variables being used. This is just meant to be used as is. If you want to take the code and use it on your site with the needed modifications then go for it.

Since I had two of you though who just had to mention it I just replaced them with POST. Oh and you are right about the mysql_real_escape_string part, I forgot about it ;).
0

#5 iEzri

  • < Ace of spades >
  • Group: Contributor
  • Posts: 1,692
  • Joined: 22-December 08
  • Gender:Female
  • Interests:I'm likely to cause mischief
  • Server OS:Linux

Posted 04 June 2010 - 11:32 AM

Senkin, on 04 June 2010 - 11:18 AM, said:

Guys I never said it was intended to be used in other pages where there are more variables being used. This is just meant to be used as is. If you want to take the code and use it on your site with the needed modifications then go for it. Also I can provide a portable version too.


hey, don't misunderstand me on this, i was just thinking a little more about the script and thought i should share this info with you, as obviously if you had known about this issue i mentioned you wouldn't have used request... i don't want to ridicule you or so, it was just meant as some kind of telling you something you might not have known... and OFC to absolutely show off how good i am! ;) :lol:
I do not join. I lead.
0

#6 Senkin

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 20-November 08

Posted 04 June 2010 - 08:00 PM

Hehe, sometimes I get a tiny bit defensive. Thanks for your input, and I would like your opinion on it now that I have fixed the two things mentioned. I am going to be removing the CSS stuff to allow people to choose what they want theirs to look like. Most already have their own CSS style they like to use for tables and forms anyhow.

-edit-
Updated script a bit to be a little more clean and use better email verification as well as fixed allow multi email and IP.
0

#7 snake87401

  • Member
  • Group: Members
  • Posts: 81
  • Joined: 21-December 08
  • Gender:Male
  • Interests:im interested in computer programming/gfx

Posted 16 December 2010 - 01:18 AM

this tut is pretty confusing; perhaps there's someone out there who can tell me how to get one working for my server
0

#8 iEzri

  • < Ace of spades >
  • Group: Contributor
  • Posts: 1,692
  • Joined: 22-December 08
  • Gender:Female
  • Interests:I'm likely to cause mischief
  • Server OS:Linux

Posted 16 December 2010 - 02:54 AM

snake87401, on 16 December 2010 - 01:18 AM, said:

this tut is pretty confusing; perhaps there's someone out there who can tell me how to get one working for my server


confusing?

hm, i guess you just would have to fill in those values:
$dbhost = "127.0.0.1";
$dbuser = "root";
$dbpassword = "P@ssw0rd";
$db = "arcemu_logon";


i didn't test this script tbh
I do not join. I lead.
0

#9 Ravend

  • Member
  • Group: Members
  • Posts: 12
  • Joined: 14-February 11
  • Gender:Male
  • Server OS:Windows

Posted 16 February 2011 - 05:42 AM

how to do that at least for the login (3 chars min) ???
// check if login and password is over 5 characters long
if (strlen($login) <= 2 || strlen($password) <= 2) {
    echo "<div style='background-color:red; color:white; font-weight:bold;'>Login or password was under 6 characters long !</div>".form();
    return false;
}
0

#10 dfighter

  • Titles are overrated
  • Group: Administrator
  • Posts: 5,189
  • Joined: 14-June 08
  • IRC:dfighter
  • Gender:Male
  • Server OS:Linux

Posted 16 February 2011 - 07:13 AM

Ravend, on 16 February 2011 - 05:42 AM, said:

how to do that at least for the login (3 chars min) ???
// check if login and password is over 5 characters long
if (strlen($login) <= 2 || strlen($password) <= 2) {
    echo "<div style='background-color:red; color:white; font-weight:bold;'>Login or password was under 6 characters long !</div>".form();
    return false;
}

http://php.net/docs.php
"The demand for free goods is infinite."
0

#11 avatarscape

  • Member
  • Group: Members
  • Posts: 18
  • Joined: 30-September 08

Posted 12 July 2011 - 01:48 AM

No SSL? No pre-post encryption? How is this 'encrypted' or 'secure' if there's no method of stopping attackers from packet sniffing between browser and server?
0

#12 iEzri

  • < Ace of spades >
  • Group: Contributor
  • Posts: 1,692
  • Joined: 22-December 08
  • Gender:Female
  • Interests:I'm likely to cause mischief
  • Server OS:Linux

Posted 12 July 2011 - 12:35 PM

like i said, it's not that safe imo... but then, who would have an interest on wow databases... ;)
I do not join. I lead.
0

#13 salamanda

  • Enthusiast
  • Group: Members
  • Posts: 161
  • Joined: 10-July 08

Posted 23 July 2011 - 03:41 PM

iEzri, on 12 July 2011 - 12:35 PM, said:

like i said, it's not that safe imo... but then, who would have an interest on wow databases... :(


Maybe I'm replying to an old thread, can't see post dates (though I might be blind), but there are people out there who like to cause damage to whatever they can just because they can. If you leave it insecure, someone will eventually exploit it.
0

#14 iEzri

  • < Ace of spades >
  • Group: Contributor
  • Posts: 1,692
  • Joined: 22-December 08
  • Gender:Female
  • Interests:I'm likely to cause mischief
  • Server OS:Linux

Posted 24 July 2011 - 09:49 AM

but but but...

iEzri, on 04 June 2010 - 05:43 AM, said:

people must learn to think of these horrible outcomes before acting selfishly or else... i fear ... web-programming will be forever doomed to a life of only semi-luxury ^^


:(
I do not join. I lead.
0

#15 Nixxous

  • Member
  • Group: Members
  • Posts: 14
  • Joined: 15-February 11
  • Gender:Male
  • Server OS:Linux

Posted 20 July 2012 - 05:18 AM

.....Mysql Error : 1364
0

#16 MoltenX

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 02-March 13
  • Gender:Male
  • Server OS:Windows

Posted 03 March 2013 - 03:57 AM

Try this one: http://paste2.org/p/3029582
Preview here (No DB Connection): http://ask.flex-net.org/
MoltenX
0
