lab12

Reputation: 6448

PHP Registration Form - SQL

I want to make a Registration form from PHP to register their username and password into my SQL Database. Here is what I have:

config.php:

    <?php
    $host['naam'] = 'localhost';            // my host
    $host['gebruikersnaam'] = 'root';       // my database username
    $host['wachtwoord'] = '';               // my database password
    $host['databasenaam'] = 'project';      // my database name

    $db = mysql_connect($host['naam'], $host['gebruikersnaam'], $host['wachtwoord']) OR die ('Cant connect to the database');
    mysql_select_db($host['databasenaam'], $db);
    ?>

index.php:

    <html>
    <head>
    <title>Deltalus Account Registration</title>
    <style>
    *{ FONT-SIZE: 8pt; FONT-FAMILY: verdana; } b { FONT-WEIGHT: bold; } .listtitle { BACKGROUND: #425984; COLOR: #EEEEEE; white-space: nowrap; } td.list { BACKGROUND: #EEEEEE; white-space: nowrap; } </style>
    </head>
    <body>
    <center><br><br><br><br>
    <h1>Deltalus Database</h1>
    <table cellspacing=1 cellpadding=5>
    <tr>
    <td class=listtitle colspan=2>Register at my server</td></tr>
    <form action="register_do.php" method="POST">
    <tr><td class=list align=right>Username:</td><td class=list><input type=text name=name maxlength="30"></td></tr>
    <tr><td class=list align=right>Password:</td><td class=list><input type=password name=pass maxlength="30"></td></tr>
    <tr><td class=listtitle align=right colspan=2><input type=submit name=submit value='Register'></td></tr>
    </form>
    </table>
    <br>

    </center></body></html>

register_do.php:

    <?php
    print '<title>Deltalus Database Server</title>';
    $name = $_POST['name'];
    $pass = $_POST['pass'];
    include('config.php');   // opens $db (see config.php)

    // Existence check on the same table the INSERT below writes to.
    // Note: $name is concatenated straight into the SQL text here.
    $sel = 'SELECT * FROM users WHERE username="'.$name.'"';
    if($name == ""){
        echo 'No username filled in';
        exit();
    }elseif(mysql_num_rows(mysql_query($sel)) >= 1 ){
        echo 'This username already exists!';
        exit();
    }elseif($pass == ""){
        echo 'No password filled in';
        exit();
    }else{
        // Password is stored as submitted, in plain text.
        $d = 'INSERT INTO users (username, password) VALUES ("'.$name.'", "'.$pass.'")';
        mysql_query($d) OR die (mysql_error());
        echo 'Your account has been created, you can now login.';
    }
    ?>

Ok so the problem is when I post this to my website. It gives me this error saying that POST is not available or something. Wait let me back up, when I press register, it says that error. How would I fix this? Is there anything wrong with my coding?

Thanks,

Kevin

Upvotes: 0

Views: 3461

Answers (2)

Daren Schwenke

Reputation: 5478

Um... So many issues I don't know where to start. First off, your code is SQL injection heaven.
You need to totally rethink this if this code is ever going to see the light of day.

Consider what would happen if someone specified a username of:

blah","blah");DELETE TABLE users;

You didn't post your login code for this, but given your current coding style, consider if someone specified a password on login of:

asdf" OR "1" = "1

That would effectively log in any user without a password.

Also passwords should never be stored in plain text. They should at the very least be stored encrypted. In almost all cases they should be hashed. That is to say they should be stored using one way encryption like SHA256. A recent discussion on this.

Then to check if the user provided a valid password, you compare the two hashed versions, and never know what the original was really.

Consider using the mysqli library instead of mysql. mysql in php is old and a lot slower than mysqli. Mysqli also offers something called prepared queries that can eliminate the risk of SQL injection if used correctly. A class I've written to simplify its use.

Beyond these issues, it appears that you are not including config.php in your register_do.php. Your SQL statements will not work without it.

What version of php and mysql are you using?

Upvotes: 6
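The points in the answer above (parameterised queries via mysqli, hashed rather than plain-text passwords, comparing hashes at login) put together in one register_do.php. This is an added example, not the original poster's code and not the mysqli wrapper class the answer links to. It assumes PHP 7 or later with the mysqlnd driver (for `get_result()`), the same `project` database and credentials as the poster's config.php, and a `users` table with a unique `username` column and a `password_hash` VARCHAR(255) column. In place of the bare SHA256 the answer mentions it uses PHP's built-in `password_hash()` / `password_verify()`, which add a per-user salt and a slow hash by default.

```php
<?php
// Added example: register_do.php rewritten with mysqli prepared statements and password_hash().
// Assumptions (not from the original post): PHP 7+, mysqlnd, table `users`(username UNIQUE, password_hash VARCHAR(255)).
declare(strict_types=1);

// Throw exceptions on SQL errors instead of continuing with a failed query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'root', '', 'project');   // same values as the poster's config.php
$db->set_charset('utf8mb4');

/**
 * Insert a new user and return a status message.
 * The username and password never become part of the SQL text: they are bound as
 * parameters, so a username such as  blah","blah");DELETE TABLE users;  is simply
 * stored as that literal string and cannot change the statement.
 */
function register_user(mysqli $db, string $name, string $pass): string
{
    if ($name === '') {
        return 'No username filled in';
    }
    if ($pass === '') {
        return 'No password filled in';
    }

    // Existence check with a placeholder instead of string concatenation.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $exists = $stmt->get_result()->num_rows > 0;
    $stmt->close();
    if ($exists) {
        return 'This username already exists!';
    }

    // Store a salted, slow hash (bcrypt under PASSWORD_DEFAULT), never the plain-text password.
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $hash);
    $stmt->execute();
    $stmt->close();

    return 'Your account has been created, you can now login.';
}

/**
 * Login check for the companion login page: fetch the stored hash for the username,
 * then let password_verify() redo the hash and compare. A password of
 * asdf" OR "1" = "1  is just a wrong password here, not a query fragment.
 */
function check_login(mysqli $db, string $name, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // The original password is never stored and never needed; only the hash is compared.
    return $row !== null && password_verify($pass, $row['password_hash']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = (string) ($_POST['name'] ?? '');
    $pass = (string) ($_POST['pass'] ?? '');
    // Escape the message on output so user-controlled text is not rendered as HTML.
    echo htmlspecialchars(register_user($db, $name, $pass), ENT_QUOTES, 'UTF-8');
}
```

The form from index.php can post to this file unchanged. If an older PHP without `password_hash()` is in use (the answer asks which version), the same structure still applies; only the hashing call would need replacing, and the prepared statements are what remove the injection risk.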

David Snabel-Caunt

Reputation: 58361

It sounds like your HTTP server is misconfigured, and/or not accepting POST requests. Do you have this page on-line so that I can take a look and possibly elaborate?

Upvotes: 0
