Hey mensen!
Ik heb laast begonnen met PHP/SQL progammeren.
Het lukt me al aardig, en ik wil gaan beginnen aan een forum.(Heb al een login, registratie systeem, onlinebar, en usermanagement)
Nou vroeg ik me af of alles veilig is, en ik aan een forum kan beginnen/afmaken.
Zou iemand mijn registratie systeem willen nakijken?
Ik gebruik al real_escape_string, en query's in een if statement.
Hartelijk dank
Gelieve niet te reageren op mijn script style ect, maar puur of het veilig is of efficient geschreven is.
(Captcha heb ik er even uitgehaald)
Hier is mijn code:
PHP
<?php
// PHP SYSTEEM
if($user == false){
} elseif ($user == true){
echo "<script> window.location.href = '?page=home';</script>";
}
if($_SERVER['REQUEST_METHOD'] == 'POST'){
if(isset($_POST['username']) && !empty($_POST['username']) AND isset($_POST['email']) && !empty($_POST['email']) AND isset($_POST['password']) && !empty($_POST['password']) AND isset($_POST['password2']) && !empty($_POST['password2'])){
//Check of passworden overeen komen
if($_POST['password'] == $_POST['password2']){
// Beveiliging
$password = hash('SHA512', $salt.$_POST['password']);
$password2 = hash('SHA512', $salt.$_POST['password2']);
$username = $connect->real_escape_string($_POST['username']);
$email = $connect->real_escape_string($_POST['email']);
$key = $connect->real_escape_string($_POST['key']);
if($checkkey = $connect->query("SELECT * FROM `codes` WHERE code='$key' && used='0'")){
$workskey = $checkkey->num_rows;
if($workskey == 0){
echo "<h3>Key not valid, or already used!</h3>";
} else {
if($updatekeys = $connect->query("UPDATE `codes` SET used='1' WHERE code='$key'")){
if($update2keys = $connect->query("UPDATE `codes` SET used_by='$username' WHERE code='$key'")){
if($update3keys = $connect->query("UPDATE `codes` SET used_date=NOW() WHERE code='$key'")){
//Username Check
if($checkusername = $connect->query("SELECT * FROM users WHERE username='$username'")){
$checkusername2 = $checkusername->num_rows;
if($checkusername2 > 0){
echo "Username already used!!";
} else {
//Email check
if($checkemail = $connect->query("SELECT * FROM users WHERE email='$email'")){
$checkemail2 = $checkemail->num_rows;
if($checkemail2 > 0){
echo "Email already used in database!";
} else {
//INSERT INFORMATION Query
$query = "INSERT INTO users(username, password, email, rank, last_move, ipadress, agent, banned, ban_reason)
VALUES ('$username','$password','$email', '1', NOW(), '$user_ip','$user_agent', '0', '-1')";
if($insertinfo = $connect->query($query)){
echo "<p>You successfully registered a account. Now you can login!</p>";
echo "<script type='text/javascript'>
window.setTimeout(function() {
window.location.href = '?page=home';
}, 5000);
</script>
";
}//Insert Query end
}// End mail test (Of hij al in de database staat)
} else { // End en Else in Emailcheck
echo "<h3>ERROR</h3>";
}
}// End Username check(Of hij al in de database staat)
} // END username check
} // Key update 3 END
} // Key update 2 END
} // Key update 1 END
} // End key (Als hij fout is)
} // END checkkey
} else {// Passworden komen niet overheen
echo '<h3>Passwords are not the same!</h3>';
}
} //Check passwords
} else {
//HTML FORM
?>
<h1>Register</h1>
<form action="" method="post">
<table style="color:black;">
<tr>
<td>Username*:</td>
<td><input type="username" name="username" maxlength="16" ></td>
<td>Will be shown on the site.</td>
</tr>
<tr>
<td>Password*:</br></td>
<td><input type="password" name="password"></td>
<td>Your password*.</td>
</tr>
<tr>
<td>Password check*:</br></td>
<td><input type="password" name="password2"></td>
<td>Repeat password.</td>
</tr>
<tr>
<td>E-mail*:</br></td>
<td><input type="email" name="email"></td>
<td>Your emailadress</td>
</tr>
<tr>
<td>Key*:</br></td>
<td><input type="text" name="key"></td>
<td>I need to register(If you dont got one, read the homepage.</td>
</tr>
<tr>
<td>
<input type="submit" class="button-success pure-button" value="Register">
</td>
</tr>
</table>
</form>
<?php } ?>