Registration + Mysql

Hi there, I have started learning MySQL recently and just as an exercise I thought I would try my hand at building a basic registration system using JavaScript, PHP and MySQL. It's going pretty well, but I have come to the point where I will require some help: when I click register it should send the inputted data to the PHP script, which then inserts the data into the MySQL table if it is not already there, but it will do none of this and I am out of ideas as to why this is happening! Note I am using WAMP, but that shouldn’t make a difference?

mysql table

Javascript file - register.js

//	Public variables.
public static var username : String = "";
public static var email : String = "";
public static var password : String = "";

//Private variables.
private var message : String = "";
private var URL : String = "http://localhost/Games/Project_x/register.php";
private var windowRect : Rect = Rect(0, 0, 250, 180);

function OnGUI ()
{
	//	Draw the Register window.
	windowRect = GUI.Window(0, windowRect, RegisterWindow, "Register Account");
}

function RegisterWindow (windowID : int) 
{
	//	Username
	username = GUI.TextField (Rect (80, 20, 160, 20), username, 32);
	GUI.Label(Rect(10, 20, 200, 30), "Username ");
	
	//	Email
	email = GUI.TextField (Rect (80, 50, 160, 20), email, 32);
	GUI.Label(Rect(10, 50, 200, 30), "Email ");
	
	//	Password
	password = GUI.PasswordField (Rect (80, 80, 160, 20), password, "*"[0], 32);
	GUI.Label(Rect(10, 80, 200, 30), "Password ");
	
	//	Messages
	GUI.Label(Rect(10, 150, 200, 30), message);
	
	if(GUI.Button(Rect(80, 110, 100, 30), "Register" ))
	{
		if(username == "" || email == "" || password == "")
		{
			message = "Error : Please complete all fields.";
		}
		

		if(username == username && email == email && password == password)
		{
			var form = new WWWForm();
			
			form.AddField( "username", username );
			form.AddField( "email", email );
			form.AddField( "password", password );
			
			var upload = new WWW(URL, form );
			
			username = "";
			email = "";
			password = "";
		}
	}
	
	GUI.DragWindow (Rect (0,0, 10000, 20));
}

and the php script called register.php

<?php
	mysql_connect("localhost", "root", "") or die(mysql_error());
	mysql_select_db("unity") or die(mysql_error());
	
	$Username = $_POST['username'];
	$Email = $_POST['email'];
	$Password = $_POST['password'];
	
	$check = mysql_query("SELECT * FROM members WHERE username='$Username'");
	$rows = mysql_num_rows($check);
	
	if($rows == 0)
	{
		mysql_query("INSERT INTO members (username, email, password) 
							VALUES ('$Username', '$Email', '$Password')
							");
	}
?>

I figured this out! I forgot to make and add a crossdomain.xml.

OMG phpMyAdmin /facepalm

get the right tools

few hints for you:

  1. Never store plain password text in DB, you have to cache it by using MD5, so your insert query would look like:
mysql_query("INSERT INTO members (username, email, password) VALUES ('$Username', '$Email', MD5('$Password'))");
  1. However, if you would store just the password as MD5, in case of a similar word the output hash would be the same, so you can make it even more complex: store the password as a combination of username and password together:
    example:
    Username: john
    Pass: secret
    then in DB you would insert “john” and “johnsecret”
    or combine it better with mail, as mail has the “@” wild char which will make it very hard to break.

  2. on login verification you ARE NOT sending plain password to the server side to check it, you have to hash it to MD5 at client side and then send hash to server to compare with a hash in DB.
    in case if you combine pass with login or mail, you have to do the same at the client side to get right hash and compare it with one stored in DB.

  3. You didn’t do anything against MySQL injection.
    Taking down your DB would be a matter of seconds :smile:

To implement this I would suggest you do the following:

<?php

        function sqlSafe($string)
	{
		$newCleanData;
		$prohibitedChars = array('/\//', '/\//', '/\;/', '/\"/', '/\'/', '/\=/', '/\\\\/', '/\#/', '/\>/', '/\</', '/\%/', '/\{/', '/\}/', '/\./', '/\(/', '/\)/', '/\`/', '/\~/', '/\*/', '/\^/' );
		$newCleanData=preg_replace($prohibitedChars,'',$string);

		return $newCleanData;
	}
?>

and then when you are going to call your insert or select statement you have to check all user input! Always do it, never let raw user input go to your DB

example of your code:

<?php 
    mysql_connect("localhost", "root", "") or die(mysql_error()); 
    mysql_select_db("unity") or die(mysql_error()); 
     
    $Username = $_POST['username']; 
    $Email = $_POST['email']; 
    $Password = $_POST['password']; 
     
    $check = mysql_query('SELECT * FROM members WHERE username="'.sqlSafe($Username).'"'); 
    $rows = mysql_num_rows($check); 
     
    if($rows == 0) 
    { 
        mysql_query('INSERT INTO members (username, email, password)  
                            VALUES ("'.sqlSafe($Username).'", "'.sqlSafe($Email).'", "'.sqlSafe($Password).'") 
                            '); 
    } 
?>
1 Like
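
An added example, not part of any post in this thread: the same registration flow with PDO prepared statements, so input is bound as data rather than filtered and concatenated, and with PHP's `password_hash()` / `password_verify()`, which salt each password and are deliberately slow, in place of `MD5()`. The function names, the UNIQUE index on `username` (which replaces the separate SELECT check and its race) and the in-memory SQLite demo database are assumptions made so the block runs offline.

```php
<?php
// Added example, not code from the thread. Assumes members(username, email,
// password) as in the posts, plus a UNIQUE index on username. The demo uses
// in-memory SQLite so it runs offline; for MySQL the DSN would look like
// "mysql:host=localhost;dbname=unity;charset=utf8mb4".
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT NOT NULL UNIQUE,
               email TEXT NOT NULL, password TEXT NOT NULL)');
    return $db;
}

function registerMember(PDO $db, string $username, string $email, string $password): bool
{
    if ($username === '' || $password === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Salted, deliberately slow hash; salt and cost live inside the string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO members (username, email, password) VALUES (?, ?, ?)');
    try {
        // Values are bound, not concatenated, so quotes in input stay data.
        return $stmt->execute([$username, $email, $hash]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // duplicate username
            return false;
        }
        throw $e;
    }
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample input.
$db = openDemoDb();
var_dump(registerMember($db, "o'brien", 'ob@example.com', 'secret'));
var_dump(registerMember($db, "o'brien", 'ob@example.com', 'other'));
var_dump(checkLogin($db, "o'brien", 'secret'));
var_dump(checkLogin($db, "o'brien", 'wrong'));
```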