Building Site Registration for Web Application Security

In this article we will be exploring the registration script of our site. This script is responsible for registering new users for the website. We will also be looking at database security; since the registration script also uses a database table, we will implement some of the concepts that we will be discussing. This article is the sixth part of an eight-part series on web application security.

The Registration Script

The registration script is responsible for registering new users to our website. Any user that wants access to our website will have to go through this registration process. The script presents the user with an HTML form that requires a username, a password and an email address. The script takes these credentials and adds them to the database. Below is the code that makes all of this happen:


<?php

$errmsg = "";
$error  = false;

if (isset($_POST['key'])) {

    // NEED TO CHECK IF FIELDS ARE FILLED IN
    // (each field is tested on its own, so one missing value is enough to stop)
    if (empty($_POST['name']) || empty($_POST['email'])) {
        echo "Please enter your username and email.";
        $comb = "Please enter your username and email.";
        exit;
    }

    if (empty($_POST['pw1']) || empty($_POST['pw2'])) {
        print "Please enter your password.";
        $pw = "Please enter your password.";
        exit;
    }

    // check that the username and password are strings, not plain numbers
    if (is_numeric($_POST['name']) || is_numeric($_POST['pw1'])) {
        print "Please enter a valid username and password.";
        $errmsg = " Please enter a valid username and password.";
        $error  = true;
    }

    if (is_numeric($_POST['pw2'])) {
        print "Please enter a valid confirmation password.";
        $errmsg = " Please enter a valid confirmation password.";
        $error  = true;
    }

    // Check if email address has correct format (case-insensitive match)
    if (!preg_match('/^[a-z0-9]+[a-z0-9_-]*(\.[a-z0-9_-]+)*@[a-z0-9_-]+(\.[a-z0-9_-]+)*\.[a-z]{2,}$/i', $_POST['email'])) {
        $errmsg = " Please enter a valid email address.";
        $error  = true;
    }

    if (!$error) {
        $name  = $_POST['name'];
        $email = $_POST['email'];
        $pw1   = $_POST['pw1'];
        $pw2   = $_POST['pw2'];

        if ("$pw1" !== "$pw2") {
            print "your confirmation password has been mistyped or is empty,please try again";
            $conf = "your confirmation password has been mistyped or is empty,please try again";
            exit;
        }

        // connect to the db server (config.php opens the connection), check if uname exists
        include('../config.php');

        // escape the user-supplied values before they are placed inside SQL strings
        $name  = mysql_real_escape_string($name);
        $email = mysql_real_escape_string($email);
        $pw1   = mysql_real_escape_string($pw1);

        $query  = "SELECT uname FROM users WHERE uname='$name'";
        $result = mysql_query($query);
        $num    = mysql_num_rows($result);

        if ($num > 0) { // Username already exists
            print "The username is already taken,please try again";
            $taken = "The username is already taken,please try again";
            print "<p><a href=\"http://localhost/loginscript/register.php\">Click here to try again.</a></p>";
            exit;
        } else {
            // if username does not exist insert user details
            $query = "INSERT INTO users (uname, pw, email) VALUES ('$name', PASSWORD('$pw1'), '$email')";
            if (@mysql_query($query)) {
                //print "Your details have been added";
                header("Location: login.php?reg=1");
                exit;
            }
        }
    }
}
?>



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/primary/Templates/was.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<!-- InstanceBeginEditable name="doctitle" -->
<title>WebSecure::Registration</title>
<!-- InstanceEndEditable -->
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="Templates/was.css" rel="stylesheet" type="text/css" />
<script language="javascript" type="text/javascript">
function checkform(pform1){
    // pform1 is the form object passed in by onSubmit; fields are looked up by their name attribute
    if(pform1.elements['name'].value=="" && pform1.elements['pw1'].value=="" && pform1.elements['email'].value==""){
        alert("Please make sure that you have entered all the information that is required");
        return false;
    }

    if(pform1.elements['name'].value==""){
        alert("Please enter a username");
        pform1.elements['name'].focus();
        return false;
    }

    if(pform1.elements['pw1'].value==""){
        alert("Please enter a password");
        pform1.elements['pw1'].focus();
        return false;
    }

    if(pform1.elements['email'].value==""){
        alert("Please enter an email address");
        pform1.elements['email'].focus();
        return false;
    }

    return true;
}
</script>
</head>

<body>
<table width="99%" border="1">
<tr>
<td bgcolor="#333333" class="header">Web Secure</td>
</tr>
<tr>
<td><!-- InstanceBeginEditable name="main" -->
<form name="form1" action="register.php" method="post" onSubmit="return checkform(this)">
<table width="657" border="0">
<tr>
<td width="122"><div align="left">Name</div></td>
<td width="525"><input name="name" type="text" size="40"></td>
</tr>
<tr>
<td><div align="left">Email</div></td>
<td><input name="email" type="text" size="40"></td>
</tr>
<tr>
<td><div align="left">Password</div></td>
<td><input name="pw1" type="password" size="40"></td>
</tr>
<tr>
<td><div align="left">Confirm Password</div></td>
<td><input name="pw2" type="password" size="40">
<input type="hidden" name="key" /></td>
</tr>
<tr>
<td></td>
<td><input name="submit" type="submit"></td>
</tr>
</table>
</form><!-- InstanceEndEditable --></td>
</tr>
<tr>
<td class="copy">&copy;2008</td>
</tr>
</table>
</body>
<!-- InstanceEnd --></html>



The Code Explained

The script first checks to see if the form has been submitted:


if(isset($_POST['key'])){


If the form has been submitted, then the form data is filtered. The process of filtering starts by checking to see if the submitted form data actually contains any values:


//NEED TO CHECK IF FIELDS ARE FILLED IN
// (each field is tested on its own, so one missing value is enough to stop)

if( empty($_POST['name']) || empty($_POST['email'])){

print "Please enter your username and email.";

$comb="Please enter your username and email.";

exit;

}

First the username and email is checked to see if they contain any values, then the passwords are tested to see if they contain any values:

if( empty($_POST['pw1']) || empty($_POST['pw2'])){

print "Please enter your password.";

$pw="Please enter your password.";

exit;

}


Next, the type of data is tested. We expect only string values for the name, password and email values:


//check that the username and password are strings, not plain numbers

if( is_numeric($_POST['name']) || is_numeric($_POST['pw1'])){

print "Please enter a valid username and password.";

$errmsg=" Please enter a valid username and password.";

$error=true;

}

The confirmation password is tested the same way and rejected if it is purely numeric:

if( is_numeric($_POST['pw2'])){

print "Please enter a valid confirmation password.";

$errmsg=" Please enter a valid confirmation password.";

$error=true;

}

We then test the email address to see if it has the correct format, and then set the error values accordingly:

//Check if email address has correct format (case-insensitive match)

if(!preg_match('/^[a-z0-9]+[a-z0-9_-]*(\.[a-z0-9_-]+)*@[a-z0-9_-]+(\.[a-z0-9_-]+)*\.[a-z]{2,}$/i', $_POST['email'])) {

$errmsg=" Please enter a valid email address.";

$error=true;

}

Using the $error variable, we check to see if everything checks out okay:

if(!$error){

Then we transfer the form variables to shorter variable names:

$name=$_POST['name'];

$email=$_POST['email'];


$pw1=$_POST['pw1'];

$pw2=$_POST['pw2'];

Username and Password

We then compare the two passwords that the user provided in the form. This is just to make sure that the passwords match before we insert it into the database:


if("$pw1" !== "$pw2" ){

print "your confirmation password has been mistyped or is empty,please try again";

$conf="your confirmation password has been mistyped or is empty,please try again";

exit;

}
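The checks above (presence, type, email format and password confirmation) can be collected into one function that reports every problem at once instead of calling exit on the first. The following is an added example, not the article's code: it keeps the article's field names (name, email, pw1, pw2) but replaces the is_numeric test with a character allow-list for the username, uses PHP's built-in email validator instead of a hand-written pattern, and adds a minimum password length. The username and password limits are assumptions chosen for this example.

```php
<?php
// Added example: server-side validation of the registration form.
// Field names follow the article; the limits are assumptions for this example.

function validate_registration(array $post): array
{
    $errors = [];

    $name  = isset($post['name'])  ? trim((string) $post['name'])  : '';
    $email = isset($post['email']) ? trim((string) $post['email']) : '';
    $pw1   = isset($post['pw1'])   ? (string) $post['pw1']          : '';
    $pw2   = isset($post['pw2'])   ? (string) $post['pw2']          : '';

    // Presence: every field is tested on its own, so one empty field is reported.
    if ($name === '')  { $errors['name']  = 'Please enter your username.'; }
    if ($email === '') { $errors['email'] = 'Please enter your email.'; }
    if ($pw1 === '')   { $errors['pw1']   = 'Please enter your password.'; }
    if ($pw2 === '')   { $errors['pw2']   = 'Please confirm your password.'; }

    // Username: an allow-list of characters (3-32 letters, digits, underscores,
    // starting with a letter). Unlike is_numeric(), this also rejects quotes,
    // spaces and other characters that have no place in a username.
    if ($name !== '' && !preg_match('/^[A-Za-z][A-Za-z0-9_]{2,31}$/', $name)) {
        $errors['name'] = 'Username must be 3-32 letters, digits or underscores and start with a letter.';
    }

    // Email: PHP's own validator rather than a hand-written regular expression.
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email address.';
    }

    // Password policy (assumed minimum of 8 characters) and confirmation.
    if ($pw1 !== '' && strlen($pw1) < 8) {
        $errors['pw1'] = 'Password must be at least 8 characters.';
    }
    if ($pw1 !== '' && $pw2 !== '' && $pw1 !== $pw2) {
        $errors['pw2'] = 'The confirmation password does not match.';
    }

    return $errors;
}

// Constructed sample submissions standing in for $_POST.
$good = ['name' => 'alice_01', 'email' => 'alice@example.com',
         'pw1' => 'correct horse battery', 'pw2' => 'correct horse battery'];
$bad  = ['name' => '12345', 'email' => 'not-an-address',
         'pw1' => 'short', 'pw2' => 'shorter'];

// $good yields an empty array; $bad yields one message per field.
print_r(validate_registration($good));
print_r(validate_registration($bad));
```

In the script this would replace the chain of if/exit blocks: call validate_registration($_POST), and only continue to the database section when the returned array is empty. Whatever the JavaScript check in the form does, this function is the check that decides, since the form can be submitted without the browser's script running.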

The next step is to check that the user name which the new user provided does not already exist in the database. To do this we need to connect to the database server, and then run a query to see if the username is found:

//connect to the db server (config.php opens the connection), check if uname exists

include('../config.php');

//escape the user-supplied values before they are placed inside SQL strings

$name=mysql_real_escape_string($name);

$email=mysql_real_escape_string($email);

$pw1=mysql_real_escape_string($pw1);

$query="SELECT uname FROM users WHERE uname='$name'";

$result= mysql_query($query);

We use the $num variable to see if the query returned any results. If there are results, then it means that there already is a name that is the same as the one provided by the user, in which case an appropriate error message is sent:

$num=mysql_num_rows($result);

if ($num > 0) {//Username already exists

print "The username is already taken,please try again";

$taken="The username is already taken,please try again";

print "<p><a href=http://localhost/loginscript/register.php>Click here to try again.</a></p>";

exit;

Otherwise, the name provided by the user does not exist in the database, so the new user's details are inserted into the database, the appropriate query string value is set, and the user is directed to the login page:

}else{

//if username does not exist insert user details

$query="INSERT INTO users (uname, pw, email) VALUES ('$name', PASSWORD('$pw1'), '$email')";

if (@mysql_query ($query)) {

//print "Your details have been added";

header("Location: login.php?reg=1");

exit;

}

}

}

}
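The lookup and insert above build SQL by pasting the user's values into the query string and rely on MySQL's PASSWORD() function for hashing. As an added example that is not the article's code, here is the same two-step flow written with mysqli prepared statements and password_hash(). It assumes an open mysqli connection in $mysqli (the article's config.php is assumed to create it) and the article's users table with the columns uname, pw and email.

```php
<?php
// Added example: the username check and insert with bound parameters.
// Assumes $mysqli is an open mysqli connection (config.php is assumed to
// create it) and a `users` table with columns uname, pw, email.

function username_taken(mysqli $db, string $name): bool
{
    // The name travels as a bound parameter; it is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE uname = ? LIMIT 1');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    return $taken;
}

function register_user(mysqli $db, string $name, string $password, string $email): bool
{
    // Salted, deliberately slow hash computed in PHP; the plaintext password
    // never reaches the database server.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare('INSERT INTO users (uname, pw, email) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $hash, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage mirroring the article's flow once validation has passed.
// $name, $pw1 and $email are the validated form values.
require '../config.php';   // assumed to define $mysqli

if (username_taken($mysqli, $name)) {
    print "The username is already taken, please try again";
} elseif (register_user($mysqli, $name, $pw1, $email)) {
    header('Location: login.php?reg=1');
    exit;
}
```

Two points follow from this version. The login script must compare submitted passwords with password_verify() against the stored hash, not with MySQL's PASSWORD(). And the SELECT-then-INSERT pair still has a small window in which two simultaneous registrations of the same name can both pass the check; a UNIQUE index on uname closes it, because the second INSERT then fails and register_user() returns false.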

The HTML form is responsible for collecting the registration information from the user. The actual form code is detailed and explained below. 

The first line in the code declares the form header, which includes the name of the form, the method that the form uses to send information, onsubmit and finally the name of the script that processes the form data:

<form name="form1" action="register.php" method="post" onSubmit="return checkform(this)" >


A table is then created that will contain the actual form elements:


<table width="657" border="0">

<tr>

<td width="122"><div align="left">Name</div></td>


The first element of the form takes the name of the user:


<td width="525"><input name="name" type="text" size="40"></td>

</tr>

<tr>

The HTML Form continued

The second, third and fourth elements take the email, password and confirmation password respectively:


<td><div align="left">Email</div></td>

<td><input name="email" type="text" size="40"></td>

</tr>

<tr>

<td><div align="left">Password</div></td>

<td><input name="pw1" type="password" size="40"></td>

</tr>

<tr>

<td ><div align="left">Confirm Password </div></td>

<td><input name="pw2" type="password" size="40">

Notice the hidden input whose name is key. This element acts as the checkpoint when the form data is processed later on. The script tests for it rather than for the usual submit button because it provides a more portable way of detecting that the form values were submitted:

<input type="hidden" name="key" /></td>

</tr>

<tr>

<td></td>

<td> <input name="submit" type="submit"></td>

</tr>

</table>

As an added layer of security and for the convenience of the user, JavaScript code is made available to ensure that all form fields are filled in:

function checkform(pform1){
    // pform1 is the form object passed in by onSubmit; fields are looked up by their name attribute
    if(pform1.elements['name'].value=="" && pform1.elements['pw1'].value=="" && pform1.elements['email'].value==""){
        alert("Please make sure that you have entered all the information that is required");
        return false;
    }

    if(pform1.elements['name'].value==""){
        alert("Please enter a username");
        pform1.elements['name'].focus();
        return false;
    }

    if(pform1.elements['email'].value==""){
        alert("Please enter an email address");
        pform1.elements['email'].focus();
        return false;
    }

    if(pform1.elements['pw1'].value==""){
        alert("Please enter a password");
        pform1.elements['pw1'].focus();
        return false;
    }

    return true;
}

In the code above, pform1 refers to the form object that onSubmit passes in, and elements['name'], elements['pw1'] and elements['email'] refer to the form fields by the name attributes they carry in the HTML. The alert message is what the user will see if a form field is empty.

Conclusion

In this article we looked in detail at the user registration script. In the next article we will discuss database security and also look at password management.
