Hey guys,
as a follow-up to the thread "Sicherer Login", here is of course "Sichere Registrierung". First of all, without any code, I'd like to know what you think should be taken into account. That could be, for example, requirements for the password or something like that...
The code is of course important too. In case anyone is interested: this code took me 15 minutes.
```php
<?php
include("oben.php");
$string = "";
if (isset($_SESSION["c1l2o3u4d-userid"])) {
    // already logged in: send to the start page and stop rendering
    header("Location: index.php");
    exit;
}
elseif (isset($_POST["submit-register"])) {
    if ($_POST["nickname"] !== "" AND $_POST["password"] !== "" AND $_POST["password2"] !== ""
        AND $_POST["firstname"] !== "" AND $_POST["surname"] !== "" AND $_POST["purpose"] !== "") {
        $connection = mysql_connect("localhost", "yamram-dev", "********");
        if (!mysql_select_db("yamram-dev", $connection)) {
            $string = $string."<p class='error'>Ein Datenbankfehler ist aufgetreten. Wir werden uns schnellstmöglichst darum kümmern.<span class='result'>Bitte haben Sie Verständnis.</span></p>";
        }
        // escape every field before it goes into an SQL string
        $nickname  = mysql_real_escape_string($_POST["nickname"]);
        $password  = mysql_real_escape_string($_POST["password"]);
        $password2 = mysql_real_escape_string($_POST["password2"]);
        $firstname = mysql_real_escape_string($_POST["firstname"]);
        $surname   = mysql_real_escape_string($_POST["surname"]);
        $purpose   = mysql_real_escape_string($_POST["purpose"]);
        // is the nickname already taken?
        $sql = "SELECT * FROM `user` WHERE `nickname` = '".$nickname."';";
        $result = mysql_query($sql);
        if (mysql_fetch_assoc($result)) {
            $string = $string."<p class='error'>Der Username ist schon vorhanden.<span class='result'>Bitte wählen Sie einen anderen Usernamen.</span></p>";
        }
        elseif ($password == $password2) {
            // password is stored as its md5 hash; value order matches the column order
            $sql = "INSERT INTO `user` (`nickname`, `password`, `regdate`, `surname`, `firstname`) VALUES ('".$nickname."', '".md5($password)."', CURRENT_TIMESTAMP, '".$surname."', '".$firstname."');";
            if (!mysql_query($sql)) {
                $string = $string."<p class='error'>Ein Problem mit der Datenbank ist aufgetreten.<span class='result'>Bitte haben Sie Verständnis.</span></p>";
            }
            else {
                // write a log entry for the registration
                $sql = "INSERT INTO `logs` (`nickname`, `class`, `logdate`, `ip`) VALUES ('".$nickname."', 'register', CURRENT_TIMESTAMP, '".$_SERVER["REMOTE_ADDR"]."')";
                mysql_query($sql);
            }
            header("Location: index.php?error=7");
            exit;
        }
        else {
            $string = $string."<p class='error'>Die Passwortbestätigung entspricht nicht dem Passwort.<span class='result'>Bitte versuchen Sie es noch einmal.</span></p>";
        }
    }
    else {
        $string = $string."<p class='error'>Sie konnten nicht registriert werden, weil Sie nicht alle Daten eingegeben haben.<span class='result'>Bitte versuchen Sie es noch einmal.</span></p>";
    }
}
?>
<h2>Registrieren</h2>
<?php echo $string; ?>
<p>Hier können Sich registrieren. Dafür müssen Sie einfach alle Felder ausfüllen:</p>
<form method="post" action="">
    <!-- text fields are re-filled from the previous request -->
    <label for="nickname">Username</label> <input type="text" name="nickname" value="<?php echo @$_POST["nickname"]; ?>" />
    <label for="password">Passwort</label> <input type="password" name="password" value="" />
    <label for="password2">Password bestätigen</label> <input type="password" name="password2" value="" />
    <label for="firstname">Vorname</label> <input type="text" name="firstname" value="<?php echo @$_POST["firstname"]; ?>" />
    <label for="surname">Nachname</label> <input type="text" name="surname" value="<?php echo @$_POST["surname"]; ?>" />
    <label for="purpose">Zweck</label>
    <select name="purpose">
        <option value="business">geschäftlich</option>
        <option value="private">privat</option>
    </select>
    <input type="submit" value="registrieren" name="submit-register" />
</form>
<?php include("unten.php"); ?>
```
So, what can I do better in this code? On drPHIP132's recommendation I have now built in mysql_real_escape_string() right away. I've learned that this protects against SQL injection. As you may have already seen, the user doesn't even have to provide an e-mail address. Anyone who thinks that's a silly or bad idea, please say so right away, and of course why.
Best regards,
Philipp E.
PS: The project is really making progress. Soon I'll have the complete user system finished and will start on the upload system O.o
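As an added example that is not the poster's code, here is the same registration step with the changes a reviewer would ask for: prepared statements instead of string-built SQL with mysql_real_escape_string(), password_hash() instead of md5(), a server-side whitelist for the select value, a UNIQUE index instead of the SELECT-then-INSERT check, exit after the redirect, and escaping on output. It assumes PDO with the MySQL driver, the DB password in a DB_PASSWORD environment variable and a UNIQUE index on user.nickname; session key, table and column names are taken from the post.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO with the MySQL driver,
// the DB password in the DB_PASSWORD environment variable, a UNIQUE index on
// user.nickname and a password column wide enough for password_hash() output.
session_start();
if (isset($_SESSION["c1l2o3u4d-userid"])) {
    header("Location: index.php");
    exit; // without exit the rest of the page is still rendered after the redirect header
}
$pdo = new PDO("mysql:host=localhost;dbname=yamram-dev;charset=utf8mb4", "yamram-dev",
    getenv("DB_PASSWORD"), [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$errors = [];
if (isset($_POST["submit-register"])) {
    $in = [];
    foreach (["nickname", "password", "password2", "firstname", "surname", "purpose"] as $f) {
        $in[$f] = trim((string)($_POST[$f] ?? "")); // a missing key no longer raises a notice
    }
    if (in_array("", $in, true)) {
        $errors[] = "Bitte füllen Sie alle Felder aus.";
    } elseif (!in_array($in["purpose"], ["business", "private"], true)) {
        $errors[] = "Ungültiger Zweck."; // whitelist the <select> value server-side
    } elseif ($in["password"] !== $in["password2"]) {
        $errors[] = "Die Passwortbestätigung entspricht nicht dem Passwort.";
    } elseif (strlen($in["password"]) < 12) {
        $errors[] = "Das Passwort muss mindestens 12 Zeichen lang sein.";
    } else {
        try {
            // Prepared statements replace mysql_real_escape_string(); the UNIQUE index
            // replaces the SELECT-then-INSERT check, which can race between the two queries.
            $st = $pdo->prepare("INSERT INTO `user` (`nickname`, `password`, `regdate`, `surname`, `firstname`)
                                 VALUES (?, ?, CURRENT_TIMESTAMP, ?, ?)");
            // Salted, slow hash instead of md5(); the salt is embedded in the stored string.
            $st->execute([$in["nickname"], password_hash($in["password"], PASSWORD_DEFAULT),
                          $in["surname"], $in["firstname"]]);
            $pdo->prepare("INSERT INTO `logs` (`nickname`, `class`, `logdate`, `ip`)
                           VALUES (?, 'register', CURRENT_TIMESTAMP, ?)")
                ->execute([$in["nickname"], $_SERVER["REMOTE_ADDR"]]);
            header("Location: index.php?error=7");
            exit;
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation, i.e. the nickname already exists
            $errors[] = ($e->errorInfo[0] ?? "") === "23000"
                ? "Der Username ist schon vorhanden." : "Ein Datenbankfehler ist aufgetreten.";
            error_log($e->getMessage()); // details go to the server log, not to the user
        }
    }
}
foreach ($errors as $msg) { // escape on output; the post echoes $string and $_POST values raw
    echo "<p class='error'>" . htmlspecialchars($msg, ENT_QUOTES, "UTF-8") . "</p>";
}
```

The form markup stays as in the post, except that the re-filled $_POST values should also go through htmlspecialchars() before being echoed into the value attributes.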