Member Avatar for Shikha_1

registration.html

<!<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Register</title>
<script type='text/javascript'>
function refreshCaptcha()
{
var img = document.images['captchaimg'];
img.src = img.src.substring(0,img.src.lastIndexOf("?"))+"?rand="+Math.random()*1000;
}
</script>
</head>

<body>
    <fieldset>
        <legend>Registration</legend>

<form name="register" action="register.php" method="post">
    <table width="510" border="0">
        <tr>
            <td colspan="2"><p><strong>Registration Form</strong></p></td>
        </tr>
        <tr>
            <td>Username:</td>
            <td><input type="text" name="username" maxlength="20" /></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" name="password" /></td>
        </tr>
        <tr>
            <td>Confirm Password:</td>
            <td><input type="password" name="password2" /></td>
        </tr>
        <tr>
            <td>Email:</td>
            <td><input type="text" name="email" id="email" /></td>
        </tr>
        <tr>
                <td align="right" valign="top"> Validation code:</td>
                <td><img src="captcha_code_file.php?rand=<?php echo rand();?>" id='captchaimg'><br>
                <label for='message'>Enter the code above here :</label>
                <br>
                <input id="6_letters_code" name="6_letters_code" type="text">
        <br>
        Can't read the image? click <a href='javascript: refreshCaptcha();'>here</a> to refresh
        </p></td>
        </tr>
        <tr>
            <td><input type="hidden" name="formsubmitted" value="true"/> </td>
        </tr>
        tr>
            <td>&nbsp;</td>

            <td><input type="submit" value="Register" /></td>
        </tr>
    </table>
</form>
<div>
if already registered then: 
<a href="login.html"> login</a>   </div>
</fieldset>

</body>
</html>

register.php

<?php
session_start();
 include("DBconnect.php");
 $username =$_POST[ 'username' ];
 $password=$_POST[ 'password' ];
 $con_pass=$_POST['password2'];
 $email =$_POST [ 'email' ] ;
 $status='verify';
 $r1='/[A-Z]/';  //Uppercase
 $r2='/[a-z]/';  //lowercase
 $r3='/[!@#$%^&*()\-_=+{};:,<.>]/';  // whatever you mean by 'special char'
 $r4='/[0-9]/';  //numbers


 if (isset($_POST['formsubmitted']))
 {

    //username validation
        if(empty($_POST['username'])) 
        { 
            die("Please enter a username."); 
        }
    $u="select count(username) from users where username='$username'";
    $result = mysql_query($u);
    // Alwasy verify the result of a mysql query before using it!
         if ($result)
         {
         // Fetch the number in the first column of the only row in 
         // the result set.
         $row = mysql_fetch_row($result);
         $user_count = (int)$row[0];
         // And finally check the number.
          if ($user_count == 1)
      {
            echo "User exists.";

          }

         }
       else {
            // The MySQL query must have failed, so you'd want to stop with an errror.
            // A lot of people would use "die()" for this, but it's an inferior method.
            die("user verification failed ");
       }





     //password validation
        if(empty($_POST['password'])) 
        { 
            die("Please enter a password."); 
        }
    else
     {
        if((preg_match_all($r1,$password, $o)<1))
        die("there should be atleast one Uppercaseletter");
        if(preg_match_all($r2,$password, $o)<1)
        die("there should be atleast one lowercase letter");
        if(preg_match_all($r3,$password, $o)<1)
        die("there should be atleast one special character");
        if(preg_match_all($r4,$password, $o)<1)
        die("there should be atleast one digit");
        if(strlen($password)<8)
         die("length should be greater than 8");


     }

    //password matching validation
    if($_POST['password']!=$_POST['password2'])
    {
         die("password do not match");                 
    }

    //email validation
        if(empty($_POST['email']))
    {
               die("Please Enter your Email");
        }
       if (!preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['email']))
       {
               //regular expression for email validation
               //$Email = $_POST['email'];
            die( "Your Email Address is invalid ") ;
       }       
        $e="select count(email) as 'countemail' from users where email='$email'";
        $r = mysql_query($e);
    if ($r)
        {
         // Fetch the number in the first column of the only row in 
         // the result set.
         $row = mysql_fetch_row($r);
         $user_count = (int)$row[0];
         // And finally check the number.
          if ($user_count == 1)
      {
            echo "email exists.";
          }

       }
       else {
            // The MySQL query must have failed, so you'd want to stop with an errror.
            // A lot of people would use "die()" for this, but it's an inferior method.
            die("email verification failed");
       }
       if(empty($_SESSION['6_letters_code'] ) || strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) != 0)
       {
    $msg="The Validation code does not match!";
       }

 }

  $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
  $password = hash('sha256', $_POST['password'] . $salt); 
 for($round = 0; $round < 65536; $round++) 
 { 
    $password = hash('sha256', $password . $salt); 
 } 
 $activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();

 $qry="insert into users (username,password,salt,email,activationkey,status) values ('$username','$password','$salt','$email','$activationKey','$status')";
 $register = mysql_query($qry);
 if (!$register)
 {
      echo "error 1";;
 }

echo "successful registration";
?>
<a href="login.html"> login</a>

captcha_code_file.php

<?php
session_start();
//Settings: You can customize the captcha here
$image_width = 120;
$image_height = 40;
$characters_on_image = 6;
$font = './monofont.ttf';

//The characters that can be used in the CAPTCHA code.
//avoid confusing characters (l 1 and i for example)
$possible_letters = '23456789bcdfghjkmnpqrstvwxyz';
$random_dots = 10;
$random_lines = 30;
$captcha_text_color="0x142864";
$captcha_noice_color = "0x142864";

$code = '';

$i = 0;
while ($i < $characters_on_image) {
$code .= substr($possible_letters, mt_rand(0, strlen($possible_letters)-1), 1);
$i++;
}

$font_size = $image_height * 0.75;
$image = @imagecreate($image_width, $image_height);

/* setting the background, text and noise colours here */
$background_color = imagecolorallocate($image, 255, 255, 255);

$arr_text_color = hexrgb($captcha_text_color);
$text_color = imagecolorallocate($image, $arr_text_color['red'],
$arr_text_color['green'], $arr_text_color['blue']);

$arr_noice_color = hexrgb($captcha_noice_color);
$image_noise_color = imagecolorallocate($image, $arr_noice_color['red'],
$arr_noice_color['green'], $arr_noice_color['blue']);

/* generating the dots randomly in background */
for( $i=0; $i<$random_dots; $i++ ) {
imagefilledellipse($image, mt_rand(0,$image_width),
mt_rand(0,$image_height), 2, 3, $image_noise_color);
}

/* generating lines randomly in background of image */
for( $i=0; $i<$random_lines; $i++ ) {
imageline($image, mt_rand(0,$image_width), mt_rand(0,$image_height),
mt_rand(0,$image_width), mt_rand(0,$image_height), $image_noise_color);
}

/* create a text box and add 6 letters code in it */
$textbox = imagettfbbox($font_size, 0, $font, $code);
$x = ($image_width - $textbox[4])/2;
$y = ($image_height - $textbox[5])/2;
imagettftext($image, $font_size, 0, $x, $y, $text_color, $font , $code);

/* Show captcha image in the page html page */
header('Content-Type: image/jpeg');// defining the image type to be shown in browser window
imagejpeg($image);//showing the image
imagedestroy($image);//destroying the image instance
$_SESSION['6_letters_code'] = $code;

function hexrgb ($hexstr)
{
$int = hexdec($hexstr);

return array( "red" => 0xFF & ($int >> 0x10),
"green" => 0xFF & ($int >> 0x8),
"blue" => 0xFF & $int);
}
?>

i think there is session problem due to which captcha is not vlidating how to correct it

  • 2 Contributors
  • 5 Replies
  • 720 Views
  • 23 Hours Discussion Span
  • Latest Post Latest Post by cereal
Member Avatar for cereal

Works fine for me, what error you get? Here's my test, based on your scripts:

<?php

session_start();

?>

<form method="post">
Validation code:
<img src="captcha.php?rand=<?php echo rand();?>" id='captchaimg'><br />
<label for='6_letters_code'>Enter the code above here:</label>
<input type="text" name="6_letters_code" />
</form>

<?php
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    echo 'POST: ';
    print_r($_POST);
    echo '<br />SESSION: ';
    print_r($_SESSION);
    echo '<br />Result: ';
    if(empty($_SESSION['6_letters_code']) || strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) != 0)
    {
        echo 'false';
    }
    else
    {
        echo 'true';
    }
}

By the way: an ID cannot start by number, so id="6_letters_code" is wrong and will not work if you use JQuery & other javascript frameworks, also it's not a good idea to send an error message declaring that the user does or doesn't exits, it's better to return a generic message as user/password wrong, otherwise an attacker can understand if an account exists and try to find his specific password.

Edited by cereal because: adding note
Member Avatar for Shikha_1

you have written all the code in one php file
but i wrote it in 3 files so i am tinking there is a session error

Member Avatar for cereal

Ok, then move this to the top of register.php file:

echo 'POST: ';
print_r($_POST);
echo '<br />SESSION: ';
print_r($_SESSION);
die();

place it right after <?php session_start(); and check if the values sent by $_POST and saved in $_SESSION are the same.

commented: i think so too +14
Member Avatar for Shikha_1

i tried it and it is returning the values the vlues on this page but if i am entering different captcha still it is not validating

Member Avatar for cereal

Ok, so the problem is that your script doesn't stop if you send a wrong captcha? In your conditional statment you are not stopping the action, just setting $msg variable, if you want to stop the execution the most immediate solution is to use die() as in the other statments:

if(empty($_SESSION['6_letters_code']) || strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code']) != 0)
{
    die("The Validation code does not match!");
}

This will stop the script but it is not the best user experience. Also when you check if user already exists you should stop the execution:

if($user_count > 0)
{
    die("User exists.");
}

A better solution for handling the errors is to use an array and to check if it is populated, for example:

$errors = array();

$username = 'Shikha_1';
$password = 'p4ss';

if( ! ctype_alpha($username))
{
    $errors['username'] = 'Only alphanumeric characters are allowed for the username.';
}

if(count($password) < 8)
{
    $errors['password'] = 'Password too short';
}

if(count($errors) > 0)
{
    # redirect to form with error messages:
    $_SESSION['errors'] = $errors;
    header('Location: register.html');
}
else
{
    # insert query & other stuff
}
Edited by cereal
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.