I use the following code to register users on my site. The problem is that when a user registers, Apache doesn't respond and crashes.

Is there a break in my code or something I am doing wrong?

<?php

include ('../includes/db_connect.php');

$firstname = $_POST['firstname'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = md5($_POST['password']);

// let's check to see if the username already exists

$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");

$username_exist = mysql_num_rows($checkuser);

if($username_exist > 0){
    echo "I'm sorry but the username you specified has already been taken.  Please pick another one.";
    unset($username);
    //include 'register.html';
    exit();
}

// If no errors present with the username
// use a query to insert the data into the database.

$query = "INSERT INTO users (firstname, email, username, password)
VALUES('$firstname', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());
mysql_close();

echo "You have successfully Registered";

// mail user their information

//$yoursite = 'www.blahblah.com';
//$webmaster = 'yourname';
//$youremail = 'youremail';
//    
//$subject = "You have successfully registered at $yoursite...";
//$message = "Dear $firstname, you are now registered at our web site.  
//    To login, simply go to our web page and enter in the following details in the login form:
//    Username: $username
//    Password: $password
//    
//    Please print this information out and store it for future reference.
//    
//    Thanks,
//    $webmaster";
//    
//mail($email, $subject, $message, "From: $yoursite <$youremail>\nX-Mailer:PHP/" . phpversion());
//    
//echo "Your information has been mailed to your email address.";

?>
A: 

This script will NOT cause Apache to die. On this side there's nothing wrong with it. However, I don't know what's in db_connect.php.

The mailing is deactivated; this indeed could take a very long time if the server settings are not correct, e.g. if the server can't find its fully qualified domain name, as your comments suggest.

Do you have a session active? This could explain why you can't access any website while the other one is still running and sending the mail, and it may look to you like Apache crashed, because you didn't call session_write_close and only one session can be active for writing at a time.

What's definitely wrong is the vulnerability to MySQL injection. You absolutely need to change your variables the following way:

$firstname = mysql_real_escape_string($_POST['firstname']);
$email = mysql_real_escape_string($_POST['email']);
$username = mysql_real_escape_string($_POST['username']);

Furthermore, I would recommend just having a unique key on username and try the insert and see whether you get an error or if you get a mysql_insert_id. Let MySQL do the job. But your check is fine too. But you should have a constraint in the database too, just as a precaution. And you should trim your values and maybe allow only certain chars; it's annoying if a username on a website is &%DTRFG$Ä←↓ff

Joe Hopfgartner
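
The answer's suggestions combined (trimmed values, a restricted username alphabet, a unique constraint enforced by the database, and the insert attempted directly), as an added example that is not part of the original post. It swaps in PDO prepared statements for mysql_real_escape_string (the mysql_* functions were removed in PHP 7) and password_hash() for md5(). The function name register_user, the schema and the sample inputs are constructed, and an in-memory SQLite database is assumed so the script runs stand-alone.

```php
<?php
// Added example with a constructed schema and inputs; assumes the pdo_sqlite extension.

function register_user(PDO $db, array $post): string
{
    // Trim every value and allow only certain characters in the username.
    $firstname = trim($post['firstname'] ?? '');
    $email     = trim($post['email'] ?? '');
    $username  = trim($post['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return 'invalid username';
    }
    if ($firstname === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid input';
    }

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO users (firstname, email, username, password)
         VALUES (:firstname, :email, :username, :password)'
    );
    try {
        $stmt->execute([
            ':firstname' => $firstname,
            ':email'     => $email,
            ':username'  => $username,
            ':password'  => password_hash($post['password'] ?? '', PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        // SQLSTATE class 23 = integrity constraint violation (duplicate username).
        if (strncmp((string) $e->getCode(), '23', 2) === 0) {
            return 'username taken';
        }
        throw $e;
    }
    return 'registered as id ' . $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, firstname TEXT, email TEXT,
    username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)');

$ok = ['firstname' => "Pat O'Neil", 'email' => 'pat@example.com',
       'username' => ' pat_oneil ', 'password' => 'constructed-sample'];
echo register_user($db, $ok), "\n";
echo register_user($db, $ok), "\n";                           // same username again
echo register_user($db, ['username' => '&%DTRFG$'] + $ok), "\n";
```

Because the unique constraint decides the outcome, two simultaneous registrations of the same username cannot both succeed, which a separate SELECT check before the INSERT does not guarantee.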