0

I use the following code to register users on my site. The problem is that when a user registers apache doesn't respond and crashes.

Is there a break in my code or something I am doing wrong????

<?php

include ('../includes/db_connect.php');

$firstname = $_POST['firstname'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = md5($_POST['password']);

// lets check to see if the username already exists

$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");

$username_exist = mysql_num_rows($checkuser);

if($username_exist > 0){
    echo "I'm sorry but the username you specified has already been taken.  Please pick another one.";
    unset($username);
    //include 'register.html';
    exit();
}

// lf no errors present with the username
// use a query to insert the data into the database.

$query = "INSERT INTO users (firstname, email, username, password)
VALUES('$firstname', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());
mysql_close();

echo "You have successfully Registered";

// mail user their information

//$yoursite = ‘www.blahblah.com’;
//$webmaster = ‘yourname’;
//$youremail = ‘youremail’;
//    
//$subject = "You have successfully registered at $yoursite...";
//$message = "Dear $firstname, you are now registered at our web site.  
//    To login, simply go to our web page and enter in the following details in the login form:
//    Username: $username
//    Password: $password
//    
//    Please print this information out and store it for future reference.
//    
//    Thanks,
//    $webmaster";
//    
//mail($email, $subject, $message, "From: $yoursite <$youremail>\nX-Mailer:PHP/" . phpversion());
//    
//echo "Your information has been mailed to your email address.";

?>
user342391
  • 7,569
  • 23
  • 66
  • 88
  • Anything in Apache's `error.log`? What does the crash look like exactly? – Pekka Aug 22 '10 at 19:32
  • 2
    By the way, your script is extremely vulnerable to SQL injection. See e.g. http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php or http://stackoverflow.com/questions/47087/how-do-you-prevent-sql-injection-in-lamp-applications – Pekka Aug 22 '10 at 19:33
  • Starting the Apache2.2 service The Apache2.2 service is running. rmine the server's fully qualified domain name, using 192.168.1.106 for ServerName [Mon Dec 01 11:00:22 2008] [notice] Apache/2.2.10 (Win32) configured -- resuming normal operations [Mon Dec 01 11:00:22 2008] [notice] Server built: Oct 10 2008 12:39:04 [Mon Dec 01 11:00:22 2008] [notice] Parent: Created child process 1844 httpd.exe: Could not reliably determine the server's fully qualified domain name, using 192.168.1.106 for ServerName – user342391 Aug 22 '10 at 20:01

1 Answers1

0

this script will NOT cause apache to die. on this side theres nothing wrong with it. however i dont know whats in db_connect.php

the mailing is deactivated, this indeed could take a very long time if the server settings are not correctly. e.g. if the server cant find its fully qualified domain name as your comments suggests.

do you have a session active? this could explain why you cant access any website while the other one is still running and sending the mail and it may look to you like apache crashed. because you didnt call session_write_close and only once session can be active for writing at a time.

whats definately wrong is the vulnerability to mysql injection. you absolutely need to change your variables the following way:

$firstname = mysql_real_escape_string($_POST['firstname']); $email = mysql_real_escape_string($_POST['email']);
$username = mysql_real_escape_string($_POST['username']);

furthermore i would recommend just having a unique que on username and try the insert and see whether you get an error or if you get an mysq_insert_id. let mysql do the job. but your check is fine too.. but you should have a constraint in the database too, just as a precaution. and you should trim your values and maby allow only certain chars, its annoying if a username on a website is &%DTRFG$Ä←↓ff

The Surrican
  • 29,118
  • 24
  • 122
  • 168