Been working with this script for quite some time now but no matter what I do it will not add the IP Address into the database at all. It instead adds it as a NULL value and I cannot figure out why. I do not want to use IP2Long or long2ip as the IP Address needs to match the incoming connection to even sign into the site. The code I'm using to grab the IP is below.

```php
if (!empty($_SERVER['HTTP_CLIENT_IP'])){
    $IP = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $IP = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $IP = $_SERVER['REMOTE_ADDR'];
}
```

Which works great. When viewing it in just an echo it shows the correct IP Address that I wanted, so the code is not the issue. The next function is how it inserts the code into the database upon registering.

```php
function Register()
{
    $con = mysqli_connect("removed","removed","removed","removed");
    if(!empty($_POST['Key']) AND !empty($_POST['Username']))
    {
        $errors="";
        $query="SELECT `Key` FROM `Keys` 
                WHERE `Key`= '".mysqli_real_escape_string($con,$_POST['Key'])."'";
        $result = mysqli_query($con,$query);
        $row = mysqli_fetch_array($result);
        if($row['Key'])
        {
            $query="SELECT `Activated` FROM `Keys` WHERE `Key`= '".mysqli_real_escape_string($con,$_POST['Key'])."'";
            $result = mysqli_query($con,$query);
            $row = mysqli_fetch_array($result);
            if($row['Activated']){
                $errors= "This key has already been activated. You cannot create an account with this key.";
            }
        }
        else{
            $errors= "Key not found. Please contact us for assistance!";   
        }
        if($errors){
            echo $errors;
        }else{
            //ip insert update
            $query="UPDATE `Keys` 
                      SET `IP` = '$IP', 
                      `Activated` = '1', `Username` = '".mysqli_real_escape_string($con,$_POST['Username'])."' 
                     WHERE `Key`= '".mysqli_real_escape_string($con,$_POST['Key'])."'";

            $result = mysqli_query($con,$query);

            if($result){
                $query="UPDATE `Keys` SET `Timestamp` = NOW(), `IP` = '$IP', `DATE` = NOW() WHERE `Keys`= '".mysqli_real_escape_string($con,$_POST['Key'])."'";
                $result=mysqli_query($con,$query);
            }else{
                $errors.="Could not sign up. Please contact us for assistance.";
            }
            //email check 
            $query = "SELECT*FROM `Users` WHERE email='".mysqli_real_escape_string($con,$_POST['Email'])."'";
            $result = mysqli_query($con,$query);
            $results = mysqli_num_rows($result);
            if($results>0){
                $errors.="The email provided is already registered. </br>";
            }
            //username check
            $query = "SELECT*FROM `Users` WHERE username='".mysqli_real_escape_string($con,$_POST['Username'])."'";
            $result = mysqli_query($con,$query);
            $results = mysqli_num_rows($result);
            if($results>0){
                $errors.= "The username provided is already registered. </nr>";
            }

            if($errors){
              echo $errors;
            }else{
                $query = "INSERT INTO `Users` (`username`,`name`,`email`, `password`) VALUES ('".mysqli_real_escape_string($con, $_POST['Username'])."','".mysqli_real_escape_string($con, $_POST['Name'])."','".mysqli_real_escape_string($con, $_POST['Email'])."', '".md5(md5($_POST['Email']).$_POST['password'])."')";
                $result = mysqli_query($con,$query);
                if($result){
                    echo '<script type="text/javascript"> window.onload = function () { alert("Registration and activation was successful."); } </script>';

                }else{
                    echo '<script type="text/javascript"> window.onload = function () { alert("An error occurred. Please contact us for assistance."); } </script>';
                }
            }
        }
    }
}
```

This code just will not add the IP Address into the system and I can't figure out why. It works fine in other sites, just not this one.

Any ideas?

Wouldn't be an issue except it's for a Client's system and I want it perfect. Thanks

  • You do know you can select more than one column at a time, don't you? `SELECT Key,Activated FROM Keys WHERE ....` – RiggsFolly Aug 27 '16 at 15:27
  • ERROR: So where do you set `$ip` to anything? – RiggsFolly Aug 27 '16 at 15:28
  • _Wouldn't be an issue except it's for a Client's system and I want it perfect_ Lots of work to do then! – RiggsFolly Aug 27 '16 at 15:29
  • I know I can select more than one column at once yeah. $ip is set in the first function Riggs, as it should be seen in the first bit of code I posted. Also, I know there's a lot of work to do. This is literally just the basis of the register script. – LightningMods Aug 27 '16 at 15:31
  • oh... Whoops. I realised I didn't capitalize the $ip inside the actual mysql function. Let me fix that and test it. Lol EDIT: Capitalizing also did nothing for inserting the IP. – LightningMods Aug 27 '16 at 15:31
  • _I know I can select more than one column at once yeah_ Then why do you use 2 separate queries in this function to get 2 columns from the same table with the same where clause? – RiggsFolly Aug 27 '16 at 15:35
  • Like I said **YOU DON'T SET** `$ip` anywhere in this function **SCOPE Scope scope** – RiggsFolly Aug 27 '16 at 15:36
  • I guess you should pass it as a parameter to this function – RiggsFolly Aug 27 '16 at 15:36
  • As I have said, it's just the basis. I only did it this way because at the time it was a lot easier for me to manage. Plus it executes 2 completely different queries and outputs 2 different results for each query. It's all going to be tidied up after I've fixed a couple more issues I have, IP being one of them. – LightningMods Aug 27 '16 at 15:37
  • You also UPDATE the same row twice, slightly different columns get updated but the same row. – RiggsFolly Aug 27 '16 at 15:39
  • Alright, I see what you mean. It was a personal screw up. Fixed now. I missed where you pointed out it needed to be defined in the function (Personally thought it being defined at the top of the PHP file was enough.), Thanks. – LightningMods Aug 27 '16 at 15:40
  • ALSO `SELECT*FROM` will not work, a space or 2 might help – RiggsFolly Aug 27 '16 at 15:40
  • Also, your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 27 '16 at 15:41
  • Sorry for not getting back sooner. I had a look and saw what you meant about being Vulnerable. The entire MySQL database queries and insertion has been converted over to PDO. Thanks again bud :) – LightningMods Sep 22 '16 at 12:13
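
The changes the comments above converge on (pass the IP into the function, use prepared statements, one lookup and one UPDATE), as an added example that is not the asker's code. It assumes PDO with the `pdo_sqlite` extension and an in-memory database so it runs offline; `makeDb`, `activateKey`, the table layout, the key `DEMO-KEY-1` and the fallback address are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the question's `Keys` table (in-memory SQLite, runs offline).
function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE "Keys" ("Key" TEXT PRIMARY KEY, "Activated" INTEGER DEFAULT 0,
                "Username" TEXT, "IP" TEXT, "Timestamp" TEXT)');
    $pdo->exec("INSERT INTO \"Keys\" (\"Key\") VALUES ('DEMO-KEY-1')");
    return $pdo;
}

// $ip is a parameter: a variable assigned at file level is not visible inside a function body.
function activateKey(PDO $pdo, string $key, string $username, string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'Invalid IP address.';
    }
    // A single lookup answers both "does the key exist" and "is it already activated".
    $stmt = $pdo->prepare('SELECT "Activated" FROM "Keys" WHERE "Key" = :key');
    $stmt->execute([':key' => $key]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'Key not found.';
    }
    if ((int) $row['Activated'] === 1) {
        return 'This key has already been activated.';
    }
    // One UPDATE with bound values; the extra Activated = 0 guard stops a concurrent double use.
    $stmt = $pdo->prepare('UPDATE "Keys" SET "IP" = :ip, "Activated" = 1, "Username" = :user,
                           "Timestamp" = :ts WHERE "Key" = :key AND "Activated" = 0');
    $stmt->execute([':ip' => $ip, ':user' => $username, ':ts' => date('c'), ':key' => $key]);
    return $stmt->rowCount() === 1 ? 'OK' : 'Could not activate key.';
}

$pdo = makeDb();
// REMOTE_ADDR is the peer address of the connection; the fallback is a constructed value for CLI runs.
$ip = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7';
echo activateKey($pdo, 'DEMO-KEY-1', 'alice', $ip), PHP_EOL;
echo activateKey($pdo, 'DEMO-KEY-1', 'mallory', $ip), PHP_EOL;
print_r($pdo->query('SELECT * FROM "Keys"')->fetch(PDO::FETCH_ASSOC));
```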
