
I've created a mail server with dovecot, postfix and mysql. The user should be able to create a new mail address via a php webpage which will insert the data into the mysql database. It also does insert it into the DB, but the connection to the mail server won't work with those credentials. When I insert the same things myself directly into the DB it works, can you please give that code a look and tell me what might be wrong? I think it has something to do with the password hash generation with doveadm.

<?php
    ob_start();
    session_start();
    if( isset($_SESSION['user'])!="" ){
            header("Location: home.php");
    }
    include_once 'dbconnect.php';

    $error = false;

    if ( isset($_POST['btn-signup']) ) {

            // clean user inputs to prevent sql injections
            $name = trim($_POST['name']);
            $name = strip_tags($name);
            $name = htmlspecialchars($name);

            $email = trim($_POST['email']);
            $email = strip_tags($email);
            $email = htmlspecialchars($email);

            $pass = trim($_POST['pass']);
            $pass = strip_tags($pass);
            $pass = htmlspecialchars($pass);

            // basic name validation
            if (empty($name)) {
                    $error = true;
                    $nameError = "Please enter your full name.";
            } else if (strlen($name) < 3) {
                    $error = true;
                    $nameError = "Name must have at least 3 characters.";
            } else {
                    // check email exist or not
                    $query = "SELECT username FROM accounts WHERE username='$name'";
                    $result = mysql_query($query);
                    $count = mysql_num_rows($result);
                    if($count!=0){
                            $error = true;
                            $nameError = "Benutzeraccount existiert schon.";
                    }
            }

            //basic email validation
            if ( !filter_var($email,FILTER_VALIDATE_EMAIL) ) {
                    $error = true;
                    $emailError = "Please enter valid email address.";
            } else {
                    // check email exist or not
                    $query = "SELECT resetmail FROM accounts WHERE resetmail='$email'";
                    $result = mysql_query($query);
                    $count = mysql_num_rows($result);
                    if($count!=0){
                            $error = true;
                            $emailError = "Kontakt E-Mail Adresse bereits in Verwendung.";
                    }
            }
            // password validation
            if (empty($pass)){
                    $error = true;
                    $passError = "Please enter password.";
            } else if(strlen($pass) < 6) {
                    $error = true;
                    $passError = "Password must have at least 6 characters.";
            }

            // password hash generated by doveadm (SHA512-CRYPT scheme)
            $password = shell_exec('/usr/bin/doveadm pw -s SHA512-CRYPT -p '. $pass);


            // if there's no error, continue to signup
            if( !$error ) {

                    $query = "INSERT INTO accounts(username,domain,at,complete,resetmail,password,quota,enabled,sendonly) VALUES('$name','chillihorse.de','@','test','$email','$password','2048','1','0')";

                    $res = mysql_query($query);


                    if ($res) {
                            $errTyp = "success";
                            $errMSG = "Successfully registered, you may login now";
                            unset($name);
                            unset($email);
                            unset($pass);
                    } else {
                            $errTyp = "danger";
                            $errMSG = "Something went wrong, try again later...";
                    }

            }


    }
?>
  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code **[a Kitten is strangled somewhere in the world](http://2.bp.blogspot.com/-zCT6jizimfI/UjJ5UTb_BeI/AAAAAAAACgg/AS6XCd6aNdg/s1600/luna_getting_strangled.jpg)** it is deprecated and has been for years and is gone for ever in PHP7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions and prepared statements. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Jan 16 '17 at 10:30
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jan 16 '17 at 10:30
  • Please don't __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php) please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Jan 16 '17 at 10:30
  • Instead of printing a useless error message here `$errMSG = "Something went wrong, try again later...";` change it to `$errMSG = mysql_error();` then you will see if/what is really failing – RiggsFolly Jan 16 '17 at 10:37
  • Changed it to `$errMSG = mysql_error();` But now there are no more errors printed out – tso Jan 16 '17 at 11:20
  • What are the advantages of mysqli? – tso Jan 16 '17 at 12:07
  • Mitigation against SQL Injection attacks if you use it correctly by using Parameterised queries with bound variables – RiggsFolly Jan 16 '17 at 12:12
  • `if( isset($_SESSION['user'])!="" )` that for one thing, is failing you since it's a false positive; you need to use 2 separate conditions. – Funk Forty Niner Jan 16 '17 at 12:18

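One way to generate the Dovecot hash and do the insert without the shell round-trip, as an added example that is not the asker's code; it assumes a PDO connection in `$pdo` and the `accounts` columns from the question. It also shows the two things a `doveadm` call needs if it is kept: `escapeshellarg()` on the password and `rtrim()` on the output, since `shell_exec()` returns the hash together with its trailing newline, which then ends up inside the stored password.

```php
<?php
// Added example (not the asker's code): build a Dovecot-compatible
// SHA512-CRYPT hash in PHP and store it with a prepared statement.
// Assumes a PDO connection in $pdo and the `accounts` table from the question.

// Dovecot's SHA512-CRYPT scheme is the glibc crypt(3) "$6$" format, so
// crypt() yields the same kind of hash as `doveadm pw -s SHA512-CRYPT`.
function dovecotSha512Crypt(string $plain): string
{
    // 16 salt characters from the crypt alphabet [./0-9A-Za-z]
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    $hash = crypt($plain, '$6$' . $salt . '$');
    if (strlen($hash) < 13) { // crypt() returns a short "*" string on failure
        throw new RuntimeException('SHA512-CRYPT is not supported by crypt()');
    }
    // The scheme prefix tells Dovecot how to verify, whatever default_pass_scheme is.
    return '{SHA512-CRYPT}' . $hash;
}

// Verify the way Dovecot does: re-run crypt() with the stored salt and compare.
function verifyDovecotHash(string $plain, string $stored): bool
{
    $hash = preg_replace('/^\{SHA512-CRYPT\}/', '', $stored);
    return hash_equals($hash, crypt($plain, $hash));
}

// If doveadm must be used: quote the argument and strip the trailing newline
// that shell_exec() keeps, otherwise "\n" becomes part of the stored hash.
function doveadmSha512Crypt(string $plain): string
{
    $cmd = '/usr/bin/doveadm pw -s SHA512-CRYPT -p ' . escapeshellarg($plain);
    return rtrim((string) shell_exec($cmd), "\r\n");
}

// Insert with bound parameters. The password is never passed through
// htmlspecialchars(), which would rewrite characters such as & ' " < >.
function createMailAccount(PDO $pdo, string $name, string $resetmail, string $plain): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO accounts (username, domain, at, complete, resetmail, password, quota, enabled, sendonly)
         VALUES (:u, :d, :at, :c, :r, :p, :q, 1, 0)'
    );
    return $stmt->execute([
        ':u' => $name, ':d' => 'chillihorse.de', ':at' => '@', ':c' => 'test',
        ':r' => $resetmail, ':p' => dovecotSha512Crypt($plain), ':q' => 2048,
    ]);
}
```

Running `verifyDovecotHash()` against the `password` value of a row inserted by the original script is a quick way to see whether the stored hash (including any stray newline) still matches the plaintext before testing through Dovecot.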