[reckst4r]

Hello. I'm currently in progress with a roleplay gamemode, and I want to make it possible for people to
make an in-game character/account through my website, which isn't hard at all.
Though, I want it to be hashed into whirlpool when it gets putten into the database.

This is my php script that inserts the character/account name, password and email.

PHP код:

<?php
$con = mysql_connect("-Private-","-Private-","-Private");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("ThomasRdb", $con);
$sql="INSERT INTO accounts (id, Username, Key, Email)
VALUES
('','$_POST[charactername]','$_POST[password]','$_POST[email]')";
if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "Your account has been made!";
mysql_close($con);
?>

And this is my index.html

Код HTML:

<html>
<body>

<form action="insert.php" method="post">
Character name (i.e John_Smith):<input type="text" name="charactername" />
Password: <input type="text" name="password" />
Email: <input type="text" name="email" />
<input type="submit" />
</form>

</body>
</html>

Thanks in advance!

[FalconX]

PHP код:

<?php
echo hash('whirlpool', 'The quick brown fox jumped over the lazy dog.'); // put password in the second param
// DON'T ECHO - THIS IS JUST AN EXAMPLE
?>

[reckst4r]

I started working with php a few days ago, and I'm not really sure where to place this in my files

[FalconX]

Quote:

Originally Posted by reckst4r I started working with php a few days ago, and I'm not really sure where to place this in my files

PHP код:

<?php 
$con = mysql_connect("-Private-","-Private-","-Private"); 
if (!$con) 
  { 
  die('Could not connect: ' . mysql_error()); 
  } 
mysql_select_db("ThomasRdb", $con); 
$pwhash = $_POST[password];
$pwhash = hash('whirlpool', $pwhash);
$sql="INSERT INTO accounts (id, Username, Key, Email) 
VALUES 
('','$_POST[charactername]',$pwhash,'$_POST[email]')"; 
if (!mysql_query($sql,$con)) 
  { 
  die('Error: ' . mysql_error()); 
  } 
echo "Your account has been made!"; 
mysql_close($con); 
?>

[reckst4r]

Thanks alot.

[Calgon]

You should also use mysql_real_escape_string when you're dealing with custom inputs.

PHP код:

<?php  
$con = mysql_connect("-Private-","-Private-","-Private");  
if (!$con)  
  {  
  die('Could not connect: ' . mysql_error());  
  }  
mysql_select_db("ThomasRdb", $con);  
$pwhash = hash('whirlpool', $_POST[password]); 
$sql="INSERT INTO accounts (id, Username, Key, Email)  
VALUES  
('','" . mysql_real_escape_string($_POST[charactername]) . "', " . $pwhash . ",'" . mysql_real_escape_string($_POST[email]) . "')";  
if (!mysql_query($sql,$con))  
  {  
  die('Error: ' . mysql_error());  
  }  
echo "Your account has been made!";  
mysql_close($con);  
?>

Sorry to be picky but you'll thank me when someone tries to wipe your database with SQL injection.

Also, you can use $_POST straight away, you don't need to load it in to another string, see the difference:

PHP код:

$pwhash = hash('whirlpool', $_POST[password]); 


in comparison to what you had before:

PHP код:

$pwhash = $_POST[password]; 
$pwhash = hash('whirlpool', $pwhash); 


And also you don't really need to make a string for your mysql query, but I'll stop there.