[Release] SSPORA - New Account Page


TheMagic
08-05-2009, 04:08 AM
Secure
Simple
Page
Of
Registration
(of)
Accounts

Credits:
Myself
Gachl


Based off of Yaart
Inspired by SPORA
Modified to support WotLK
CAPTCHA Image Verification - No more spammers
Password Verification - No more users creating 2nd accounts because of typos!
Drop down menu expansion chooser - No check-boxes that only allow TBC and WotLK
Securest account page available prevents:

SQL Injection
HTML Injection
Code Injection
Bots
Spammers
Remote file view
Remote include
Does not ask for e-mail - Who actually e-mails their users anyway ;)
Only 2 files required, no extra images needed for CAPTCHAs


Notes:

To change background image rename the image you want to use to bg.jpg

Changelog:

V2 - Added SPORA Background Support

http://img43.imageshack.us/img43/9339/hghygnhyghgnv.png


Demo (http://www.wow-pvp.org/SSPORA.php)

Download v1 (http://sspora.googlecode.com/files/SSPORA.php)
Download v2 (http://sspora.googlecode.com/files/SSPORAv2.zip)

SandersP
08-05-2009, 07:38 PM
Bump

TheMagic
08-08-2009, 03:09 AM
Added V2

PsyK
08-08-2009, 11:45 AM
In the demo your Buttons are off, they need to be fixed or use a style sheet to create absolute values.

Also the Captcha image and the box next to it are slightly off.

TheMagic
08-08-2009, 08:10 PM
Good enough for me, if people don't like it they can use V1, it took me forever just to get that centered that close :P

Dixx0912
09-10-2009, 07:17 AM
Does it work on MaNGOS?

Nick
09-13-2009, 06:28 AM
Securest account page available prevents:

SQL Injection
HTML Injection
Code Injection
Bots
Spammers
Remotefileview
Remoteinclude

Except it prevents nothing. I don't think you have the concept of this creation script yet. It prevents: password typos, spambots. That's it. HTML injection? You're using PHP functions; if anything it will be an SQL injection, and it's not even 100% secure because I could get an XSS exploit into that easy.. Oh wait, I believe I already have :o

One more thing, you're retarded, people use the email function. Forgotten passwords etc. script, to verify account details and much more. Go over your script and make a new thread with things that make sense.

TheMagic
09-16-2009, 01:20 AM
STFU, I just copied the description Gachl posted. If they want password recovery they should make a new DB for e-mails and it could look up the password and send it to them. You'd also need an auto-mailing system, which barely any servers even have set up.

timlinson
09-16-2009, 01:30 AM
Except it prevents nothing. I don't think you have the concept of this creation script yet. It prevents: password typos, spambots. That's it. HTML injection? You're using PHP functions; if anything it will be an SQL injection, and it's not even 100% secure because I could get an XSS exploit into that easy.. Oh wait, I believe I already have :o

One more thing, you're retarded, people use the email function. Forgotten passwords etc. script, to verify account details and much more. Go over your script and make a new thread with things that make sense.

You're a dumbass.

You think you're oh-so-good? You say you hacked WoW-Pwnage's site? Tell us then, what did you all do to it? If you can, show us, modify the site news.


You don't release anything, you only leech. GTFO!

Chr0nik
09-16-2009, 01:38 AM
You're a dumbass.

You think you're oh-so-good? You say you hacked WoW-Pwnage's site? Tell us then, what did you all do to it? If you can, show us, modify the site news.


You don't release anything, you only leech. GTFO!

Um, actually, he's quite correct. And he never claimed to release anything; I don't know how ethical hacking is leeching, but okay.
I'm not trying to flame anyone, just stating quite obvious facts that you seem to be oblivious to.

TheMagic
09-16-2009, 01:46 AM
Are you talking to me or him? I never said I hacked WoW-Pwnage. I posted a thread joking that my site got hacked, which used the source code of the hacked page with a funny YouTube video on it.

Sega1964
09-21-2009, 07:41 PM
Thank god, I've been looking for this!

TheMagic
09-23-2009, 11:51 PM
At least someone likes it

nathalia
09-24-2009, 03:29 PM
A little constructive feedback, if you want to make it even more secure: then strip off die(mysql_error()) everywhere. Showing errors can always prove to be fatal, as it tells the hacker something about the system of your application structures / databases etc.

TheMagic
09-26-2009, 02:10 AM
A quick Find and Replace shouldn't be too hard to remove them :P

expo
09-26-2009, 04:23 AM
A little constructive feedback, if you want to make it even more secure: then strip off die(mysql_error()) everywhere. Showing errors can always prove to be fatal, as it tells the hacker something about the system of your application structures / databases etc.

Or just turn off display_errors and log it.

TheMagic
09-27-2009, 02:42 AM
I think most people would want to see their errors though

expo
09-27-2009, 02:47 AM
Then wouldn't it make sense to output those mysql errors with a die statement?

Warning: the above question is rhetorical.
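The advice in the last few posts (strip the die(mysql_error()) calls, or turn off display_errors and log instead) amounts to one pattern: the driver's message goes to a log the admin reads, and the browser only gets a generic line. The following is an added example and not SSPORA's or Yaart's code; it assumes a PDO connection, and the SQLite database here exists only to provoke an error without needing a MySQL server. The function name runQuery and the reference-id format are assumptions.

```php
<?php
// Added example: logging database errors instead of echoing mysql_error().

ini_set('display_errors', '0');   // never render PHP warnings/notices to the client
ini_set('log_errors', '1');       // route them to the web server / php error log instead

// Runs one prepared statement. On failure the full driver message and the SQL
// are logged under a short reference id; the user only ever sees that id.
function runQuery(PDO $db, string $sql, array $params = []): ?PDOStatement {
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    } catch (PDOException $e) {
        $ref = bin2hex(random_bytes(4));
        // Detail (this would include the table name, the driver version string,
        // the exact failing query) stays server-side.
        error_log(sprintf('[db %s] %s | sql=%s', $ref, $e->getMessage(), $sql));
        // The user gets something they can quote to the admin, nothing more.
        echo "Database error, please try again later (ref $ref).";
        return null;
    }
}

// Constructed setup: an empty in-memory database, so the query below fails
// with "no such table", the kind of message die(mysql_error()) would print.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$result = runQuery($db, "SELECT login FROM accounts WHERE login = :login", [':login' => 'alice']);
var_dump($result === null); // bool(true): error handled, detail is in the log only
```

With display_errors off, a stray PHP notice (an undefined index, a deprecated mysql_* call) also stops reaching the page; the log remains the place to read it, which answers the "most people would want to see their errors" objection without showing them to every visitor.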

TheMagic
09-27-2009, 02:54 AM
I don't know much about how Gachl wrote the page. All I did was modify the drop-down menu for WotLK and remove some text boxes.

expo
09-28-2009, 12:30 AM
I don't know much about how Gachl wrote the page. All I did was modify the drop-down menu for WotLK and remove some text boxes.

Wow, so you had to act like you made it so much better. Must have been so difficult with minimal effort.

TheMagic
09-28-2009, 12:36 AM
It's a lot better in my opinion, I didn't see anyone else updating Yaart

Sinnical
09-28-2009, 12:43 AM
Very Nice.

TheMagic
09-28-2009, 12:45 AM
Ty ;)

expo
09-28-2009, 02:18 AM
It's a lot better in my opinion, I didn't see anyone else updating Yaart

Meh, it just seems like very little was done for it.

marmita
09-28-2009, 07:17 PM
EDIT: I was wrong, didn't read the credits :>

It's nice but .. not secure..

I'm not saying it's bad, but.. a tip for the next version (if there will be):
make it much more secure than it is now; a hacker can easily delete the whole database..

Well, GL in the future.

And people, don't flame his script. Everyone made some wrong things, and be happy he did it wrong: if you do it wrong you can always make it better in the future.


Sorry for my bad English, but yeah.. I'm Dutch :p

TheMagic
09-28-2009, 09:28 PM
Can you explain how this could be done? I know with every account page there is always some type of bug, but I didn't know that anything severe as that could be done.

expo
09-28-2009, 10:59 PM
I was gonna try to SQL inject it, but I didn't feel like it. At a glance, the only thing I saw making the SQL secure was trim().
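The first post's claim that the page prevents SQL injection and expo's remark that trim() is the only thing guarding the SQL come down to the same question: is user input ever pasted into the query string? The block below is an added example, not code from SSPORA or Yaart, showing the concatenated query beside a prepared statement. It runs against an in-memory SQLite table whose name and column (accounts / login) follow the $atable and $usernamefield settings posted later in this thread; the table layout, the two sample rows and the function names are assumptions.

```php
<?php
// Added example: why trim() is not an SQL-injection defence, and what is.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE accounts (id INTEGER PRIMARY KEY, login TEXT NOT NULL UNIQUE)");
    foreach (['alice', 'bob'] as $name) {            // constructed sample rows
        $db->exec("INSERT INTO accounts (login) VALUES ('$name')");
    }
    return $db;
}

// The pattern being argued about: trim() and then string concatenation.
// trim() strips whitespace; quotes and comment markers pass straight through.
function loginTakenVulnerable(PDO $db, string $login): bool {
    $login = trim($login);
    $sql = "SELECT COUNT(*) FROM accounts WHERE login = '$login'";
    return (int)$db->query($sql)->fetchColumn() > 0;
}

// Hardened: the value is bound as a parameter after the statement is parsed,
// so whatever it contains, it can only ever be compared as a string.
function loginTakenSafe(PDO $db, string $login): bool {
    $stmt = $db->prepare("SELECT COUNT(*) FROM accounts WHERE login = :login");
    $stmt->execute([':login' => trim($login)]);
    return (int)$stmt->fetchColumn() > 0;
}

// Input that names no existing account but turns the concatenated WHERE clause
// into a tautology. Through mysql_query() stacked statements are not possible,
// but UNION, subqueries and the same trick against the INSERT are.
$payload = "nobody' OR '1'='1";

$db = openDb();
var_dump(loginTakenVulnerable($db, $payload)); // bool(true): query was rewritten
var_dump(loginTakenSafe($db, $payload));       // bool(false): treated as a literal name
var_dump(loginTakenSafe($db, '  alice '));     // bool(true): trim() still does its real job
```

The same binding applies to the INSERT that creates the account; once every value travels as a parameter, the allow-list on usernames becomes a usability rule rather than the only thing standing between the form and the database.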

mcclaink
10-14-2009, 01:45 AM
I'm TOTALLY noob to this
and have been trying to get an acc creation page
for like a week now,
instructions would be excellent!
+rep to whoever helps me

expo
10-14-2009, 02:22 AM
I'm TOTALLY noob to this
and have been trying to get an acc creation page
for like a week now,
instructions would be excellent!
+rep to whoever helps me

First, do you have apache running?

If so, have you configured SSPORA?

If so, I can take a look on TeamViewer.

Just let me know who you are on AC-Web.

mcclaink
10-14-2009, 04:07 AM
Configured SSPORA?
Is it an actual program?
The download only came with a .php and a .jpg file.

expo
10-14-2009, 05:48 PM
Configured SSPORA?
Is it an actual program?
The download only came with a .php and a .jpg file.

And inside the PHP file you have to change some of the top variables.

mcclaink
10-14-2009, 06:20 PM
Yeah, done all that.
Edited localhost or whatever it was
to my DynDNS

err, edited $server to my DynDNS

TheMagic
10-22-2009, 07:43 PM
You have a webserver, right? Like XAMPP?

And make sure it's configured similar to this:

$dburl = "127.0.0.1";
$dbuser = "root";
$dbpass = "ascent";
$dbwname = "logon";
$dbiname = "info";
$enableic = "false";
$itable = "info";
$atable = "accounts";
$usernamefield = "login";
$emailfield = "email";

Elfandor
10-22-2009, 07:49 PM
Does it support MaNGOS?

TheMagic
11-15-2009, 09:03 PM
Not yet, but support for MaNGOS may be added in the future

Epix
01-07-2010, 02:15 PM
Nice and simple, I love it!

xzandra
01-07-2010, 08:05 PM
This looks really good! :) +rep

Gimp
01-07-2010, 10:28 PM
Not yet, but support for MaNGOS may be added in the future

Here's the PHP code for a MaNGOS registration script. I was going to try converting your registration page to MaNGOS, but yours is quite complicated and I'm just learning PHP still.

<?php
/*Config*/

$realmd = array(
    'db_host'     => 'localhost', // ip of realmd db
    'db_username' => 'mangos',    // realm user
    'db_password' => '',          // realm password
    'db_name'     => 'realmd',    // realm db name
);


///////////////Start script//////////////////

/*
Function name: CHECK FOR SYMBOLS
Description: returns TRUE if the string contains a character outside the
allowed set ( TRUE = NOT OK ) ( FALSE = OK ). The original comment had this
the wrong way round; the caller below treats TRUE as an error.
*/
function check_for_symbols($string){
    $len = strlen($string);
    // Letters only. The space that appeared in the middle of this list in the
    // forum post was a line-wrap artifact and would have let spaces through.
    $alowed_chars = "abcdefghijklmnopqrstuvwxyzæøåABCDEFGHIJKLMNOPQRSTUVWXYZÆØÅ";
    for ($i = 0; $i < $len; $i++) {
        if (strstr($alowed_chars, $string[$i]) === false) return TRUE;
    }
    return FALSE;
}

/*
Function name: OUTPUT USERNAME:PASSWORD AS SHA1 hash
Description: MaNGOS stores sha_pass_hash = SHA1(UPPER(user) . ':' . UPPER(pass)).
*/
function sha_password($user, $pass){
    $user = strtoupper($user);
    $pass = strtoupper($pass);

    return sha1($user . ':' . $pass);
}

if (isset($_POST['registration'])){
    /*Connect and Select*/
    // mysql_* is kept as in the original; that extension was removed in PHP 7,
    // where mysqli or PDO (with prepared statements) replaces it.
    $realmd_bc_new_connect = mysql_connect($realmd['db_host'], $realmd['db_username'], $realmd['db_password']);
    $selectdb = $realmd_bc_new_connect ? mysql_select_db($realmd['db_name'], $realmd_bc_new_connect) : false;
    if (!$realmd_bc_new_connect || !$selectdb){
        echo "Could NOT connect to db, please check the config part of the file!";
        die;
    }

    /*Checks*/
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $rawpass  = isset($_POST['password']) ? $_POST['password'] : '';

    // Validate BEFORE the first query. The original ran the SELECT with the raw
    // username and only checked for symbols afterwards, so that query was never
    // covered by the allow-list.
    if ($username === '' || $rawpass === '' || check_for_symbols($rawpass) == TRUE || check_for_symbols($username) == TRUE){
        echo "Error with creating account, might already be in use or your username / password has invalid symbols in it.";
    }else{
        $password = sha_password($username, $rawpass);
        // Escape as well; do not rely on the allow-list alone.
        $username = mysql_real_escape_string($username, $realmd_bc_new_connect);

        $qry_check_username = mysql_query("SELECT username FROM `account` WHERE username='$username'", $realmd_bc_new_connect);

        if (!$qry_check_username || mysql_num_rows($qry_check_username) != 0){
            echo "Error with creating account, might already be in use or your username / password has invalid symbols in it.";
        }else{
            mysql_query("INSERT INTO account (username,sha_pass_hash) VALUES
                ('$username','$password')", $realmd_bc_new_connect); // Insert into database.
            echo "Account created.";
        }
    }


}else{
///////////////Stop script, Start HTML//////////////////
?>


<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="POST">
Username <input type="text" name="username">

Password <input type="password" name="password">

<input type="submit" name="registration" value="Register">
</form>


<?php
// Do not remove this;)
}
?>

terron1
01-22-2010, 08:41 PM
Warning: session_start() [function.session-start]: open(..\Server\tmp\sess_73ae6a6c2aaf4dbd880a744145 a266b8, O_RDWR) failed: No such file or directory (2) in C:\WRMZ-EMU V2\Server\htdocs\SSPORA.php on line 281

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\WRMZ-EMU V2\Server\htdocs\SSPORA.php:281) in C:\WRMZ-EMU V2\Server\htdocs\SSPORA.php on line 281

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\WRMZ-EMU V2\Server\htdocs\SSPORA.php:281) in C:\WRMZ-EMU V2\Server\htdocs\SSPORA.php on line 281

Any ideas? BTW, it doesn't show any images.
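The three warnings quoted above say the same thing twice over: something had already been sent to the browser before session_start() ran on line 281, so PHP could neither set the session cookie nor the cache headers, and a CAPTCHA answer kept in the session then has nothing to be checked against. The first warning additionally says the session save path (..\Server\tmp) does not exist on that machine, which is a php.ini session.save_path setting, not a script problem. The block below is an added example, not SSPORA's code, of the ordering that avoids the warnings: session_start() as the first statement, before any HTML, blank line or BOM, with a minimal one-time CAPTCHA check stored in the session. The function names, the alphabet and the form are assumptions.

```php
<?php
// Added example: session_start() must run before a single byte of output.
// A blank line or UTF-8 BOM ahead of the opening <?php tag, or an echo higher
// up the file, is enough to produce the "headers already sent" warnings.
session_start();

// Issue a new challenge. Only its hash goes into the session; the code itself
// is what gets drawn into the CAPTCHA image (image rendering is out of scope).
function captcha_issue(int $length = 6): string {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I lookalikes
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha_hash'] = hash('sha256', strtoupper($code));
    return $code;
}

// Verify and consume. The stored hash is removed before the comparison, so a
// correct answer works exactly once: a bot cannot solve one image and replay
// the answer for every registration attempt.
function captcha_check(string $answer): bool {
    if (!isset($_SESSION['captcha_hash'])) {
        return false;
    }
    $expected = $_SESSION['captcha_hash'];
    unset($_SESSION['captcha_hash']);
    return hash_equals($expected, hash('sha256', strtoupper(trim($answer))));
}

if (isset($_POST['captcha'])) {
    echo captcha_check($_POST['captcha']) ? "CAPTCHA ok" : "CAPTCHA wrong or expired";
    // account creation would follow a successful check here
}

$code = captcha_issue();
// ... render the image for $code; all HTML output starts below this line ...
?>
<form method="POST">
CAPTCHA <input type="text" name="captcha" autocomplete="off">
<input type="submit" value="Check">
</form>
```

If the file must emit something before the session is available (a template header, for instance), ob_start() at the top buffers the output so the cookie headers can still be sent; fixing the order is the cleaner solution.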

TheMagic
03-10-2010, 11:15 PM
Bumper

http://www.have-fun-in-the-southwest.com/images/BoondocksBumperBoat.gif

didyoudielol
03-10-2010, 11:37 PM
Well, I think it looks good. Keep up the work, Magic. I agree it's simple looking, but hey, simple works. Some shit I have seen here looks so fucking complicated to use you would need to be a rocket scientist, lol.

Jgro1413
03-13-2010, 11:33 PM
The whole thing looks extremely messed up for me?

TheMagic
05-12-2010, 01:39 PM
You have to have a MySQL server running and have it stored on a webserver.

xxgameovaxx
05-12-2010, 11:39 PM
Is this ArcEmu?

Rewrite
05-18-2010, 01:20 AM
Nice!
Bump!