if ($actnum < 0){$actnum = $actnum + ($actnum*-2)}
no entiendo cual pueda ser el problema,aqui les dejo los archivos para saber si alguien sabe cual puede ser mi problema.
add.php
Cita:
signup.php<?PHP
//retrieve al the variables that had been submited by the from
$username1 = $HTTP_POST_VARS["username"];
$mailadres1 = $HTTP_POST_VARS["mailadres"];
$password1 = $HTTP_POST_VARS["password"];
$confirmpassword1 = $HTTP_POST_VARS["confirmpassword"];
//generate an random number for the user neede to activate there account
$actnum = rand( 1,999999999999);
//make sure that the activation number is positive (YES it can happen that the number is negatief.)
if ($actnum < 0){$actnum = $actnum + ($actnum*-2)}
//set the error variable to an empty string.
$error = "";
//check it the fields are not empty. if they are, append the error to the error variable ($error)
if ($username1 == ""){$error = "$error<li>No username given<BR>\n";}
if ($password1 == ""){$error = "$error<li>No password given<BR>\n";}
if ($mailadres1== ""){$error = "$error<li>No mailadres given<BR>\n";}
//check if the passwords match. if they don't append the error to the error variable ($errir)
if ($password1 <> $confirmpassword1) {$error = "$error<li>Passwords do not match<BR>\n";}
// let the config.php file make an database connection
include("config.php");
//make an query which checks if the username OR the emailadres ar in the database. if they are append an error.
$query = "Select * from signup where username='$username1' or mailadres='$mailadres1'";
$result = mysql_query($query);
if ($row = mysql_fetch_array($result)){
if ($row["username"] == $username1){$error = "$error<li>Your username is already used by another member<br>\n";}
if ($row["mailadres"] == $mailadres1){$error = "$error<li>Your e-mail adres is already registrated in our database<br>\n";}
}
//if ther error variable is still an empty string. The summission was oke and you can start proccesing the submission
if ($error == ""){
//first we check wat the date and time is for the signupdate field
$datetime = date("d-m-Y G:i ");
//then we submit al this to the database
$query = "INSERT INTO signup (username, password, mailadres, actnum, userlevel, signupdate ,lastlogin, lastloginfail, numloginfail) VALUES ('$username1','$password1','$mailadres1','$actnum' , '1', '$datetime','0','0','0')";
$result = mysql_query($query);
//and we make an (e-mail)message which contains the activation numer
//also possible is to put a link in that message like :
//http:// your url /activate.php?username=$username1&actnum=$actnum
//this would allow the user to direcly submit there activation without having to enter
//al the data again in the activation form
$message = "Activation number: $actnum";
// mail the message to the user
mail($mailadres1, "Sign up script user activationcode", $message, "From: Sign-up script");
// and redirect the user to the activation page
header("Location: activate.php");
}
else
//if $error is no longer a empty stirng there must have been error in the submision.
//here we echo an nice line which says there are a coulple of errors and we onpen an
//unorder list (just the <ul> tag) and we prinnt the error. also we include a link back to the
//sign-upform
{echo "You could not be added to the database because of the following reasons<ul>
$error
</ul>Please return to <a href=\"signup.php\">signup form</a> and try again.";
}
?>
//retrieve al the variables that had been submited by the from
$username1 = $HTTP_POST_VARS["username"];
$mailadres1 = $HTTP_POST_VARS["mailadres"];
$password1 = $HTTP_POST_VARS["password"];
$confirmpassword1 = $HTTP_POST_VARS["confirmpassword"];
//generate an random number for the user neede to activate there account
$actnum = rand( 1,999999999999);
//make sure that the activation number is positive (YES it can happen that the number is negatief.)
if ($actnum < 0){$actnum = $actnum + ($actnum*-2)}
//set the error variable to an empty string.
$error = "";
//check it the fields are not empty. if they are, append the error to the error variable ($error)
if ($username1 == ""){$error = "$error<li>No username given<BR>\n";}
if ($password1 == ""){$error = "$error<li>No password given<BR>\n";}
if ($mailadres1== ""){$error = "$error<li>No mailadres given<BR>\n";}
//check if the passwords match. if they don't append the error to the error variable ($errir)
if ($password1 <> $confirmpassword1) {$error = "$error<li>Passwords do not match<BR>\n";}
// let the config.php file make an database connection
include("config.php");
//make an query which checks if the username OR the emailadres ar in the database. if they are append an error.
$query = "Select * from signup where username='$username1' or mailadres='$mailadres1'";
$result = mysql_query($query);
if ($row = mysql_fetch_array($result)){
if ($row["username"] == $username1){$error = "$error<li>Your username is already used by another member<br>\n";}
if ($row["mailadres"] == $mailadres1){$error = "$error<li>Your e-mail adres is already registrated in our database<br>\n";}
}
//if ther error variable is still an empty string. The summission was oke and you can start proccesing the submission
if ($error == ""){
//first we check wat the date and time is for the signupdate field
$datetime = date("d-m-Y G:i ");
//then we submit al this to the database
$query = "INSERT INTO signup (username, password, mailadres, actnum, userlevel, signupdate ,lastlogin, lastloginfail, numloginfail) VALUES ('$username1','$password1','$mailadres1','$actnum' , '1', '$datetime','0','0','0')";
$result = mysql_query($query);
//and we make an (e-mail)message which contains the activation numer
//also possible is to put a link in that message like :
//http:// your url /activate.php?username=$username1&actnum=$actnum
//this would allow the user to direcly submit there activation without having to enter
//al the data again in the activation form
$message = "Activation number: $actnum";
// mail the message to the user
mail($mailadres1, "Sign up script user activationcode", $message, "From: Sign-up script");
// and redirect the user to the activation page
header("Location: activate.php");
}
else
//if $error is no longer a empty stirng there must have been error in the submision.
//here we echo an nice line which says there are a coulple of errors and we onpen an
//unorder list (just the <ul> tag) and we prinnt the error. also we include a link back to the
//sign-upform
{echo "You could not be added to the database because of the following reasons<ul>
$error
</ul>Please return to <a href=\"signup.php\">signup form</a> and try again.";
}
?>
Cita:
login.php<?PHP
// this page doesn't has any php code to explain.
?>
<html>
<head>
<title>Sign-up</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<form name="form1" method="post" action="add.php">
<h1> Sign-up</h1>
<p> Username:
<input name="username" type="text" id="Username">
<br>
Password:
<input name="password" type="password" id="password">
Password (confirm):
<input name="confirmpassword" type="password" id="confirmpassword">
<br>
E-mail adres
<input name="mailadres" type="text" id="mailadres">
<br>
<input type="submit" value="Sign-up">
<br>
If you already have an account you can login <a href="login.php">here</a>.</p>
</form>
</body>
</html>
// this page doesn't has any php code to explain.
?>
<html>
<head>
<title>Sign-up</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<form name="form1" method="post" action="add.php">
<h1> Sign-up</h1>
<p> Username:
<input name="username" type="text" id="Username">
<br>
Password:
<input name="password" type="password" id="password">
Password (confirm):
<input name="confirmpassword" type="password" id="confirmpassword">
<br>
E-mail adres
<input name="mailadres" type="text" id="mailadres">
<br>
<input type="submit" value="Sign-up">
<br>
If you already have an account you can login <a href="login.php">here</a>.</p>
</form>
</body>
</html>
Cita:
<?PHP
//retrieve the submitted values
$username1 = $HTTP_POST_VARS["username"];
$password1 = $HTTP_POST_VARS["password"];
//let the config.php file connect to the database
include("config.php");
//check it the username exist/
$query = "Select * from signup where username='$username1'";
$result = mysql_query($query);
if ($row = mysql_fetch_array($result)){
//check if his account is activated
if ($row[actnum] == 0){
//and check if his account is not loccked.
if ($row[numloginfail] <= 5){
//finally we check the database to see if the password is correct.
if ($row[password] == $password1){
//we determin the date for the lastlogin - field.
$datetime = date("d-m-Y G:i ");
//and we update that field
$query = "UPDATE signup Set lastlogin = '$datetime' where username='$username1'";
$result = mysql_query($query);
//now that the correct password is used to log-in, reset the numloginfail-field to 0
$query = "UPDATE signup Set numloginfail = '0' where username='$username1'";
$result = mysql_query($query);
//create an session
session_start();
//put the password in the session
$pass = $password1;
session_register("pass");
//put the username in the session
$id = $username1;
session_register("id");
//go to the secured page.
header("Location: members/index.php");
}
else{
//else the password is incorrect. Therofore we have to update the numloginfield and lastloginfail field
//first we set $datetime to the current time in a format that we can use to calculate with.
$datetime = date("d")*10000000000 + date("m")*100000000 + date("Y")*10000 + date("G")*100 + date("i");
//then we check if the last log-in fail was less than 5 minutes ago.
if ($row[lastloginfail] >= ($datetime-5)){
//if it is we update both the numloginfail & the lastloginfail fields.
$query = "UPDATE signup Set numloginfail = numloginfail + 1 where username='$username1'";
$result = mysql_query($query);
$query = "UPDATE signup Set lastloginfail = '$datetime' where username='$username1'";
$result = mysql_query($query);
}
else{
//if it is more than 5 minutes ago, just set the lastloginfail field.
$query = "UPDATE signup Set lastloginfail = '$datetime' where username='$username1'";
$result = mysql_query($query);
}
//and ofcourse we tell the user that his log-in failed.
makeform("Incorrect login");}
}
//if the numloginfail value is larger than 5 that means there someone tryed to break the password by brute force
//we will now check how long ago the lock was engaged. it is is more than half an hour ago is, then we will unlock the account
//and ask the user to login 1 more time to validate it is really him.
else {
$datetime = date("d")*10000000000 + date("m")*100000000 + date("Y")*10000 + date("G")*100 + date("i");
if ($row[lastloginfail] <= ($datetime-30)){
//set the numloginfail value to 5 so the user has 1 change to enter his password.
$query = "UPDATE signup Set numloginfail = '5' where username='$username1'";
$result = mysql_query($query);
//ask the user to enter his username/password once again.
makeform("This account was attackted. Therefore it was locked. To terminate the lock log-in with you correct loginname and password. After this log-in the lock will be terminated and you can you use our account as normal<BR> NOTE: make sure you do not make any type errors. This would activate the lock again.");
}
else{
//if it is less than 30 minutes ago ask the user to wait untill the lock is released again.
echo "This account is under attack. Please wait an until the account is released again.";
}
}
}
//if the actnum is other than 0 that means the account has not been activated yet.
//
else{
makeform("This account has not been activated yet.");
}
}
//if the username does not exist we check it is filled in.
else{
//if it isn't filled we assum that this is the page load and we show the form without an error.
if ($username1 == ""){
makeform("");
}
else {
//if the form is filled it that means that the username does not exist. Therefore we show the form
//with an error. We can not change the numloginfail or lastloginfail fields for the brute forece attack
//because the attack isn't pointed at a user.
makeform("Incorrect login");
}
}
//this function shows the form.
function makeform($errormessage){
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>LOG-IN</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<h1>log-in</h1>
<?PHP
//print the error message
echo "<font color=\"#FF0000\"><strong>$errormessage</strong></font><br>"; ?>
<form name="form1" method="post" action="login.php">
<p>username:
<input name="username" type="text" id="username">
<br>
password:
<input name="password" type="password" id="password">
<br>
<input type="submit" value="LOG IN">
</p>
</form>
<a href="forgot.php">forgot password</a> <br>
<a href="signup.php">get an account</a>
</body>
</html>
<?php } ?>
//retrieve the submitted values
$username1 = $HTTP_POST_VARS["username"];
$password1 = $HTTP_POST_VARS["password"];
//let the config.php file connect to the database
include("config.php");
//check it the username exist/
$query = "Select * from signup where username='$username1'";
$result = mysql_query($query);
if ($row = mysql_fetch_array($result)){
//check if his account is activated
if ($row[actnum] == 0){
//and check if his account is not loccked.
if ($row[numloginfail] <= 5){
//finally we check the database to see if the password is correct.
if ($row[password] == $password1){
//we determin the date for the lastlogin - field.
$datetime = date("d-m-Y G:i ");
//and we update that field
$query = "UPDATE signup Set lastlogin = '$datetime' where username='$username1'";
$result = mysql_query($query);
//now that the correct password is used to log-in, reset the numloginfail-field to 0
$query = "UPDATE signup Set numloginfail = '0' where username='$username1'";
$result = mysql_query($query);
//create an session
session_start();
//put the password in the session
$pass = $password1;
session_register("pass");
//put the username in the session
$id = $username1;
session_register("id");
//go to the secured page.
header("Location: members/index.php");
}
else{
//else the password is incorrect. Therofore we have to update the numloginfield and lastloginfail field
//first we set $datetime to the current time in a format that we can use to calculate with.
$datetime = date("d")*10000000000 + date("m")*100000000 + date("Y")*10000 + date("G")*100 + date("i");
//then we check if the last log-in fail was less than 5 minutes ago.
if ($row[lastloginfail] >= ($datetime-5)){
//if it is we update both the numloginfail & the lastloginfail fields.
$query = "UPDATE signup Set numloginfail = numloginfail + 1 where username='$username1'";
$result = mysql_query($query);
$query = "UPDATE signup Set lastloginfail = '$datetime' where username='$username1'";
$result = mysql_query($query);
}
else{
//if it is more than 5 minutes ago, just set the lastloginfail field.
$query = "UPDATE signup Set lastloginfail = '$datetime' where username='$username1'";
$result = mysql_query($query);
}
//and ofcourse we tell the user that his log-in failed.
makeform("Incorrect login");}
}
//if the numloginfail value is larger than 5 that means there someone tryed to break the password by brute force
//we will now check how long ago the lock was engaged. it is is more than half an hour ago is, then we will unlock the account
//and ask the user to login 1 more time to validate it is really him.
else {
$datetime = date("d")*10000000000 + date("m")*100000000 + date("Y")*10000 + date("G")*100 + date("i");
if ($row[lastloginfail] <= ($datetime-30)){
//set the numloginfail value to 5 so the user has 1 change to enter his password.
$query = "UPDATE signup Set numloginfail = '5' where username='$username1'";
$result = mysql_query($query);
//ask the user to enter his username/password once again.
makeform("This account was attackted. Therefore it was locked. To terminate the lock log-in with you correct loginname and password. After this log-in the lock will be terminated and you can you use our account as normal<BR> NOTE: make sure you do not make any type errors. This would activate the lock again.");
}
else{
//if it is less than 30 minutes ago ask the user to wait untill the lock is released again.
echo "This account is under attack. Please wait an until the account is released again.";
}
}
}
//if the actnum is other than 0 that means the account has not been activated yet.
//
else{
makeform("This account has not been activated yet.");
}
}
//if the username does not exist we check it is filled in.
else{
//if it isn't filled we assum that this is the page load and we show the form without an error.
if ($username1 == ""){
makeform("");
}
else {
//if the form is filled it that means that the username does not exist. Therefore we show the form
//with an error. We can not change the numloginfail or lastloginfail fields for the brute forece attack
//because the attack isn't pointed at a user.
makeform("Incorrect login");
}
}
//this function shows the form.
function makeform($errormessage){
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>LOG-IN</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<h1>log-in</h1>
<?PHP
//print the error message
echo "<font color=\"#FF0000\"><strong>$errormessage</strong></font><br>"; ?>
<form name="form1" method="post" action="login.php">
<p>username:
<input name="username" type="text" id="username">
<br>
password:
<input name="password" type="password" id="password">
<br>
<input type="submit" value="LOG IN">
</p>
</form>
<a href="forgot.php">forgot password</a> <br>
<a href="signup.php">get an account</a>
</body>
</html>
<?php } ?>
