Comments

Missing Data";}} else { // check that username and password are legal to avoid MySQL injection if (ereg("[^a-zA-Z0-9]",$username)||ereg("[^a-zA-Z0-9!]",$password)) { $myemail="jan@stuif.com"; $subject="Login attempt with illegal characters"; $content="Login attempt with $username ($password)"; $headers = "From: webmaster@waterfallsofmalaysia.com.com\r\n"; $headers .= "Return-Path: webmaster@waterfallsofmalaysia.com.com\r\n"; mail($myemail,$subject,$content,$headers); $username= "illegal";$password="illegal"; } // else { } $query="SELECT code_id,name FROM commenters WHERE username='$username' AND password='$password'"; $result=mysql_query($query); $num=mysql_num_rows($result); if ($num) { list($WOMuser_id,$name)=mysql_fetch_row($result); $WOMloginok='1'; setcookie("WOMloginok",$WOMloginok); setcookie("WOMuser_id",$WOMuser_id); setcookie("name",$name); } else {$login=1;$error="Wrong Login Info "; $myemail="jan@stuif.com"; $subject="Wrong Login Info"; $content="Login with $username ($password)"; $headers = "From: webmaster@waterfallsofmalaysia.com.com\r\n"; $headers .= "Return-Path: webmaster@waterfallsofmalaysia.com.com\r\n"; mail($myemail,$subject,$content,$headers); } } } if ($send) { if (!$email) {$forgot=1;$warning="Missing E-mail";} else {$query="SELECT name,username,password FROM commenters WHERE email=\"$email\""; $result=mysql_query($query); $num=mysql_num_rows($result); if ($num) {$login=1; list($name,$username,$password)=mysql_fetch_row($result); $subject="You forgot your login info"; $content="Dear $name,\nYour username is: $username\nYour password is: $password\n"; $headers = "From: webmaster@waterfallsofmalaysia.com\r\n"; $headers .= "Cc: webmaster@waterfallsofmalaysia.com\r\n"; $headers .= "Return-Path: webmaster@waterfallsofmalaysia.com\r\n"; mail($email,$subject,$content,$headers); } else {$forgot=1;$warning="Unknown e-mail address";} } } ?> Comments

Illegal characters in username";} elseif (!ereg('[_a-zA-z0-9\-]+(\.[_a-zA-z0-9\-]+)*\@' . '[_a-zA-z0-9\-]+(\.[a-zA-z]{1,3})+', $newemail)){$newuser=1;$warning="Invalid email address";} elseif ($num) {$newuser=1;$warning="Username exists already";} elseif ($num1) {$newuser=1;$warning="This email address has been registered already";} else { $password=mkpasswd();$code_id=generatecode($length); $query="INSERT INTO commenters (name,email,username,password,mailinglist,code_id) VALUES ('$newname','$newemail','$newusername','$password','$mailinglist','$code_id')"; $result=mysql_query($query); $subject="Welcome to Waterfalls of Malaysia"; $content="Dear $newname,\nYour username is: $newusername\nYour password is: $password\nGo to http://waterfallsofmalaysia.com.com and login\n$listtext"; $headers = "From: webmaster@waterfallsofmalaysia.com.com\r\n"; $headers .= "Cc: webmaster@waterfallsofmalaysia.com.com\r\n"; $headers .= "Return-Path: webmaster@waterfallsofmalaysia.com.com\r\n"; mail($newemail,$subject,$content,$headers); echo"

Waterfalls of Malaysia\n

A confirmation mail with your password has been sent to your e-mail address $newemail\n"; } } else {$newuser=1;$warning="Missing Data";} } elseif ($userupdate) { if ($newname&&$newusername&&$newemail&&$newpassword&&$confirmpassword) { $query="SELECT id FROM commenters WHERE BINARY username='$newusername' AND code_id != '$WOMuser_id'"; $result=mysql_query($query); $num=mysql_num_rows($result); $query="SELECT id FROM commenters WHERE email='$newemail' AND code_id != '$WOMuser_id'"; $result=mysql_query($query); $num1=mysql_num_rows($result); if (ereg("[^a-zA-Z0-9]",$newusername)) {$preferences=1;$warning="Illegal characters in username";} elseif (!ereg('[_a-zA-z0-9\-]+(\.[_a-zA-z0-9\-]+)*\@' . '[_a-zA-z0-9\-]+(\.[a-zA-z]{1,3})+', $newemail)){$preferences=1;$warning="Invalid email address";} elseif ($num) {$preferences=1;$warning="Username exists already";} elseif ($num1) {$preferences=1;$warning="This email address has been registered already";} elseif ($newpassword != $confirmpassword) {$preferences=1;$warning="Passwords don't match";} else { $query="UPDATE commenters SET name='$newname',email='$newemail',username='$newusername',password='$newpassword',mailinglist='$mailinglist' WHERE code_id='$WOMuser_id'"; $result=mysql_query($query); echo"

Your user data have been updated\n"; } } else {$preferences=1;$warning="Missing Data";} } elseif ($submit1) { if ($comment) { $pos = stripos($comment, '