Registration Submit shows code

[wtvelocity]

I'm trying to program a PHP registration script, but when I click submit, it ends up DISPLAYING register.php instead of processing it.

Register.htm

Code:

<?php include('vdaemon.php'); ?>
<HTML>
<BODY>
<form name="login" method="post" action="register.php">
<table border="0" width="225" align="center">
    <tr>
        <td width="219" bgcolor="#999999">
            <p align="center"><font color="white"><span style="font-size:12pt;"><b>Registration</b></span></font></p>
        </td>
    </tr>
    <tr>
        <td width="219">
            <table border="0" width="282" align="center">
                    <tr>
                        <td width="116"><span style="font-size:10pt;">Name:</span></td>
                        <td width="156"><input type="text" name="name" maxlength="100"></td>
                    </tr>
                    <tr>
                        <td width="116"><span style="font-size:10pt;">Email:</span></td>
                        <td width="156"><input type="text" name="email" maxlength="100"></td>
                    </tr>
                <tr>
                    <td width="116"><span style="font-size:10pt;">Username:</span></td>
                    <td width="156"><input type="text" name="username"></td>
                </tr>
                <tr>
                    <td width="116"><span style="font-size:10pt;">Password:</span></td>
                    <td width="156"><input type="password" name="password"></td>
                </tr>
                <tr>
                    <td width="116">&nbsp;</td>
                        <td width="156">
                            <p align="right"><input type="submit" name="submit" value="Submit"></p>
                        </td>
                </tr>
            </table>
        </td>
    </tr>
    <tr>
        <td width="219" bgcolor="#999999">&nbsp;</td>
    </tr>
</table>
</form>
</BODY>
</HTML>

Register.php

Code:

$dbhost = "localhost";
$dbname = "wilddog_members";
$dbuser = "wilddog";
$dbpass = "(password)";

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());


$name = $_POST['name'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = $_POST['password'];



$name = $_POST['name'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = md5($_POST['password']);


$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");

$username_exist = mysql_num_rows($checkuser);

if($username_exist > 0){
    echo "I'm sorry but the username you specified has already been taken.  Please pick another one.";
    unset($username);
    include 'register.html';
    exit();
}


$query = "INSERT INTO users (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());
mysql_close();

echo "You have successfully Registered";

$yoursite = ‘ConquestOfAges.elementfx.com’;
$webmaster = ‘Christian Darwin’;
$youremail = ‘admin@conquestofages.exofire.com’;

$subject = "You have successfully registered at $yoursite...";
$message = "Dear $name, you are now registered at our web site.  
    To login, simply go to our web page and enter in the following details in the login form:
    Username: $username
    Password: $password
    
    Please print this information out and store it for future reference.
    
    Thanks,
    $webmaster";
    
mail($email, $subject, $message, "From: $yoursite <$youremail>\nX-Mailer:PHP/" . phpversion());
    
echo "Your information has been mailed to your email address.";
?>

Thanks for your time!

[descalzo]

Well, I now know your DB password by viewing that code.

[wtvelocity]

DO'OH!

Thanks for pointing that out, editing my post

[descalzo]

Forget the opening <?php ??

[wtvelocity]

Thanks, but now I got this error:


Parse error: syntax error, unexpected '=' in /home/wilddog/public_html/register.php on line 46

I don't see it X(

[descalzo]

PHP Code:

$yoursite = ‘ConquestOfAges.elementfx.com’;
$webmaster = ‘Christian Darwin’;
$youremail = ‘admin@conquestofages.exofire.com’; 


You used funky quotes. ' or " only.

[misson]

Register.php

PHP Code:

$name = $_POST['name'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = $_POST['password'];
...
$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
...
$query = "INSERT INTO users (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error()); 


This is vulnerable to SQL injection. You can escape the input values to prevent this, but the more modern and simpler approach is to use prepared statements (note: only parameters in prepared statements are invulnerable to SQL injection). Read "Writing MySQL Scripts with PHP and PDO" for more information on using the PDO driver (which has better support for prepared statements than mysqli).

Displaying the output of mysql_error() to users discloses too much information; it's both a security risk and doesn't offer users anything useful.