[In Prod.] Enhanced Registration


Hello peeps,

I am wrapping up an "Enhanced Registration" module that I have been trying to work on in between work, jury duty, and school. This should be done relatively soon but it is kind of an overhaul of the current system. It is a multi-step system (it's not too much for the player to do) but it does weed out people who are not really interested in playing the game.

What this system does:

  1. Different password encryption methods
    • Admin can change them on the fly
    • Will not impact currently registered users on change
      • By default it is set up to MD5 because 99% of MCC games are MD5
  2. Email Verification
    • At time of registration they supply only email and username
      • The email will send a temp password (plain text) to the player
      • They use the temp password to generate their real password
      • Then they select their gender since most games still use a gender system
  3. Then they get inserted into the game
    • They are automatically logged in for ease of use


What this system will do:

 

 

  1. For the most part I need to create the entire staff panel
    • Everything will be configurable on fly:
      • Encryption type
      • Min/Max username length
      • Min/Max password length
      • Flag users when the encryption method changes (Yes/No) to keep their passwords current
      • Registration Captcha Length/Color (ehhhh, why not)
      • Default Password (one sent in email) Length
      • Email Template

 

 

 

The current email template looks like this:

[Image: screenshot of the email template]

It is nothing fancy but I figure it is a bit better than a plain text email. And what I am thinking about doing is going one step further with the user password change is possibly making it so they SHOULD change their password every "X" months for enhanced security?

So I am looking for potential buyers (of course) and if you have any ideas before I do finish it up I can maybe add in real quick, inquiries, comments, etc feel free to post below.

If your question is about the price, I will answer that right now. IDK yet!!! Maybe I will take reasonable offers for this system.


Ugh, MD5..

Other than the obvious flaw with using MD5, your system is decent. I like it :)

To battle the MD5 flaw, I'd do something like this:

ALTER TABLE `users` 
ADD `newpass` ENUM('yes','no') NOT NULL DEFAULT 'no',
CHANGE `userpass` `userpass` TEXT NOT NULL;

Then run a select upon the authenticate (which it does, you'll just need to add in `newpass`)

// SHA-512 crypt with a fixed cost. The salt is hard-coded, so it is the same for every user.
function mtgCrypt($pass) {
    return crypt($pass, '$6$rounds=5000$someSaltHard_CodedIn$');
}

// $r is the row selected during authentication (with `newpass` added to the select).
// === compares the hash strings as strings; == can treat "0e..." hashes as equal numbers.
if ((md5($_POST['password']) === $r['userpass'] AND $r['newpass'] == 'no') OR (mtgCrypt($_POST['password']) === $r['userpass'] AND $r['newpass'] == 'yes')) {
    // Correct details entered. Update the user's password to the new system.
    if ($r['newpass'] == 'no') {
        $db->query("UPDATE `users` SET `userpass` = '".mtgCrypt($_POST['password'])."', `newpass` = 'yes' WHERE `userid` = ".$r['userid']);
    }
    // Handle the rest of the login
    $_SESSION['userid'] = $r['userid'];
    $_SESSION['loggedin'] = true;
    header("Location: loggedin.php");
    exit;
} else {
    // Login failed. Send them back to login.php with details as to why or handle it here
}

 

Using something like this system is how I've managed to convert multiple games using MD5 into something (currently) irreversible.

Try it, and see what happens ;)
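
Added example, not part of the thread or either poster's code: the same upgrade-on-login idea with a per-row algorithm tag instead of a yes/no flag, so the configured target can change without breaking existing logins, and with a per-user salt via password_hash(). It assumes PHP >= 5.6 (newer than the module's stated minimum); the `algo` column, the function names and the in-memory `$users` array standing in for the `users` table are hypothetical.

```php
<?php
// Added illustration. Assumes PHP >= 5.6 for password_hash(), password_verify(),
// password_needs_rehash() and hash_equals(). All names here are hypothetical.

// Constructed sample rows standing in for the `users` table.
$users = array(
    'alice' => array('algo' => 'md5',    'userpass' => md5('correct horse')),
    'bob'   => array('algo' => 'bcrypt', 'userpass' => password_hash('hunter2!', PASSWORD_BCRYPT)),
);

// Verify a password against the algorithm recorded for that row.
function check_hash($algo, $plain, $stored) {
    switch ($algo) {
        case 'md5':
            return hash_equals($stored, md5($plain)); // constant-time string compare
        case 'bcrypt':
            return password_verify($plain, $stored);
        default:
            return false; // unknown tag: refuse rather than guess
    }
}

// Returns true on a correct password. On success, a legacy or outdated hash is
// replaced with a fresh bcrypt hash, which carries its own random salt.
function verify_and_upgrade(array &$users, $name, $plain) {
    if (!isset($users[$name])) {
        return false;
    }
    $row = &$users[$name];
    if (!check_hash($row['algo'], $plain, $row['userpass'])) {
        return false;
    }
    $stale = $row['algo'] !== 'bcrypt'
        || password_needs_rehash($row['userpass'], PASSWORD_BCRYPT);
    if ($stale) {
        // In the real module this would be the UPDATE on the `users` table.
        $row['userpass'] = password_hash($plain, PASSWORD_BCRYPT);
        $row['algo'] = 'bcrypt';
    }
    return true;
}

var_dump(verify_and_upgrade($users, 'alice', 'correct horse')); // legacy row, upgraded on success
var_dump($users['alice']['algo']);
var_dump(verify_and_upgrade($users, 'alice', 'wrong guess'));   // rejected, row unchanged
var_dump(verify_and_upgrade($users, 'alice', 'correct horse')); // now checked against bcrypt
```

Rows that never log in again keep their MD5 hash, so the upgrade only protects accounts that are actually used after the change.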


You didn't mention the db connection type & PHP version you will use for this enhanced version of the user registration page.

Assume the same as the default MCCodes v2... Not sure how saying "not enough" is constructive nor needed.


There is no word 'assumption' in programming. He has not explained whether a session hacking prevention feature is available or not. How would you say if he is correct?

Why would you hack a session in which the user hasn't even got an account at that point? You're being an ass, this is a register module not an engine or anything of the sort.


You didn't mention the db connection type & PHP version you will use for this enhanced version of the user registration page.

Well, let me answer your questions here. What is needed is MCC V2.0.5B, PHP >= 5.1.2. This uses the $db connection wrapper/class so if you think I'm going to write this using PDO you have another thing coming. So by default this uses mysql* so if you have a clone, for lack of a better term, of the said classes/wrappers you should be in good shape.

I know you <3 your PDO so much and all but would you care to explain to me why I would need to re-invent the wheel when modules for the most part should be plug and play to the best of the developers ability to do so? I will "assume" you have a PDO class set up already so if you did it right it should work just fine for you.


I'm not producing an argument here, I'm just stating that this is for MCC and that this doesn't come with an extra or custom mysql extension. It uses $db with query, fetch_row, fetch_single, and close. So there is nothing fancy here, so query security with bound parameters isn't there, but I did secure as I went along. As for session hijacking, that shouldn't be an issue because the important sessions are not started until you are logged in after registration. And this should work on pretty much any host that rarely updates their systems so there shouldn't be a problem about that.


no need for unnecessary argument.

Then why do you post short little messages that people have to reply to in order to find out what you mean?

 

If you weren't looking for an argument then you could have put your objections/questions in your first post. I don't think you had a point, you just ride the conversation as it goes.

 

You started with:

looks good but not enough

And in your last post you put:

i was just asking back there, so there is no need for unnecessary argument.

 

No, you weren't just asking.

+1 for that sir! Well said


looking good kyle :) have you got an estimated time for completion?

No, not yet. I'm trying to crack down on a class that I am taking because I'm a tad bit behind right now but after I finish that then it shouldn't be too long now.

All that is left really is the staff panel and a bug I encountered for some reason and can't find the definite root cause so I can't effectively troubleshoot it.


  • Does using try/catch give you any indicators?
  • Is error_reporting on?
  • Is it a logic flaw?
    • debug_print_backtrace();
      • Get ready for data. Lots of it.
    • Create process flow diagrams to give you visual aid, then profile the code


So I spotted my "bug" a bit after I wrote about it, which was an error on my part: I did a manual insert for a player and messed it up somehow, so that's all taken care of.

I am possibly going to make some changes since I pretty much have the staff panel completed for it. I mentioned before that everything will be done via the panel but I'm not too comfy with the fact of inserting raw HTML into the database for security reasons. For that I would need to write tons more code or use a pre-written library for it but it seems like too much overkill just for one module and one little part of the module.

So what I was thinking was, to make it still relatively easy to change the template I can make just a template file that people can use. And with that option it would actually allow me to expand on that even more by allowing the person to have multiple templates of their choice and select which one if they do decide to have more than one.


Can't remember specifically any game off the top of my head, but I've definitely seen better. You'll get $10 at best from this modification.

Well if it's for MCC games then most likely it's Cronus' player verification module which at the time was good but now quite outdated. My whole goal is to make the registration process a little bit more secure in regards to password protection. Albeit that MCC started using a salt to hash their passwords but it still uses an algorithm that no one should be using anymore to store passwords.

Now, has my system for that been done? I can't say for sure but MTG stated he does something similar but it's not exactly the same. And since I really don't know what algo game owners go with it's hard to say but this will let you change from one to the other without messing up current users when logging in. Which if you think about it would be safer because an exploiter won't really know what bit them if they do decide to get a hold of the user's password string because one can be sha*, one can be md5, etc.

Now just because you get an email saying to click this link to continue your registration or to activate your account doesn't necessarily mean they are using the same system as I am creating either, and I have even come across ones that let you login even if your account is not activated which completely defeats the purpose.

What this does is when a user registers they don't get inserted into the game until they are verified so this can help out with your game getting spammed or weeding out people that for some reason just sign up and never even log in.

I have showed a few people so far what I have and have gotten pretty positive feedback from them. Though, they are friends so they could just be being nice to me :p

So I hope this shed a bit more light on what this module is supposed to accomplish and I still don't have a set price but I will take that $10 into strong consideration. So if anyone has any more feedback it is welcome and also if you have any ideas as well.

as per me it should be more than $40
