Check My Registration Script

[Elivmar]

I just finished coding my registration script which I am hoping to use on my website. I was hoping someone could answer one question and also just take a look over the script.

My first question is my use of Regex. I tried to make it so that they can only use letters, numbers, and underscores in their name. So far the most I was able to do is make it so they can't have names like $%^&$^, but the problem i'm having is if they use a combination like Hello!@# it doesn't give the error. How can I fix this?

 

Also if someone can look over my script and tell me if it's secure enough to use on my website that would be appreciated too. Thanks .

NOTE: The script has a lot of notes all over so it's easy to read.

<html>
<?php
//CONNECT TO DB
mysql_connect("****","***","***") or die(mysql_error());
mysql_select_db("***") or die(mysql_error());
//CHECK IF USER HAS SUBMITTED THEIR INFO
if(isset($_POST['submit'])) {
//IF INFO IS SUBMITTED SETS INFO TO VARIABLES
$username = strtolower($_POST['username']);
$displayname = $_POST['displayname'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$email = strtolower($_POST['email']);
$month = $_POST['month'];
$day = $_POST['day'];
$year = $_POST['year'];
$birthdate = $month."-".$day."-".$year;
if (preg_match('/[0-9a-zA-z_]+/', $username)){
if (preg_match('/[0-9a-zA-z_]+/', $displayname)){
//SET QUERIES FOR USE OF CHECKS LATER
$checkusername = mysql_query("SELECT username FROM users WHERE username = '$username'") or die(mysql_error());
$checkdisplayname = mysql_query("SELECT displayname FROM users WHERE displayname = '$displayname'") or die(mysql_error());
$checkemail = mysql_query("SELECT email FROM users WHERE email = '$email'") or die(mysql_error());
//CHECK IF ANY FIELDS ARE NULL
if($username == '' || $displayname == ''|| $password == ''|| $password2 == ''|| $email == '') {
die("One of your fields were not filled out!");
}
//PASSWORDS MATCH
elseif($password != $password2) {
die("Your passwords did not match!");
}
//MAKE SURE FIELDS ARE LONG ENOUGH
elseif($username != strtolower($displayname)) {
die("Your username and display name should be the same! However your display name will be how your name is displayed, like showing capitals.");
}
elseif(strlen($username) < 3 || strlen($displayname) < 3 || strlen($email) < 5 || strlen($password) < 3) {
die("Either your username, displayname, email, or password were to short!");
}
//MAKE SURE USERNAME ISNT TAKEN
elseif(mysql_num_rows($checkusername) !== 0) {
die("That username is already in use!");
}
//MAKE SURE DN ISNT TAKEN
elseif(mysql_num_rows($checkdisplayname) !== 0) {
die("That Display name is already in use!");
}
//MAKE SURE EMAIL ISNT TAKEN
elseif(mysql_num_rows($checkemail) !== 0) {
die("That Email is already in use!");
}
//MAKES SURE INFO IS SECURE. CHECK SECURITY
elseif(htmlentities($email) != $email || mysql_real_escape_string($email) != $email || strip_tags($email) != $email || stripslashes($email) != $email) {
die("Please use proper characters! No HTML, PHP, etc...!");
}
//MAKES SURE THERE IS NO WHITE SPACE
elseif(trim($username) != $username || trim($displayname) != $displayname || trim($email) != $email) {
die("Please do not put any white space in your fields!");
}
else {
//GETS DATE AND ENCRYPTS PASSWORD
$currentdate = date("m/d/y"); 
$password3 = md5($password2);
//INSERTS INTO DB
mysql_query("INSERT INTO users (username, displayname, password, email, birthday, signedup, money, staff) VALUES('$username','$displayname','$password3','$email','$birthdate','$currentdate','100','no')") or die(mysql_error());
echo "Registered!<br><a href = 'index.php'>Home</a>";
}
}
//ERRORS FOR REGEX ABOVE
else {
die("Your display name can only contain Letters, Numbers, and Underscores");
}
}
else {
die("Your username can only contain Letters, Numbers, and Underscores");
}
}
//IF THEY HAVE NOT SUBMITTED THEIR DATA THIS ALLOWS THEM TO ENTER IT
else {
echo "<form action = 'register.php' method = 'post'>
Username:<input type = 'text' name = 'username'><br>
Display Name:<input type = 'text' name = 'displayname'><br>
Password:<input type = 'password' name = 'password'><br>
Re-Enter Password: <input type = 'password' name = 'password2'><br>
Email:<input type = 'text' name = 'email'><br>
Birthday:<select name = 'month'>
<option>January</option>
<option>February</option>
<option>March</option>
<option>April</option>
<option>May</option>
<option>June</option>
<option>July</option>
<option>August</option>
<option>September</option>
<option>October</option>
<option>November</option>
<option>December</option>
</select><select name = 'day'>";
$startday = '1';
while($startday < 32) {
echo "<option>".$startday."</option>";
$startday = $startday + 1;
}
echo "</select><select name = 'year'>";
$startyear = '1920';
while($startyear < 2004) { 
echo "<option>".$startyear."</option>";
$startyear = $startyear + 1;
}
echo "</select><br>
<input type = 'submit' name = 'submit' value = 'register'>
</form>";
}
?>
</html>

And you can test the script at http://mattgib.heliohost.org/register.php.

Also not sure if it will still be there when you look at it but theres some PHP errors at the top but they appear to be part of the ads on top and not my script.

[ShannenName]

This is what I would do to check if passwords are the same

else if($_POST['password'] != $_POST['password2'])

and try this to encrypt the password

md5('{$_POST['password']}')

That's what I would use anyway...If it doesn't work turn it back

[naynesh]

How long did it take you to learn the script.

[ShannenName]

Me or Elivmar, it didn't take me long