
ajayrandhawa / user-management-php-mysql


PHP User Management System is a powerful PHP script that offers a secure user management system. The application is a great way to build your website, allowing your users to register an account and letting you restrict access to certain users. We offer great support and it's very easy to install. It's powered by MySQL and PHP.

PHP 21.44% CSS 9.41% JavaScript 62.00% Hack 0.47% Less 6.68%
user management-system php mysql-database usermanagementsystem advanced bootstrap cms content-management-system


user-management-php-mysql's Issues

ADMIN ISSUE

AFTER SIGNUP THERE IS NOTHING SHOWN IN ADMIN USER LIST FOR APPROVAL

Send Password

Hello, I tried to use this script, but in the case of forgot password it is not possible for me to find the send password script.
Can someone help me please?

Selami Ersoy ([email protected])

images folder

Nice code. You omitted the images folder in the core code. This echoes a few errors on sign up and renders picture upload ineffective. Simply creating the images folder solves the issue.

User Groups

Hi, has anyone implemented user groups with this platform?

Wonder why you bother using a header file

when every single page has a header of its own,
while you could use child sections and various includes to keep your code streamlined and well documented.

Authorization

Hi, I have one request for you: is it possible to add other authorizations? And the possibility to change authorization in the admin panel? Now we have admin and general user; can you add other users and cookies? Thank you for helping me.

Client Side Vulnerability

I wouldn't recommend using this script without taking a good look at the source code. The passwords are hashed using SHA-1 and, to top it all off, the registration page has a vulnerability that lets anyone register as admin.
<input type="hidden" name="roleid" value="3" class="form-control">

The roleid value attribute can be changed with dev tools and the form is submitted with that id; I was able to register as an admin.
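The defensive counterpart to the hidden roleid field above, as an added example that is not part of the project or of this issue: a registration handler that assigns the role on the server and treats any client-supplied roleid as a signal to log, never as input. The table and column names, the role constant (3 taken from the hidden field in the post) and the hypothetical registerUser() name are assumptions.

```php
<?php
// Added example, not the project's code: server-side registration that ignores
// any roleid the browser sends. Table/column names and the role value are assumed.
declare(strict_types=1);

const ROLE_GENERAL_USER = 3;   // assumed: the value the hidden field used to carry

function registerUser(PDO $dbh, array $post, array $server): int
{
    // A posted roleid is evidence of tampering, not an input: record it and ignore it.
    if (isset($post['roleid'])) {
        error_log(sprintf('register: client supplied roleid=%s from %s',
            (string)$post['roleid'], $server['REMOTE_ADDR'] ?? 'unknown'));
    }

    $name  = trim((string)($post['name'] ?? ''));
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $pass  = (string)($post['password'] ?? '');
    if ($name === '' || $email === false || strlen($pass) < 8) {
        throw new InvalidArgumentException('invalid registration data');
    }

    // The role is fixed here; promotion happens only through the admin panel.
    $stmt = $dbh->prepare(
        'INSERT INTO users (name, email, password, roleid)
         VALUES (:name, :email, :password, :roleid)'
    );
    $stmt->execute([
        ':name'     => $name,
        ':email'    => $email,
        ':password' => password_hash($pass, PASSWORD_DEFAULT),
        ':roleid'   => ROLE_GENERAL_USER,
    ]);
    return (int)$dbh->lastInsertId();
}

// In register.php (assumed wiring):
// $newId = registerUser($dbh, $_POST, $_SERVER);
```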

signup fails

When attempting to create a new account via the signup link, it fails to create the user in the MySQL database. The admin gets the message via notification.

Remote code execution as www-data

Synopsis

I have discovered multiple remote code execution vulnerabilities in the following files.

register.php
profile.php
admin/edit-user.php
feedback.php

These vulnerabilities would allow an attacker to gain a foothold shell as www-data.

Proof of concept

Exploitation walkthrough can be found here:
https://palioxss.com/projects/exploit1.html

Technical summary

/register.php fails to properly handle file extension sanitization, allowing an attacker to upload a php file.

    <script type="text/javascript">
        // Client-side extension check only; the server does not re-validate the file.
        function validate()
        {
            var extensions = new Array("jpg", "jpeg");
            var image_file = document.regform.image.value;
            var image_length = image_file.length;
            var pos = image_file.lastIndexOf('.') + 1;
            var ext = image_file.substring(pos, image_length);
            var final_ext = ext.toLowerCase();
            for (var i = 0; i < extensions.length; i++)
            {
                if (extensions[i] == final_ext)
                {
                    return true;
                }
            }
            alert("Image Extension Not Valid (Use Jpg,jpeg)");
            return false;
        }
    </script>

The above code is run client-side, so it can be bypassed by editing the request manually.

profile.php, admin/edit-user.php and feedback.php do not implement any form of file sanitization at all. This would allow an attacker to simply click "upload" and select their php file.
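The server-side check that the four files above lack, as an added example that is not part of the project or of this issue: the file type is decided from content, the stored name and extension are chosen by the server, and the original filename never reaches disk. The hypothetical storeProfileImage() name, the 2 MiB limit and the images/ path are assumptions.

```php
<?php
// Added example, not the project's code: server-side validation of the profile
// image upload, to replace the client-side extension check quoted above.
declare(strict_types=1);

// Validates one entry of $_FILES and moves it into $uploadDir.
// Returns the server-chosen file name; throws on any problem.
function storeProfileImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    if ($file['size'] > 2 * 1024 * 1024) {                 // assumed 2 MiB limit
        throw new RuntimeException('file too large');
    }
    // Type comes from the file content, never from the client-supplied name or type.
    $mime    = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a JPEG or PNG image');
    }
    // Random name plus server-chosen extension: nothing from the original name survives.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

// In register.php (field name "image" as in the form above; path assumed):
// $image = storeProfileImage($_FILES['image'], __DIR__ . '/images');
```

Pair this with a web-server rule that disables script execution in the upload directory (for Apache with mod_php, `php_admin_flag engine off` for that directory), so that a validation gap never becomes code execution.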

Licence

Hey,

thx for this. This is awesome! I want to ask if there is any license on it, or do I have to leave your footer on it?

sry for my bad English, I am not a native speaker O_O

Yours

Julian

Unsafe password storage

Hi there,

You are saving the passwords as a plain MD5 hash. That used to be "OK", but since people have been building giant rainbow tables it isn't anymore.
I could simply revert the admin password hash using this website.

If there are any users of your lib (and it seems there are), it would be nice if they weren't using this unsafe form of password storage.
Use a hash, and use a better hashing algorithm.

Further reading: https://www.php.net/manual/en/faq.passwords.php

Thanks for creating this, it looks pretty good!

Koen
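The migration path the report above implies, as an added example that is not part of the project or of this issue: logins are checked with password_verify(), and a row that still holds a legacy unsalted MD5 hash is rewritten with password_hash() the next time its owner logs in successfully. The table and column names and the hypothetical verifyPassword()/login() names are assumptions.

```php
<?php
// Added example, not the project's code: verify logins against password_hash()
// output and transparently upgrade rows that still hold a legacy unsalted MD5.
declare(strict_types=1);

function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// Returns true when $password matches $stored (the users.password value).
// On success $upgraded receives a new hash if the row should be rewritten.
function verifyPassword(string $password, string $stored, ?string &$upgraded): bool
{
    $upgraded = null;
    if (isLegacyMd5($stored)) {
        // Constant-time compare against the legacy scheme, then retire it.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $upgraded = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upgraded = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function login(PDO $dbh, string $email, string $password): bool
{
    $stmt = $dbh->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Do the same hashing work for unknown users so response time leaks nothing.
    $stored = $row['password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!verifyPassword($password, $stored, $upgraded) || $row === false) {
        return false;
    }
    if ($upgraded !== null) {
        $up = $dbh->prepare('UPDATE users SET password = :p WHERE id = :id');
        $up->execute([':p' => $upgraded, ':id' => $row['id']]);
    }
    return true;
}
```

Once every active user has logged in at least once, any remaining 32-hex rows belong to dormant accounts and can be forced through a password reset rather than kept in the old format.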

Error: SQLSTATE[HY000] [2002] Connection refused

After starting my MAMP server, I created a new database and imported the database.sql file successfully, and I put the work in the htdocs folder. When running in the Chrome browser, it gives me this error: "Error: SQLSTATE[HY000] [2002] Connection refused"

It works fine in XAMPP, but not on the server.

The notification part is registering perfectly.
// Notification insert: this statement works.
$sqlnoti = "insert into notification (notiuser,notireciver,notitype) values (:notiuser,:notireciver,:notitype)";
$querynoti = $dbh->prepare($sqlnoti);
$querynoti->bindParam(':notiuser', $sender, PDO::PARAM_STR);
$querynoti->bindParam(':notireciver', $reciver, PDO::PARAM_STR);
$querynoti->bindParam(':notitype', $notitype, PDO::PARAM_STR);
$querynoti->execute();

The user part is not registering.
// User insert: this statement does not create the row.
$sql = "INSERT INTO users(name,email, password, gender, mobile, designation, image, status) VALUES(:name, :email, :password, :gender, :mobileno, :designation, :image, 1)";
$query = $dbh->prepare($sql);
$query->bindParam(':name', $name, PDO::PARAM_STR);
$query->bindParam(':email', $email, PDO::PARAM_STR);
$query->bindParam(':password', $password, PDO::PARAM_STR);
$query->bindParam(':gender', $gender, PDO::PARAM_STR);
$query->bindParam(':mobileno', $mobileno, PDO::PARAM_STR);
$query->bindParam(':designation', $designation, PDO::PARAM_STR);
$query->bindParam(':image', $image, PDO::PARAM_STR);
$query->execute();
$lastInsertId = $dbh->lastInsertId();
if($lastInsertId)

After signup it gives "Registration Sucessfull!"
but the user database remains empty.
