MutantJohn

Members, 46 posts. Rank: Newbie (1/5). Reputation: 0.

  1. That's amazing advice O_o Thank you for taking the time to write all of that. That's... really, really awesome! Thank you!
  2. Yeah, it's great to see some code that I can use as a reference. I'm digging some of the approaches and it's changing how I'm coding up my application. I know it's silly to design a login system when there's more sophisticated tools out there but this is a really good learning experience for me.
  3. There's also this : http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
  4. Huh, okay. Cool. This is some really helpful stuff! Also, I'm loving all the HTML5 features you included! This website is going to look so modern now! I can't thank you guys enough!
  5. One thing I really like is how you condensed it all down to just one page. One question though, why are you filtering out the underscores from the username? Is it for security reasons or aesthetic?
  6. Holy crap, dude O_o I'm going to have to take my time and really comb through that. And yeah, I finally caught that error with the password_hash() thing XD Edit : Your PHP is a pleasure to read, actually. Very interesting approach. I dig it. I was also going to save the CSS and JS for the end but thank you for taking the time to draft something up.
  7. Are you sure your PHP matches you command-line SQL? Also, I recommend using PHP's PDO instead of the mysql stuff.
  8. Hey all, I'm writing a small user registration page in MySQL and, of course, PHP. I'm wondering if someone would like to take a look and tell me if there's something obvious I'm missing or something I just did completely wrong. Here are the pages :

register.html

```html
<!DOCTYPE html>
<html>
<head>
<title>ditacms User Registration</title>
</head>
<body>
<p>Complete the registration form below</p>
<form method="post" action="register.php" id="registration_form">
    <label>Username : </label>
    <input type="text" name="username" />
    <br/>
    <label>Email : </label>
    <input type="text" name="email" value="" />
    <br/>
    <label>Password : </label>
    <input type="text" name="password" value="" />
    <br/>
    <label>Re-Type Password : </label>
    <input type="text" name="confirm_password" value="" />
    <br/>
</form>
<!-- the form="" attribute ties this button to the form above (HTML5) -->
<button type="submit" form="registration_form">Register</button>
</body>
</html>
```

register.php

```php
<!DOCTYPE html>
<html>
<head>
<title>Registration Processing</title>
</head>
<body>
<?php
define( "EOL", "<br />\n" );

// data source name
define( "DSN", "mysql:host=localhost;dbname=ditacms;charset=utf8" );
define( "USER", "account_creator" );
define( "PASSWORD", "UrsaOwnsRoshan" );

function db_connect() {
    try {
        $db = new PDO( DSN, USER, PASSWORD );
    } catch( PDOException $ex ) {
        // echo $ex->getMessage();
        // echo $ex->getTraceAsString();
        echo "Attempt to connect to database failed!" . EOL;
        exit();
    }
    return $db;
}

function verify_post_register_params() {
    // "?? ''" avoids an undefined-index notice when a field is missing from the POST
    $username         = $_POST[ "username" ] ?? "";
    $email            = $_POST[ "email" ] ?? "";
    $password         = $_POST[ "password" ] ?? "";
    $confirm_password = $_POST[ "confirm_password" ] ?? "";

    // if the user left any field blank...
    if ( empty( $username ) || empty( $email ) || empty( $password ) || empty( $confirm_password ) ) {
        echo "Empty field found in form submission!" . EOL;
        echo "Please complete the form." . EOL;
        return false;
    }

    // if the passwords do not exactly match...
    if ( strcmp( $password, $confirm_password ) !== 0 ) {
        echo "Password mismatch!";
        return false;
    }

    $username = filter_var( $username, FILTER_SANITIZE_STRING );
    $email    = filter_var( $email, FILTER_SANITIZE_EMAIL );
    $password = filter_var( $password, FILTER_SANITIZE_STRING );

    if ( $username === false || $email === false || $password === false ) {
        echo "Sanitization failed! Potential attack!!!" . EOL;
        return false;
    }

    if ( filter_var( $email, FILTER_VALIDATE_EMAIL ) === false ) {
        echo "Invalid email address!" . EOL;
        return false;
    }

    $register = array(
        "username" => $username,
        "email"    => $email,
        "password" => $password
    );
    return $register;
}

function user_exists( $db, $username ) {
    // prepared statement: the username is bound, never concatenated into the SQL
    $query = $db->prepare( "SELECT username FROM `ditacms`.`members` WHERE username = :username" );
    $query->bindValue( ":username", $username, PDO::PARAM_STR );
    $query->execute();
    $rows = $query->fetchAll( PDO::FETCH_ASSOC );

    // if the rows returned are empty, the user
    // does NOT exist so return false
    if ( empty( $rows ) === true ) {
        return false;
    }
    // if the rows returned are NOT empty, the
    // user DOES exist so return true
    else {
        echo "A user with that username already exists!" . EOL;
        return true;
    }
}

function create_new_user( $db, $username, $email, $password ) {
    echo "Creating new user..." . EOL;
    $insert = $db->prepare( "INSERT INTO `ditacms`.`members` (username, email, password) VALUES(:username, :email, :password)" );

    // hash the submitted password (the original read password_hash( $hash, ... ),
    // hashing an undefined variable instead of $password)
    $hash = password_hash( $password, PASSWORD_DEFAULT );

    $insert->bindValue( ":username", $username, PDO::PARAM_STR );
    $insert->bindValue( ":email", $email, PDO::PARAM_STR );
    $insert->bindValue( ":password", $hash, PDO::PARAM_STR );

    if ( $insert->execute() === false ) {
        echo "Insertion failure..." . EOL;
        return false;
    } else {
        echo "Successfully registered new account!" . EOL;
        return true;
    }
}

/*
 * main() loop
 */
echo "<p>Processing user registration request...</p>";
$register = verify_post_register_params();
if ( $register === false ) {
    echo "Bad POST parameters. Exiting script..." . EOL;
} else {
    $db = db_connect();
    // if the user does NOT exist, create one
    if ( user_exists( $db, $register[ "username" ] ) === false ) {
        create_new_user( $db, $register[ "username" ], $register[ "email" ], $register[ "password" ] );
    }
}
?>
<a href="/ditacms.com/register.html">Return to registration page</a>
<br />
<a href="/ditacms.com/">Return to homepage</a>
</body>
</html>
```
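The registration script above hashes on insert but never shows the other half of the flow, so here is an added example (not MutantJohn's code, and not from any project on this page) of register and login against the thread's `members` table using PDO prepared statements, `password_hash()` on the plaintext password, and `password_verify()` on login. It assumes a `members` table with an `id` column and a UNIQUE index on `username`; the DSN and credentials are placeholders.

```php
<?php
// Added example: PDO registration + login with password_hash()/password_verify().
// Assumed schema: members(id INT PRIMARY KEY, username UNIQUE, email, password).
declare(strict_types=1);

function db_connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=ditacms;charset=utf8mb4',
        'account_creator',
        'REPLACE_WITH_REAL_PASSWORD',   // placeholder, not a real credential
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Hash the plaintext password exactly as submitted. Do not run it through
// FILTER_SANITIZE_*: that silently changes what gets hashed.
function register_user(PDO $db, string $username, string $email, string $password): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // With a UNIQUE index the duplicate check is race-free: just try the INSERT
    // and treat a constraint violation as "already exists".
    $stmt = $db->prepare(
        'INSERT INTO members (username, email, password) VALUES (:u, :e, :p)'
    );
    try {
        $stmt->execute([':u' => $username, ':e' => $email, ':p' => $hash]);
    } catch (PDOException $ex) {
        if ($ex->getCode() === '23000') {   // SQLSTATE: integrity constraint violation
            return false;
        }
        throw $ex;
    }
    return true;
}

// Returns the user id on success, null on failure.
function login_user(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();

    // Verify against a dummy hash when the username is unknown, so the response
    // time does not reveal which usernames exist.
    $stored = $row['password'] ?? password_hash('dummy-placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $stored) || $row === false) {
        return null;
    }

    // Transparently upgrade hashes when PASSWORD_DEFAULT's algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE members SET password = :p WHERE id = :id');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Usage (after the form fields have been checked for presence and a matching confirm):
// $db = db_connect();
// register_user($db, $_POST['username'], $_POST['email'], $_POST['password']);
// $userId = login_user($db, $_POST['username'], $_POST['password']);
```

Error mode `ERRMODE_EXCEPTION` is what makes the duplicate-key branch work; with the default silent mode the INSERT would just return false and the cause would be lost.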
  9. I've been doing a lot more research since making this topic and I gotta say, it's scary what people can do O_o I've heard even the MIME type stuff can be faked. I've seen some tips that a good handle on the permission system is a good idea. For example, removing the executable permission. This is for a Linux server, btw. I've also heard that it's best to move uploaded files to something not in the web root and that you should also store the files with a randomly generated name and use a database to map the random name to the "real" name and this way, I can create another script that'll serve the files how I specify. Is there any merit to this?
  10. Hey everyone, I'm trying to create a way for users to upload files to the server but I'm kind of a web development noob so I was wondering, does anyone know how to make sure users don't just destroy everything? I've figured I can check the upload extension and use a whitelist to ensure proper extensions (so no PHP file or binary uploads). But aside from basic stuff like checking the file size and extension, what else should I be wary of?
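The two upload posts above (the extension allow-list question, and the follow-up about storing files outside the web root under a random name with a database mapping and a separate serving script) describe one design, so here is an added example of it in PHP. It is not MutantJohn's code or any project's code: the `uploads` table, the storage directory path and the `$db` PDO handle are assumptions.

```php
<?php
// Added example: upload handler + download script for the design discussed above.
// Assumed: table uploads(id, stored_name, original_name, mime, owner_id), a PDO
// connection $db, and a storage directory that is NOT under DocumentRoot.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/ditacms_uploads';   // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;

// Allow-list keyed by extension; the value is the MIME type the file CONTENT must have.
const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// Returns the random stored name on success, null if the upload is rejected.
function store_upload(PDO $db, array $file, int $ownerId): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    // The extension from the client-supplied name is only a hint...
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // ...the real check is on the bytes, not on $_FILES['type'], which the client sets.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Random name: nothing user-controlled ever reaches the filesystem path.
    $storedName = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $storedName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // readable by the web server, never executable

    $stmt = $db->prepare(
        'INSERT INTO uploads (stored_name, original_name, mime, owner_id)
         VALUES (:s, :o, :m, :w)'
    );
    $stmt->execute([
        ':s' => $storedName,
        ':o' => basename($file['name']),
        ':m' => $mime,
        ':w' => $ownerId,
    ]);
    return $storedName;
}

// download.php?id=123 : the file is looked up by database id, never by a user-supplied path.
function serve_upload(PDO $db, int $id, int $requesterId): void
{
    $stmt = $db->prepare(
        'SELECT stored_name, original_name, mime, owner_id FROM uploads WHERE id = :id'
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['owner_id'] !== $requesterId) {
        http_response_code(404);   // same answer for "missing" and "not yours"
        return;
    }
    $path = UPLOAD_DIR . '/' . $row['stored_name'];
    // Keep the download name to a safe character set for the header.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);

    // Send the MIME type recorded at upload time and forbid sniffing, so the
    // browser cannot reinterpret an "image" as HTML/script.
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage (assumes the session/login check has already been done):
// $name = store_upload($db, $_FILES['upload'], (int) $_SESSION['user_id']);
// serve_upload($db, (int) ($_GET['id'] ?? 0), (int) $_SESSION['user_id']);
```

Because the files live outside the web root, the web server can never execute or directly serve them; the only way to reach one is through `serve_upload()`, which is where the ownership check and the `nosniff` header belong.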
  11. Are you not able to just type the anchor tag out manually in your print/echo statements? Like <a href="...