
MutantJohn

Members
Posts: 46
Achievements: Newbie (1/5)
Reputation: 0

  1. That's amazing advice O_o Thank you for taking the time to write all of that. That's... really, really awesome! Thank you!
  2. Yeah, it's great to see some code that I can use as a reference. I'm digging some of the approaches and it's changing how I'm coding up my application. I know it's silly to design a login system when there are more sophisticated tools out there but this is a really good learning experience for me.
  3. There's also this: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
  4. Huh, okay. Cool. This is some really helpful stuff! Also, I'm loving all the HTML5 features you included! This website is going to look so modern now! I can't thank you guys enough!
  5. One thing I really like is how you condensed it all down to just one page. One question though, why are you filtering out the underscores from the username? Is it for security reasons or aesthetics?
  6. Holy crap, dude O_o I'm going to have to take my time and really comb through that. And yeah, I finally caught that error with the password_hash() thing XD Edit: Your PHP is a pleasure to read, actually. Very interesting approach. I dig it. I was also going to save the CSS and JS for the end but thank you for taking the time to draft something up.
  7. Are you sure your PHP matches your command-line SQL? Also, I recommend using PHP's PDO instead of the mysql stuff.
  8. Hey all, I'm writing a small user registration page in MySQL and, of course, PHP. I'm wondering if someone would like to take a look and tell me if there's something obvious I'm missing or something I just did completely wrong. Here are the pages:

register.html

```html
<!DOCTYPE html>
<html>
<head>
<title>ditacms User Registration</title>
</head>
<body>
<p>Complete the registration form below</p>
<form method="post" action="register.php" id="registration_form">
<label>Username : </label>
<input type="text" name="username" />
<br/>
<label>Email : </label>
<input type="text" name="email" value="" />
<br/>
<label>Password : </label>
<input type="text" name="password" value="" />
<br/>
<label>Re-Type Password : </label>
<input type="text" name="confirm_password" value="" />
<br/>
</form>
<button type="submit" form="registration_form">Register</button>
</body>
</html>
```

register.php

```php
<!DOCTYPE html>
<html>
<head>
<title>Registration Processing</title>
</head>
<body>
<?php
define( "EOL", "<br />\n" );

// data source name
define( "DSN", "mysql:host=localhost;dbname=ditacms;charset=utf8" );
define( "USER", "account_creator" );
define( "PASSWORD", "UrsaOwnsRoshan" );

function db_connect() {
    try {
        $db = new PDO( DSN, USER, PASSWORD );
    } catch( PDOException $ex ) {
        // echo $ex->getMessage();
        // echo $ex->getTraceAsString();
        echo "Attempt to connect to database failed!" . EOL;
        exit();
    }
    return $db;
}

function verify_post_register_params() {
    $username = $_POST[ "username" ];
    $email = $_POST[ "email" ];
    $password = $_POST[ "password" ];
    $confirm_password = $_POST[ "confirm_password" ];

    // if the user left any field blank...
    if ( empty( $username ) || empty( $email ) || empty( $password ) || empty( $confirm_password ) ) {
        echo "Empty field found in form submission!" . EOL;
        echo "Please complete the form." . EOL;
        return false;
    }

    // if the passwords do not exactly match...
    if ( strcmp( $password, $confirm_password ) !== 0 ) {
        echo "Password mismatch!";
        return false;
    }

    $username = filter_var( $username, FILTER_SANITIZE_STRING );
    $email = filter_var( $email, FILTER_SANITIZE_EMAIL );
    $password = filter_var( $password, FILTER_SANITIZE_STRING );

    if ( $username === false || $email === false || $password === false ) {
        echo "Sanitization failed! Potential attack!!!" . EOL;
        return false;
    }

    if ( filter_var( $email, FILTER_VALIDATE_EMAIL ) === false ) {
        echo "Invalid email address!" . EOL;
        return false;
    }

    $register = array( "username" => $username, "email" => $email, "password" => $password );
    return $register;
}

function user_exists( $db, $username ) {
    $query = $db->prepare( "SELECT username FROM `ditacms`.`members` WHERE username = :username" );
    $query->bindValue( ":username", $username, PDO::PARAM_STR );
    $query->execute();
    $rows = $query->fetchAll( PDO::FETCH_ASSOC );

    // if the rows returned are empty, the user
    // does NOT exist so return false
    if ( empty( $rows ) === true ) {
        return false;
    }
    // if the rows returned are NOT empty, the
    // user DOES exist so return true
    else {
        echo "A user with that username already exists!" . EOL;
        return true;
    }
}

function create_new_user( $db, $username, $email, $password ) {
    echo "Creating new user..." . EOL;
    $insert = $db->prepare( "INSERT INTO `ditacms`.`members` (username, email, password) VALUES(:username, :email, :password)" );
    // NOTE: $hash is undefined on the right-hand side, so $password itself is never
    // hashed; this is the password_hash() error the author mentions in another post on this page
    $hash = password_hash( $hash, PASSWORD_DEFAULT );
    $insert->bindValue( ":username", $username, PDO::PARAM_STR );
    $insert->bindValue( ":email", $email, PDO::PARAM_STR );
    $insert->bindValue( ":password", $hash, PDO::PARAM_STR );
    if ( $insert->execute() === false ) {
        echo "Insertion failure..." . EOL;
        return false;
    } else {
        echo "Successfully registered new account!" . EOL;
        return true;
    }
}

/*
 * main() loop
 */
echo "<p>Processing user registration request...</p>";
$register = verify_post_register_params();
if ( $register === false ) {
    echo "Bad POST parameters. Exiting script..." . EOL;
} else {
    $db = db_connect();
    // if the user does NOT exist, create one
    if ( user_exists( $db, $register[ "username" ] ) === false ) {
        create_new_user( $db, $register[ "username" ], $register[ "email" ], $register[ "password" ] );
    }
}
?>
<a href="/ditacms.com/register.html">Return to registration page</a>
<br />
<a href="/ditacms.com/">Return to homepage</a>
</body>
</html>
```
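A hardened version of the registration handler from the post above, written here as an added example (it is not the poster's code nor the code other members drafted for him). It keeps the same `members` table and PDO setup but hashes the submitted password rather than an undefined variable, validates the username against a whitelist pattern instead of stripping characters afterwards (underscores are allowed here, a policy choice), never "sanitizes" the password (altering the bytes a user typed would make the stored hash useless), lets PDO throw on errors, and relies on a UNIQUE index on `username` (assumed to exist) because a SELECT-then-INSERT check races with a concurrent request. The database credentials are placeholders.

```php
<?php
// Added example, not the original poster's code. Assumes a `members` table
// with a UNIQUE index on username; credentials below are placeholders and
// in practice belong in a config file outside the web root.
declare(strict_types=1);

const DSN         = 'mysql:host=localhost;dbname=ditacms;charset=utf8mb4';
const DB_USER     = 'account_creator';
const DB_PASSWORD = 'CHANGE-ME';   // placeholder

function db_connect(): PDO
{
    // Throw on errors instead of returning false from execute(), and bind
    // parameters server-side rather than through emulated prepares.
    return new PDO(DSN, DB_USER, DB_PASSWORD, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/** Validate the POSTed fields; returns a list of error messages (empty on success). */
function validate_registration(array $post): array
{
    $errors   = [];
    $username = (string) ($post['username'] ?? '');
    $email    = (string) ($post['email'] ?? '');
    $password = (string) ($post['password'] ?? '');
    $confirm  = (string) ($post['confirm_password'] ?? '');

    // Whitelist the username shape instead of filtering characters out afterwards.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors[] = 'Username must be 3-32 characters: letters, digits or underscore.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address.';
    }
    // The 12-byte floor is a policy choice; bcrypt only uses the first 72 bytes.
    if (strlen($password) < 12 || strlen($password) > 72) {
        $errors[] = 'Password must be between 12 and 72 bytes.';
    }
    if ($password !== $confirm) {
        $errors[] = 'Passwords do not match.';
    }
    return $errors;
}

/** Insert the user; returns false when the username is already taken. */
function create_user(PDO $db, string $username, string $email, string $password): bool
{
    // Hash the password itself. PASSWORD_DEFAULT embeds a per-user random salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO members (username, email, password) VALUES (:username, :email, :password)'
    );
    try {
        $stmt->execute([':username' => $username, ':email' => $email, ':password' => $hash]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation, i.e. the UNIQUE index fired.
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

/** Later, at login: compare against the stored hash, never against plaintext. */
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_registration($_POST);
    if ($errors !== []) {
        foreach ($errors as $msg) {
            // Escape before echoing so nothing user-controlled is reflected as HTML.
            echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . "<br>\n";
        }
        exit;
    }
    $db = db_connect();
    $ok = create_user($db, $_POST['username'], $_POST['email'], $_POST['password']);
    echo $ok ? 'Successfully registered new account!' : 'A user with that username already exists!';
}
```

Two things worth noting against the original: the form's password inputs should also be `type="password"` so the browser masks them, and `FILTER_SANITIZE_STRING` is deprecated as of PHP 8.1, which is one more reason to validate shape rather than rewrite input.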
  9. I've been doing a lot more research since making this topic and I gotta say, it's scary what people can do O_o I've heard even the MIME type stuff can be faked. I've seen some tips that a good handle on the permission system is a good idea. For example, removing the executable permission. This is for a Linux server, btw. I've also heard that it's best to move uploaded files to something not in the web root and that you should also store the files with a randomly generated name and use a database to map the random name to the "real" name and this way, I can create another script that'll serve the files how I specify. Is there any merit to this?
  10. Hey everyone, I'm trying to create a way for users to upload files to the server but I'm kind of a web development noob so I was wondering, does anyone know how to make sure users don't just destroy everything? I've figured I can check the upload extension and use a whitelist to ensure proper extensions (so no PHP file or binary uploads). But aside from basic stuff like checking the file size and extension, what else should I be wary of?
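An upload handler that puts the measures from posts 9 and 10 together, added here as an example (not the poster's code): extension whitelist, size limit, content sniffing with `finfo` because the client-supplied MIME type can be faked, a random name with no extension, storage outside the web root with the executable bit never set, a database row mapping the random name back to the display name, and a download script as the only way the bytes ever leave that directory. The upload directory path, the `uploads` table layout and the `owner_id` column are assumptions for the example.

```php
<?php
// Added example, not the original poster's code. Assumptions: uploads live in
// /var/ditacms/uploads (outside DocumentRoot) and a table
// uploads(id, owner_id, stored_name, original_name, mime, size) exists.
declare(strict_types=1);

const UPLOAD_DIR = '/var/ditacms/uploads';   // assumption: not web-reachable
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowed extensions mapped to the MIME types the *bytes* must sniff as.
const ALLOWED = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'pdf'  => ['application/pdf'],
];

/** Returns [true, sniffedMime] or [false, reason]. */
function validate_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed with error code ' . (int) ($file['error'] ?? -1)];
    }
    if ((int) $file['size'] > MAX_BYTES) {
        return [false, 'File too large'];
    }
    // The client name is used only to choose the whitelist entry, never as a path.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, 'Extension not allowed'];
    }
    // $file['type'] comes from the client and is trivially forged; sniff the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return [false, 'File content does not match its extension'];
    }
    return [true, $mime];
}

/** Store a validated upload and return its database id. */
function store_upload(PDO $db, array $file, int $owner_id): int
{
    [$ok, $info] = validate_upload($file);
    if (!$ok) {
        throw new RuntimeException($info);
    }
    // Random name with no extension: nothing on disk looks executable or servable.
    $stored = bin2hex(random_bytes(16));
    $dest   = UPLOAD_DIR . '/' . $stored;
    // move_uploaded_file() refuses paths that were not produced by this request's upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    chmod($dest, 0640);   // readable by the web user, never executable

    $stmt = $db->prepare(
        'INSERT INTO uploads (owner_id, stored_name, original_name, mime, size)
         VALUES (:owner, :stored, :orig, :mime, :size)'
    );
    $stmt->execute([
        ':owner'  => $owner_id,
        ':stored' => $stored,
        ':orig'   => (string) $file['name'],   // display only, never used as a path
        ':mime'   => $info,
        ':size'   => (int) $file['size'],
    ]);
    return (int) $db->lastInsertId();
}

/** download.php?id=N : serve a file the viewer owns, forcing a download. */
function serve_upload(PDO $db, int $id, int $viewer_id): void
{
    $stmt = $db->prepare('SELECT * FROM uploads WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $viewer_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $row['stored_name'];
    // Strip anything that could break the header, and force attachment so the
    // browser never renders the content inline in this site's origin.
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safe_name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The split between `store_upload` and `serve_upload` is the point of the "random name plus database map" advice: the web server never has a URL that maps onto the upload directory, so whatever was uploaded can only be fetched through the script, with an ownership check and with headers that tell the browser to download rather than interpret it.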
  11. Are you not able to just type the anchor tag out manually in your print/echo statements? Like <a href="...
  12. Okay one thing, every time I put "../" anywhere in the URL, the PHP script doesn't seem to get called. For example, if I try /ditacms.com/users/christian/.., the PHP script seems to be ignored and I'm brought back to /ditacms.com/users/christian Is there a way to prevent that? Because I tried the code you posted and it doesn't seem to be working... It's like the path is resolved by the server before the PHP script is even invoked.
  13. Holy poop, I'm so sorry I didn't see your reply! I'm going to read it very carefully and try to absorb all that info because it looks really legit. Seriously, thank you. I'm such a baby web developer it hurts sometimes.
  14. Ah, yes. I think I just suck at Apache XD Okay, here's the whole shebang: I'm using the basic LAMP stack because I'm stuck in 1974. I have a site in my web server directory. The root folder is ditacms.com. In ditacms.com, I have my-awesome-php-script.php and a .htaccess file that looks like this: DirectoryIndex index.html my-awesome-php-script.php ditacms.com also contains a "users" directory which, guess what, contains a list of user directories and files therein. No other sub-folder of ditacms.com contains an index.html file so instead, the PHP script is called. I'm trying to use this PHP script to generate the index listing. I want one awesome PHP script to handle all the building of the indexes and I only want this file to exist in one place. So I was using REQUEST_URI but it kept giving me this if I were to click a link to the users directory from the home index.html page from the site's root directory: /ditacms.com/users/ (I can't remember if there was a slash at the end or not) PHP kept telling me this directory didn't exist. I think this is because the script is seeing everything from where it's located. So I suck at the rewrite module for Apache so I decided to re-write the URI using PHP and the explode() function. That's why there's 3 items, because it's split twice (the first slash and then second). Using this, I just rewrite the URI to be this instead: ./users This works. And it also works for further nested directories because I've limited the number of explosions. I think this isn't the most elegant but it works.
  15. Oh... Omg. Do I literally fix this with a urldecode() call?
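The single index-generating script discussed in posts 12, 14 and 15, written here as an added example (not the poster's script nor the code another member posted for him). Instead of splitting `REQUEST_URI` with `explode()` and trusting whatever is left, it percent-decodes the path (the `urldecode()` point from post 15), maps it onto the filesystem, and then asks `realpath()` where that actually lands, rejecting anything that does not stay under the site root. That check holds regardless of whether the web server has already collapsed `..` segments before PHP runs. The site root directory and URL prefix are assumptions for the example.

```php
<?php
// Added example, not the original poster's code. Assumes the site lives at
// /var/www/ditacms.com and is served under the /ditacms.com URL prefix.
declare(strict_types=1);

const SITE_ROOT  = '/var/www/ditacms.com';   // assumption
const URL_PREFIX = '/ditacms.com';            // assumption

/**
 * Resolve a request URI to a directory inside SITE_ROOT, or null if it
 * escapes the root, does not exist, or is not a directory.
 */
function resolve_listing_dir(string $request_uri): ?string
{
    // Drop the query string, then percent-decode so "%2e%2e" is seen as "..".
    $path = rawurldecode((string) (parse_url($request_uri, PHP_URL_PATH) ?? ''));
    if (strncmp($path, URL_PREFIX, strlen(URL_PREFIX)) !== 0) {
        return null;
    }
    $relative = substr($path, strlen(URL_PREFIX));

    // realpath() collapses "." and "..", resolves symlinks and returns false for
    // nonexistent paths; compare its answer against the root instead of trying
    // to filter ".." out of the string by hand.
    $root = realpath(SITE_ROOT);
    $real = realpath(SITE_ROOT . '/' . $relative);
    if ($root === false || $real === false || !is_dir($real)) {
        return null;
    }
    // Compare with a trailing separator so "/var/www/ditacms.com-other" is rejected too.
    if ($real !== $root && strncmp($real, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Build an HTML listing for a resolved directory, linking relative to the request path. */
function render_listing(string $dir, string $request_path): string
{
    $out = '<ul>';
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..' || $entry[0] === '.') {
            continue;   // hide dotfiles such as .htaccess
        }
        $href = rtrim($request_path, '/') . '/' . rawurlencode($entry);
        $out .= '<li><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
              . htmlspecialchars($entry, ENT_QUOTES, 'UTF-8') . '</a></li>';
    }
    return $out . '</ul>';
}

$uri = $_SERVER['REQUEST_URI'] ?? '/';
$dir = resolve_listing_dir($uri);
if ($dir === null) {
    http_response_code(404);
    echo 'Not found';
    exit;
}
echo render_listing($dir, (string) parse_url($uri, PHP_URL_PATH));
```

The reason for comparing `realpath()` output rather than scanning for `..` is that the decoded string can reach the same place in several spellings, and a symlink inside `users/` can point anywhere; only the resolved path tells you where a read would actually go.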