
Hi all,

 

I have a multipage form that saves the input into sessions before being written to a mysql database in the final step.

 

My question (I hope!) is quite simple!

 

The first page of my form looks like this:

 

 

<?php
session_start();?>
    
    <?php include('include/header.php');?>
<link href="stylesheet.css" rel="stylesheet" type="text/css">

<body class="twoColElsLt">
<div id="container">
<div id="leftblock1">
  <h3>Please Enter Your Required Registration Details</h3>
  <h3><br>
    The registration process will take roughly 20 minutes to complete. Once this has been completed you will be taken to your member area which will display your current details and show how many times prospective employers have viewed your details. </h3>
    <p>
     
  </p>
</div>
  <p><br />
  <br />
  <br />
  Registration Step 1 - Personal Details</p>
  <p>You Are <span class="redtext">0%</span> Complete<br />
    <br />
    <br />
    
    
  </p>
  <form action="registration_step2.php" method="post" class="twoColElsLt">
    <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
   
    <tr>
      <th bgcolor="#0000FF">First Name </th>
        
      <td bgcolor="#0000FF" class="tdback"><input name="firstname" type="text" class="redtext" id="firstname" /></td>
    </tr>
    <tr bgcolor="#0000FF">
      <th bgcolor="#0000FF">Last Name </th>
      <td class="tdback"><input name="lastname" type="text" class="redtext" id="lastname" /></td>
    </tr>
    <tr bgcolor="#0000FF">
      <th width="124" align="center" bgcolor="#0000FF">Desired User Name</th>
      <td class="tdback"><input name="login" type="text" class="redtext" id="login" /></td>
    </tr>
    <tr bgcolor="#0000FF">
      <th bgcolor="#0000FF">Password</th>
      <td class="tdback"><input name="passwd" type="password" class="redtext" id="passwd" /></td>
    </tr>
  
    
     <tr bgcolor="#0000FF">
      <th>Email Address </th>
      <td class="tdback"><input name="email" type="text" class="redtext" id="email" /></td>
    </tr>
        <tr>
      <td> </td>
      <td class="tdback"><input type="submit" name="Submit" value="Continue Registration" /></td>
    </tr>
    
  </table>
<p> </p>
       </form>
      
     
</div>
</body>

 

How would I include some form of security into this? Mainly I want to check that all the fields have been filled in and that the username and email have not been used before.

 

Thanks


Thanks, I have got the validation sorted for checking the fields have been filled in using Java; however, I have a bit of a question regarding checking the database.

 

All my information is stored in sessions until the final page of the form; it is then entered into the database. However, I want to check this on the 1st page so the user doesn't get all the way through the form and then have to come back to page one.

 

Could I put a button next to the email address etc. which would check the database? Would it be possible to store the information as a temp variable to check the database before the new one is inserted? And most importantly, where the hell do I start!!

This is an example of how to know if there is an email in the database the same as the one a user is trying to enter into the database.

<?php session_start();

//database connection.

$sql="SELECT $email FROM $wat_ever WHERE id='{$_SESSION['id']}' ";

if(myslq_num_rows($sql)==1){

$warning=" Sorry the email address is in use!";

}else{

$warning="Good news the email is ok!";
}

echo $warning;
?>

redarrow,

mysql_num_rows() takes a resource not a string...  AND you spelled mysql wrong when you called that function...

 

$sql="SELECT $email FROM $wat_ever WHERE id='{$_SESSION['id']}' ";
$result = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($result)==1){

so sorry sir lol.

 

<?php session_start();

//database connection.

$sql="SELECT $email FROM $wat_ever WHERE id='{$_SESSION['id']}' ";

$res=mysql_query($sql)or die(mysql_error());

if(mysql_num_rows($res)==1){
   
   $warning=" Sorry the email address is in use!";

}else{
   
   $warning="Good news the email is ok!";
}

echo $warning;
?>

So sorry, now checks all the email addresses in the database.

 

corrected

<?php session_start();

//database connection.

$sql="SELECT $email FROM $wat_ever";

$res=mysql_query($sql)or die(mysql_error());

if(mysql_num_rows($res)==1){
   
   $warning=" Sorry the email address is in use!";

}else{
   
   $warning="Good news the email is ok!";
}

echo $warning;
?>
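
The checks asked about in the first post, written server-side, as an added example that is not code from any poster in this thread: required fields, email format, and a parameterized lookup for an existing user name or email. The `users` table, its column names and the `validate_step1` function are assumptions, and in-memory SQLite through PDO stands in for the MySQL database so the block runs on its own.

```php
<?php
// Added example: server-side checks for step 1 of the registration form.
// Assumptions: a `users` table with `login` and `email` columns (names are
// hypothetical); SQLite in memory stands in for MySQL so this runs offline.

function validate_step1(PDO $db, array $post): array
{
    $errors = [];
    $clean  = [];
    // 1. Every field must be present and non-empty after trimming.
    foreach (['firstname', 'lastname', 'login', 'passwd', 'email'] as $field) {
        $value = $post[$field] ?? '';
        $clean[$field] = is_string($value) ? trim($value) : '';
        if ($clean[$field] === '') {
            $errors[$field] = 'This field is required.';
        }
    }
    // 2. The email must be syntactically valid before it is looked up.
    if (!isset($errors['email']) && !filter_var($clean['email'], FILTER_VALIDATE_EMAIL)) {
        $errors['email'] = 'Please enter a valid email address.';
    }
    // 3. Uniqueness: user input is bound as a parameter, never placed in the SQL string.
    foreach (['login' => 'user name', 'email' => 'email address'] as $column => $label) {
        if (isset($errors[$column])) {
            continue;
        }
        // $column comes from the fixed list above, not from the request.
        $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE $column = ?");
        $stmt->execute([$clean[$column]]);
        if ((int) $stmt->fetchColumn() > 0) {
            $errors[$column] = "That $label is already in use.";
        }
    }
    return $errors;
}

// Constructed sample data: one existing member.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE also stops two people claiming the same name between the check and the insert.
$db->exec('CREATE TABLE users (login TEXT UNIQUE, email TEXT UNIQUE)');
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com')");

// Constructed submission; in registration_step2.php this would be $_POST.
$post = ['firstname' => 'Bob', 'lastname' => '', 'login' => 'alice',
         'passwd' => 'constructed-sample-pw', 'email' => 'bob@example.com'];
print_r(validate_step1($db, $post));
// Only when the array is empty should the values be copied into $_SESSION.
```

Validation done in the browser can be skipped by the client, so registration_step2.php needs to run these checks itself before storing anything in the session.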
