
I have been doing some reading up on the security of PHP forms and MySQL insertion and such. As a result I have redesigned a form, and below I have posted some of the code. Could someone let me know if they think I have done all that is possible to ensure that the form is totally secure?

Are there any improvements possible, and if so, what are they?

 

<?php
include('session.php');

function mres($input) {
    return strip_tags(mysql_real_escape_string($input));
}

if(isset($_POST['submit']))
{
    if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token'])
    {
        $clean = array();
        $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';

        $clean['username'] = ( isset( $_POST['username'] ) ) ? mres( $_POST['username'] ) : '';
        $clean['password'] = ( isset( $_POST['password'] ) ) ? mres(sha1( $_POST['password'] )) : '';
        $clean['password2'] = ( isset( $_POST['password2'] ) ) ? mres(sha1( $_POST['password2'] )) : '';
        if (preg_match($email_pattern, $_POST['email']))
        {
            $clean['email'] = mres($_POST['email']);
        }
        if (preg_match($email_pattern, $_POST['email2']))
        {
            $clean['email2'] = mres($_POST['email2']);
        }
        $clean['fname'] = ( isset( $_POST['fname'] ) ) ? mres( $_POST['fname'] ) : '';
        $clean['lname'] = ( isset( $_POST['lname'] ) ) ? mres( $_POST['lname'] ) : '';
        $clean['dobd'] = ( isset( $_POST['dobd'] ) AND ctype_digit( $_POST['dobd'] ) ) ? $_POST['dobd'] : 0;
        $clean['dobm'] = ( isset( $_POST['dobm'] ) ) ? mres( $_POST['dobm'] ) : '';
        $clean['doby'] = ( isset( $_POST['doby'] ) AND ctype_digit( $_POST['doby'] ) ) ? $_POST['doby'] : 0;
        $clean['sex'] = ( isset( $_POST['sex'] ) ) ? mres( $_POST['sex'] ) : '';
        $clean['country'] = ( isset( $_POST['country'] ) ) ? mres( $_POST['country'] ) : '';
        $clean['lordname'] = ( isset( $_POST['lordname'] ) ) ? mres( $_POST['lordname'] ) : '';
        $query = mysql_query("SELECT * FROM members WHERE username ='$clean[username]' ");
        $result = mysql_fetch_row($query);
        $query2 = mysql_query("SELECT * FROM resources WHERE lordname ='$clean[lordname]' ");
        $result2 = mysql_fetch_row($query2);

        if($clean['sex'] == "sexm")
        {
            $clean['sex'] = "male";
        }
        else
        {
            $clean['sex'] = "female";
        }

        if($result != 0)
        {
            $error = "Username taken please choose another";
        }
        else if(!($clean['password'] == $clean['password2']))
        {
            $error = "Your passwords do not match.";
        }
        else if(!($clean['email'] == $clean['email2']))
        {
            $error = "Your emails do not match.";
        }
        else if($result2 != 0)
        {
            $error = "Lordname taken please choose another";
        }
        else
        {
            mysql_query("INSERT INTO mem
                    (id, username, user_password, fname, lname, email, dob, sex)
                VALUES ('NULL','$clean[username]','$clean[password]','$clean[fname]',
                    '$clean[lname]','$clean[email]','$clean[dobd]-$clean[dobm]-$clean[doby]',
                    '$clean[sex]')
            ")
            or die(mysql_error());

            mysql_query("INSERT INTO res (lordname) VALUES ('$clean[lordname]')")
            or die(mysql_error());

            echo "<p>Member Added</p>";
        }
    }
}

if(isset($error))
{
    echo "$error";
}

$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Member Signup</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<form name="login-form" id="login-form" method="post" action="signup.php">
<fieldset>
	<legend>Member Signup</legend>
	<dl>
		<dt>
			<label>Username: <input name="username" type="text" maxlength="20" id="username" /></label>
		</dt>
	</dl>
	<dl>
		<dt>
			<label>Password: <input name="password" type="password" maxlength="20" id="password" /></label>
			<label>Repeat Password: <input name="password2" type="password" maxlength="20" id="password2" /></label>
		</dt>
	</dl>
	<dl>
		<dt>
			<label>E-Mail: <input name="email" type="text" maxlength="100" id="email" /></label> 
			<label>Repeat E-Mail: <input name="email2" type="text" maxlength="100" id="email2" /></label>
		</dt>
	</dl>
	<dl>
		<dt>
			<label>First Name: <input name="fname" type="text" maxlength="100" id="fname" /></label>
			<label>Last Name: <input name="lname" type="text" maxlength="100" id="lname" /></label>
		</dt>
	</dl>
	<dl>
		<dt>
			<label title="Username">Date of Birth: 
			<label for="day">Day</label>

			<select name="dobd" id="day">
				<option value="1" selected="selected">1</option>
				...
			</select>

			<label for="month">Month</label>
			<select name="dobm" id="month">
				<option value="January" selected="selected">January</option>
				....
			</select>

			<label for="year">Year</label>
			<select name="doby" id="year">
			<option value="2008" selected="selected">2008</option>
				....
			</select>
		</label>
		</dt>
	</dl>
	<dl>
		<dt>
			<label>Sex: Male<input name="sex" type="radio" id="sex" value="sexm" />Female<input name="sex" type="radio" id="sex" value="sexf" /></label>
		</dt>
	</dl>
	<dl>
		<dt>  
			<label for="country">Country</label>
				<select name="country" id="country">
				<option value="NONE" selected="selected">Please Choose One</option>
				.....
			</select> 
		</dt>
	</dl>
	<dl>
		<dt>
			<label title="Username">Lord Name: 
			<input name="lordname" type="text" maxlength="25" id="lordname" />
			</label>
		</dt>
	</dl>
	<dl>
		<dt>
			<input type="hidden" name="token" value="<?php echo $token; ?>" />
			<label title="Submit"><input type="submit" name="submit" value="Signup" /></label>
		</dt>
	</dl>
</fieldset>
</form>
</body>
</html>

 

Thanks in Advance

Mike
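A hardened version of the same signup handling, added here as an example and not code from the original post: it compares the CSRF token with hash_equals(), validates the e-mail with filter_var() before it is used (the posted code leaves $clean['email'] unset when the regex fails, so two empty addresses still "match"), whitelists the fixed-choice fields, hashes the password with password_hash() and binds every value through PDO prepared statements instead of escaping it. It assumes a PDO connection $pdo opened with ERRMODE_EXCEPTION and the post's mem and res tables; the name, date-of-birth and country fields would be validated and bound the same way.

```php
<?php
// Added example, not the poster's code. Assumes a PDO connection $pdo opened with
// ERRMODE_EXCEPTION and the post's tables mem and res; other fields bind the same way.
function validate_signup(array $post, ?string $sessionToken): array {
    $errors = [];
    // hash_equals() compares in constant time and strictly; == does neither.
    if ($sessionToken === null || !hash_equals($sessionToken, (string)($post['token'] ?? ''))) {
        $errors[] = 'Invalid form token.';
    }
    $username = trim((string)($post['username'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores.';
    }
    $password = (string)($post['password'] ?? '');
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    } elseif ($password !== (string)($post['password2'] ?? '')) {
        $errors[] = 'Your passwords do not match.';
    }
    $email = filter_var((string)($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'Invalid e-mail address.';
    } elseif ($email !== (string)($post['email2'] ?? '')) {
        $errors[] = 'Your emails do not match.';
    }
    // Fixed-choice fields are whitelisted; an unknown value is an error, not "female".
    $sex = ['sexm' => 'male', 'sexf' => 'female'][(string)($post['sex'] ?? '')] ?? null;
    if ($sex === null) { $errors[] = 'Please choose a sex.'; }
    $lordname = trim((string)($post['lordname'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9 ]{1,25}$/', $lordname)) { $errors[] = 'Lord name must be 1-25 letters, digits or spaces.'; }
    return ['errors' => $errors, 'username' => $username, 'password' => $password,
            'email' => $email, 'sex' => $sex, 'lordname' => $lordname];
}
// Returns an error message, or null once both rows are written.
function create_member(PDO $pdo, array $c): ?string {
    // Bound parameters never become part of the SQL text, so no escaping is needed.
    $st = $pdo->prepare('SELECT COUNT(*) FROM mem WHERE username = ?');
    $st->execute([$c['username']]);
    if ($st->fetchColumn() > 0) { return 'Username taken, please choose another.'; }
    $st = $pdo->prepare('SELECT COUNT(*) FROM res WHERE lordname = ?');
    $st->execute([$c['lordname']]);
    if ($st->fetchColumn() > 0) { return 'Lord name taken, please choose another.'; }
    $pdo->beginTransaction(); // commit both rows together
    // password_hash() salts and stretches; an unsalted sha1() of the password does not.
    $pdo->prepare('INSERT INTO mem (username, user_password, email, sex) VALUES (?, ?, ?, ?)')
        ->execute([$c['username'], password_hash($c['password'], PASSWORD_DEFAULT), $c['email'], $c['sex']]);
    $pdo->prepare('INSERT INTO res (lordname) VALUES (?)')->execute([$c['lordname']]);
    $pdo->commit();
    return null;
}
```

The caller runs validate_signup($_POST, $_SESSION['token'] ?? null), shows any entries in 'errors', and only on an empty list calls create_member(); the session token is regenerated per request exactly as the posted code already does.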

https://forums.phpfreaks.com/topic/177441-is-this-form-secure/