jumpenjuhosaphat Posted November 6, 2006

There are 2 input fields, user name and password. This is my validation, to ensure that everything is in place. How does it look? Did I forget anything important?

[code]function clear_error($error)
{
    unset($_POST);
    include("refresh.php");
    echo $error;
}

if (isset($_POST["signin"])) {
    if (!isset($_POST["username"]) && !isset($_POST["password"])) {
        clear_error("Please enter a username and a password in the fields provided");
    }
    if (!isset($_POST["username"])) {
        clear_error("Please enter a user name in the field provided");
    }
    if (!isset($_POST["password"])) {
        clear_error("Please enter a password in the field provided");
    }

    // double-quoted so the posted value is interpolated; the value is quoted for SQL
    $result = mysql_query("SELECT * FROM user WHERE username='{$_POST["username"]}'");
    // mysql_query() only returns false on error, so also check the row count
    if (!$result || mysql_num_rows($result) == 0) {
        clear_error("There is no user by that username");
    } else {
        $row = mysql_fetch_array($result);
        if ($row["password"] != $_POST["password"]) {
            clear_error("Incorrect password entered");
        }
    }
}[/code]

https://forums.phpfreaks.com/topic/26380-is-this-code-missing-anything-validation-code/
xtentic Posted November 6, 2006

Yes, it misses a lot!

$_SERVER['REQUEST_METHOD'] == "POST" so you know that a form is submitted! Then you should ask if some $_POST variables exist!

Second, never trust the input that is given in a form! There are a lot of tutorials that will teach you how to safely secure your scripts, like some functions: addslashes, preg_match, is_numeric and so on.

So the first thing you've got to do is go to google.com and search for some PHP security tutorials.
jumpenjuhosaphat Posted November 6, 2006

Thank you for the advice. I'd have never known that a malicious user could access my DB by using a sign in form. I did some reading up on the subject, and it appears as though I'm gonna need to do some deeper validation on the input. However, the one thing I couldn't find any understandable logic on is $_SERVER['REQUEST_METHOD']. I was hoping that you could elaborate a bit more on this for me, and maybe explain what it does. I did a search on Google for it, but didn't come up with any usable results.
jumpenjuhosaphat Posted November 11, 2006

Okay, I've redone a few things. Does this look better now?

[code]function clear_error($error)
{
    unset($_POST);
    include("refresh.php");
    echo $error;
}

function secure($user_data)
{
    $user_data = strip_tags($user_data);
    $user_data = stripslashes($user_data);      // drop any backslashes already present
    $user_data = addslashes(trim($user_data));  // then escape quotes for the query
    return $user_data;
}

if (isset($_POST["signin"])) {
    $username = secure($_POST["username"]);
    $password = secure($_POST["password"]);

    if (strlen($username) < 5 || strlen($username) > 16) {
        clear_error("User name must be between 5 and 16 characters");
    }
    if (strlen($password) < 5 || strlen($password) > 10) {
        clear_error("Password must be between 5 and 10 characters");
    }

    // double-quoted so $username is interpolated; the value is quoted for SQL
    $result = mysql_query("SELECT * FROM user WHERE username='$username'");
    // mysql_query() only returns false on error, so also check the row count
    if (!$result || mysql_num_rows($result) == 0) {
        clear_error("Incorrect user data entered");
    } else {
        $row = mysql_fetch_array($result);
        if ($row["password"] != $password) {
            clear_error("Incorrect user data entered");
        }
    }
}[/code]
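The following is an added example, not code from this thread, that puts xtentic's advice (check $_SERVER['REQUEST_METHOD'], validate with preg_match) into a sign-in handler equivalent to the revised one above, but with the escaping approach replaced by a prepared statement. It assumes PHP with PDO and the pdo_sqlite extension, a table named user with columns username and password_hash (the thread's table stores a cleartext password column instead; the hashed column is this example's substitution), and constructed form submissions embedded in the script so it runs from the command line without a web server or MySQL. It also prints the query string the original concatenation would have produced for a classic injection payload, without executing it.

```php
<?php
// Added example (not from the thread). Hardened sign-in check using PDO
// prepared statements. Runs against an in-memory SQLite database so it works
// offline; for MySQL only the DSN and the table DDL change.
// Assumed schema: user(username TEXT, password_hash TEXT).

function validate_credentials(array $post): array
{
    $errors   = [];
    $username = isset($post['username']) ? trim((string) $post['username']) : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';

    // Whitelist instead of strip_tags/addslashes: 5-16 letters, digits or
    // underscores. \z (not $) so a trailing newline cannot sneak through.
    if (!preg_match('/^[A-Za-z0-9_]{5,16}\z/', $username)) {
        $errors[] = 'User name must be 5-16 letters, digits or underscores';
    }
    // Only a minimum length for the password; the stored hash has a fixed size,
    // so there is no reason for the 10-character cap in the original.
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters';
    }
    return [$username, $password, $errors];
}

function check_login(PDO $db, string $username, string $password): bool
{
    // The username travels as a bound parameter, never spliced into the SQL
    // text, so quotes in it cannot change the query's structure.
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One generic result for both "no such user" and "wrong password".
    return $row !== false && password_verify($password, $row['password_hash']);
}

// What the thread's string concatenation would have sent for a given username.
// Returned as a string only; this example never executes it.
function unsafe_query_string(string $username): string
{
    return "SELECT * FROM user WHERE username='$username'";
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO user (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice1', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// The REQUEST_METHOD check from the thread: only handle real POST submissions.
// On the command line $_SERVER['REQUEST_METHOD'] is unset, so default to POST
// just so the demo runs; in a web context drop the fallback.
$method = $_SERVER['REQUEST_METHOD'] ?? 'POST';
if ($method !== 'POST') {
    exit("not a form submission\n");
}

// Constructed submissions: a correct login, a wrong password, and an
// injection attempt of the kind the thread warns about.
$attempts = [
    ['username' => 'alice1', 'password' => 'correct horse'],
    ['username' => 'alice1', 'password' => 'wrong-password'],
    ['username' => "alice1' OR '1'='1", 'password' => 'whatever1'],
];

foreach ($attempts as $post) {
    [$u, $p, $errors] = validate_credentials($post);
    if ($errors) {
        echo "rejected: ", implode('; ', $errors), "\n";
        echo "  (concatenated query would have been: ",
             unsafe_query_string($post['username']), ")\n";
        continue;
    }
    echo $u, ': ', check_login($db, $u, $p) ? "signed in" : "incorrect user data entered", "\n";
}
```

Run it with `php login_example.php`. The first attempt signs in, the second is reported as incorrect user data, and the third never reaches the database because the whitelist rejects it; the printed concatenated query shows that, had it been spliced in as the thread's code does, the OR clause would have matched every row. Even if a payload passed validation, the prepared statement sends it as data rather than SQL, which is the property addslashes() only approximates.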
This topic is now archived and is closed to further replies.