
PHP Form Security


cozzy1984


Hi, I'm still in early processes of trying to learn PHP and have done a basic form so far for registration on the site I am designing, however I don't know too much about the security side of it and am afraid that my code may not be too secure. Was wondering if possible someone could look at it and tell me if it's really vulnerable to attacks. I still have to do a check on the invalid characters for username and prevent it from having spaces, which I'm trying to figure out.

 

Cheers

 

<?php
// Start a session
session_start(); 
include("database.php");
include("login.php");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Ad'll Do</title>
<link rel='stylesheet' type='text/css' href='css/base.css' />
<script language="javascript">

function info(director)
{
document.getElementById('directions').innerHTML = director;
}

function infotitle(text)
{
document.getElementById('directionstitle').innerHTML = text;
}

</script>

</head>
<body class='home'>
<div id='top'>
<a href="mailto:cozzy1@gmail.com" class="contact"><img src="img/contact.png" alt="" /><span>Contact Us</span></a>


</div>
<div id='mastheadwrapper'>
<div id='masthead'>
<ul id='smallnav'>
<li><a href='index.php'>Home</a> | </li>
<li><a href='register.php'>Sign Up</a> FREE!</li>
</ul>


</div>

</div><!-- end div masthead -->
</div><!-- end div masthead wrapper -->
<div id='menu'>
<ul class="mainmenu">
<li><a href="#" onClick="sendRequest('home.php');">Computers</a></li>
<li><a href="#">Electrical</a></li>
<li><a href="#">Home & Garden</a></li>
<li><a href="#">Music</a></li>
<li><a href="#">Pets</a></li>
<li><a href="#">Sport & Leisure</a></li>
</ul>
<div id='searchbar'>
<form action='#' method='post'>
<input type='text' name='searchtext' size='20' />
<input class='searchbtn' type='submit' value='' title="Search" />
</form>
</div>
</div>

<div id='contentwrapper'>
    <ul id='bignav'>
      <li id="nav-home"><a href="index.php"></a></li>
      <li id="nav-about"><a href="#"></a></li>
      <li id="nav-faqs"><a href="#"></a></li>
    </ul>
<div id='maincontent'>
<div id='content'>



<?php
if (isset($_POST['submit'])) {
$username = trim($_POST['username']);
$password = $_POST['password'];
$password2 = $_POST['password2'];
$md5password = md5($_POST['password']);
$email = $_POST['email'];
$forename = $_POST['forename'];
$surname = $_POST['surname'];
$location = $_POST['location'];
$ip = $_SERVER['REMOTE_ADDR'];


	if($username && strlen($username) >= 3){
		$query = mysql_query("SELECT username FROM users WHERE username ='$username' LIMIT 1");
		if(@mysql_num_rows($query)){
			$error['userexists'] = 'Username already exists';
			$usernameerror = 'regerrorwrong';
		}
	} else {
		$error['usernameinput'] = 'Username Invalid';
		$usernameerror = 'regerrorwrong';

	}

	if (!$username || !$password || !$email || !$forename || !$surname || !$location) {

	$error['reqfieldsinput'] = 'Please complete all the fields below  '; }


		if($password && $password2)
		{
			if($password != $password2)
			{
				$error['dontmatch'] = 'Passwords don\'t match';
				$passworderror = 'regerrorwrong';
			}
		} else {
		$error['passwordinput'] = 'Enter password in both fields';
		$passworderror = 'regerrorwrong';
	}

	if($email){
		 if(!eregi("^[a-zA-Z0-9]+[a-zA-Z0-9_.-]*@[a-zA-Z0-9]+[a-zA-Z0-9_.-]*\.[a-z]{2,4}$", $email)){
		  $error['emailerror'] = 'Email Incorrect';
		  $emailerror = 'regerrorwrong';
	  } else {
	  	$query = mysql_query("SELECT username FROM users WHERE email='$email' LIMIT 1");
			if(@mysql_num_rows($query)){
				$error['emailexists'] = 'Email exists';
				$emailerror = 'regerrorwrong';
			}
	  }
	} else {
		$error['emailinput'] = 'Email Required';
		$emailerror = 'regerrorwrong';
	}

	if(strlen($forename) > 15){
		$error['forename'] = 'Forename too long';
		$forenameerror = 'regerrorwrong';
	}

	if(strlen($surname) > 20){
		$error['surname'] = 'Surname too long';
		$surnameerror = 'regerrorwrong';
	}

	if ($location == 'Please Select'){
		$error['location'] = 'Please select a location';
		$locationerror = 'regerrorwrong';
	}

$query = mysql_query("SELECT ipaddress FROM users WHERE ipaddress ='$ip' LIMIT 1");
		if(@mysql_num_rows($query)){
			$error['ipexists'] = 'Your IP address already has an account registered';
		}

}



if(!$error && isset($_POST['submit'])){

mysql_query("INSERT INTO users (username, password, email, forename, surname, location, ipaddress) VALUES ('$username', '$md5password', '$email', '$forename', '$surname', '$location', '$ip')");
?>
<div id='postit'>
<div id='scotchtape'>
<img src='img/scotchtape.png' alt='' height='41' width='100'>
</div>
<h2>Registration Successful</h2>
<?php echo "<p>Congratulations <span class='highlight'>$username</span>, your registration was successful. Your account has now been created with the following details:</p>";?>
</div>
<?php
echo "<p class='registered'><font color='#bc2525'>Username:</font> $username</p>";
echo "<p class='registered'><font color='#bc2525'>Password:</font> $password</p>";
echo "<p class='registered'><font color='#bc2525'>Email:</font> $email</p>";
echo "<p class='registered'><font color='#bc2525'>Forename:</font> $forename</p>";
echo "<p class='registered'><font color='#bc2525'>Surname:</font> $surname</p>";
echo "<p class='registered'><font color='#bc2525'>Location:</font> $location</p><br/><br/>";

echo "<span class='box'>You may now login using the login form & begin creating adverts.</span>";

} else{ ?>

<div id='postit'>

<div id='scotchtape'>
<img src='img/scotchtape.png' alt='' height='41' width='100' />
</div>
<h2>Sign Up Form</h2>
<p><span class='highlight'>Please enter your details below to register.</span><br/>Be advised that contact to you from buyers will be made through the email address that you supply therefore it must be a valid one.</p>
<div id="helpicon"><img src='img/help_icon.png' alt='' height='70' width='70' /></div>
<div id="directionstitle">Help Information</div>
<div id="directions">This box will contain help relating to each section.<br/> All fields are required.</div>
<span class="regerror"><?php echo $error['reqfieldsinput']; ?></span><br/><span class="regerror"><?php echo $error['ipexists']; ?></span>

</div>
<form name="registration" method="post" class="regform" action="" enctype="application/x-www-form-urlencoded">

<fieldset>
<label for="username">Username:</label>
<input name="username" type="text" id="username" maxlength="12" value="<?php echo $_POST['username']; ?>"  onfocus="infotitle('Enter Username'); info('Your username must be between 3 and 12 characters in length and cannot contain any spaces.');" />
<span class="<?php echo $usernameerror; ?>"><?php echo $error['userexists']; echo $error['usernameinput']; ?></span>
</fieldset>

<fieldset>
<label for="password">Password:</label>
<input name="password" type="password" id="password" maxlength="15" value="<?php echo $_POST['password']; ?>" onfocus="infotitle('Enter Password'); info('Your password can be any combination of characters and must be at least 4 characters in length.');" />
<span class="<?php echo $passworderror; ?>"><?php echo $error['dontmatch']; echo $error['passwordinput']; ?></span>
</fieldset>

<fieldset>
<label for="password2">Re-Type Password:</label>
<input name="password2" type="password" id="password2" maxlength="15" value="<?php echo $_POST['password2']; ?>" onfocus="infotitle('Re-Enter Password'); info('Please re-enter your password to make sure it is correct');" />
</fieldset>

<fieldset>
<label for="email">Email:</label>
<input name="email" type="text" id="email" maxlength="35" value="<?php echo $_POST['email']; ?>" onfocus="infotitle('Enter Email Address'); info('Your email address is how buyers will initially contact you. Therefore it is essential that you supply the correct email. ');" />
<span class="<?php echo $emailerror; ?>"><?php echo $error['emailinput']; ?><?php echo $error['emailerror']; echo $error['emailexists']; ?></span>
</fieldset>

<fieldset>
<label for="forename">Forename:</label>
<input name="forename" type="text" id="forename" maxlength="15" value="<?php echo $_POST['forename']; ?>" onfocus="infotitle('Enter Forename'); info('Your forename is needed for our records only, and won\'t be posted up for other users to see.');" />
<span class="<?php echo $forenameerror; ?>"><?php echo $error['forename']; ?></span>
</fieldset>

<fieldset>
<label for="surname">Surname:</label>
<input name="surname" type="text" id="surname" maxlength="20" value="<?php echo $_POST['surname']; ?>" onfocus="infotitle('Enter Surname'); info('Again this is for our records only, other users will only know you by your username.');" />
<span class="<?php echo $surnameerror; ?>"><?php echo $error['surname']; ?></span>
</fieldset>

<fieldset>
<label for="county">Location:</label>
<select name="location" onfocus="infotitle('Enter Location'); info('Please select the location that you live in, this will be displayed in your ads.');">
<option value="Please Select">Please Select..</option>
<option value="Co.Antrim">Co.Antrim</option>
<option value="Co.Armagh">Co.Armagh</option>
</select>
<span class="<?php echo $locationerror; ?>"><?php echo $error['location']; ?></span>
</fieldset>

<br />
<input type="submit" class="signupbtn" name="submit" value="" />
</form>

<?php
}
?>

</div>
</div>

<div id='sidebar'>
<div id='member'>
<?php
displaylogin();

?>
</div>

<div id='categories'>
<h2>Categories</h2>
<ul class="cats">
<li><a href="#">Computers</a></li>
<li><a href="#">Electrical</a></li>
<li><a href="#">Home & Garden</a></li>
<li><a href="#">Music</a></li>
<li><a href="#">Pets</a></li>
<li><a href="#">Sport & Leisure</a></li>

</ul>
</div>
</div>

<div id='floatclearer'>.</div>

</div><!-- end div contentwrapper -->

<!--footer start -->
<div id="footerMain">
<div id="footer">
<ul>
<li><a href="#">Computers</a>|</li>
<li><a href="#">Electrical</a>|</li>
<li><a href="#">Home & Garden</a>|</li>
<li><a href="#">Music</a>|</li>
<li><a href="#">Pets</a>|</li>
<li><a href="#">Sports & Leisure</a>|</li>
<li><a href="#">FAQs</a>|</li>
<li><a href="#">Terms & Conditions</a>|</li>
<li><a href="#">Contact Us</a></li>
</ul>
<p class="copyright">©Ad'll Do. All rights reserved.</p>
</div>
</div>
<!--footer end -->

</body>
</html>

Link to comment
Share on other sites

Well for the "detecting spaces in the username" thing, you could try...

 

<?php
// strstr() takes the string to search first, then the thing to look for.
$hasSpace = ( strstr( $username, ' ' ) !== false );
// $hasSpace is true if a space is found in $username... false otherwise.

// Or how about...
$parts = explode( ' ', $username ); // use a new variable so $username is not overwritten
if( count( $parts ) > 1 )
{
    // There was at least one space in $username
}
?>

 

Those are probably bad ways of doing it, but I'm just trying to help...

 

As far as checking for invalid characters goes, you want to use preg_match() and as far as security goes... I don't really know anything about security in PHP...

 

Though I hear mysql_real_escape_string() works well.

Link to comment
Share on other sites
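
An added example, not code from either poster: the registration handling from the first post with the username check done by preg_match(), the queries parameterized instead of interpolating $_POST values, the md5() hash replaced by password_hash(), and output escaped before it is echoed. It assumes PHP 7 or later with PDO; the helper names e(), validate_registration() and register_user(), the in-memory SQLite table and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not the poster's code). Hypothetical helper names; the demo needs pdo_sqlite.

function e(string $s): string
{
    // Escape for HTML text and for attribute values such as value="...".
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function validate_registration(array $in): array
{
    $error = [];
    // 3-12 letters, digits or underscores: rejects spaces and quotes in one check.
    if (!preg_match('/^[A-Za-z0-9_]{3,12}$/', trim($in['username'] ?? ''))) {
        $error['usernameinput'] = 'Username Invalid';
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $error['emailerror'] = 'Email Incorrect';
    }
    $password = $in['password'] ?? '';
    if ($password === '' || $password !== ($in['password2'] ?? '')) {
        $error['dontmatch'] = 'Passwords don\'t match';
    }
    return $error;
}

function register_user(PDO $db, array $in): void
{
    // Placeholders send the values separately from the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
    $stmt->execute([
        trim($in['username']),
        password_hash($in['password'], PASSWORD_DEFAULT), // salted hash, replaces md5()
        $in['email'],
    ]);
}

// Demo on constructed input, with an in-memory SQLite table standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT, email TEXT)');

$samples = [
    ['username' => "o'brien x", 'email' => 'ob@example.com', 'password' => 'pw1234', 'password2' => 'pw1234'],
    ['username' => 'cozzy_84', 'email' => 'c@example.com', 'password' => 'pw1234', 'password2' => 'pw1234'],
];
foreach ($samples as $in) {
    $error = validate_registration($in);
    if (!$error) {
        register_user($db, $in);
    }
    echo e($in['username']), ': ', $error ? e(implode(', ', $error)) : 'registered', "\n";
}
```

The same e() call belongs around every `echo $_POST[...]` in the form's value attributes and on the confirmation page, which also should not echo the password back.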
