
I am trying to build a website with a login system. I have read this stuff on the web, but I find it difficult to put it together, and I think I am missing a lot of important things, like security.

  • mysqli
  • verify email
  • prepared statement (I have no idea what it is ><)
  • Is there any security risk other than injection in the code below?

I am a self-taught programmer (just started coding several months ago, please help ><)

  • I do not know OOP and PDO, so please use procedural format T.T
  • I do not know much about security
  • This is not a project, I would like to publish it. So there must be good security.
  • Please help to improve it, thanks a lot!!!

Am I asking too many questions??

<?php
      if(isset($_POST['signup-name']) and isset($_POST['signup-password-1']) and isset($_POST['signup-password-2']) and isset($_POST['signup-email-1']) and isset($_POST['signup-email-2']) and isset($_POST['signup-country']) and isset($_POST['recaptcha_challenge_field']) and isset($_POST['recaptcha_response_field'])){
        if(!empty($_POST['signup-name']) and !empty($_POST['signup-password-1']) and !empty($_POST['signup-password-2']) and !empty($_POST['signup-email-1']) and !empty($_POST['signup-email-2']) and !empty($_POST['signup-country']) and !empty($_POST['recaptcha_challenge_field']) and !empty($_POST['recaptcha_response_field'])){

          // Read each form field into the variable of the matching name
          // (the original assigned the password fields to $email1/$email2 and the e-mail fields to $password1/$password2)
          $username  = $_POST['signup-name'];
          $email1    = $_POST['signup-email-1'];
          $email2    = $_POST['signup-email-2'];
          $password1 = $_POST['signup-password-1'];
          $password2 = $_POST['signup-password-2'];
          $country   = $_POST['signup-country'];
          // Read but never checked below: these two fields still have to be sent to the reCAPTCHA service
          // and the signup rejected when the service says the answer is wrong
          $recaptcha_challenge_field = $_POST['recaptcha_challenge_field'];
          $recaptcha_response_field  = $_POST['recaptcha_response_field'];

          if($email1==$email2 and $password1==$password2){

            include 'db_info.php';
            // mysqli_connect() takes the database name as its fourth argument ($db_name is assumed to be
            // defined in db_info.php next to the user and password). mysqli_connect_error() is the mysqli
            // way to report a failed connection; mysql_error() belongs to the old mysql extension.
            $connect = mysqli_connect("localhost", $db_uusseerrss, $db_ppwwdd, $db_name) or die("Unable to connect to database: " . mysqli_connect_error());

            // No mysqli_real_escape_string() here: the prepared statement below sends the values to the
            // database separately from the SQL text, and escaping them first would store the added
            // backslashes in the table. (The original also escaped $username into $country by mistake.)
            $bcrypt_option = array('cost'=>12);
            $hashed_password = password_hash($password1, PASSWORD_BCRYPT, $bcrypt_option);
            // The hash is not echoed: it was debug output and does not belong on the page.

            // Column names are quoted with backticks; 'country' in single quotes is a string literal,
            // not a column name, and makes the INSERT fail.
            $query = "INSERT INTO user_info (`username`, `email`, `password`, `country`) VALUES (?, ?, ?, ?)";
            if ($stmt = mysqli_prepare($connect, $query)) {
              // "ssss": all four placeholders are bound as strings (procedural form of $stmt->bind_param)
              mysqli_stmt_bind_param($stmt, "ssss", $username, $email1, $hashed_password, $country);
              mysqli_stmt_execute($stmt);
              mysqli_stmt_close($stmt);

              //redirect to main page (the target URL was left out of the original; "/" is a placeholder)
              header("Location: /");
              exit();
            }
          }
        }
      }else{

      }
    ?>
  • You're asking a lot of stuff in the same question, but I would recommend learning about prepared statements first. That will prevent SQL injection. Begin here: se2.php.net/pdo.prepared-statements. There is a high risk of SQL injection(s) in your code. Commented Apr 26, 2014 at 16:26
  • Please don't use bulletin board speak. If you don't want any help links, do you expect a full rewrite then instead? That would be off-topic, and unlikely to help you in the future if you don't understand and research it afterwards. Commented Apr 26, 2014 at 16:28
  • You can send an activation link to the user's email; then they have to click the activation link to activate their account. Commented Apr 26, 2014 at 16:28
  • Thanks, I have considered adding email activation, but I already have reCAPTCHA, so I am not sure if it is still necessary to have email activation. Commented Apr 26, 2014 at 16:32
  • Bear in mind that OCD-levels of grammar pickiness are common in the audience you are addressing. Thus, if you would expand "hv" to "have" and "plz" to "please", it would be appreciated, and may even help avoid the odd down-vote. Thanks. Commented Apr 26, 2014 at 16:34
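The e-mail activation suggested in the comments, written out as an added example in the question's procedural mysqli style (this is not code from the question or any answer). It assumes the `user_info` table has the extra columns `id`, `verified` (0/1), `verify_token_hash` (CHAR(64), NULL) and `verify_expires` (DATETIME, NULL), that a `send_mail($to, $subject, $body)` function exists, and that `$db_name` is defined in `db_info.php`; the host name in the link is a placeholder.

```php
<?php
// Added example (not from the question or its answers): e-mail activation with a one-time token.
// Assumed: columns id, verified, verify_token_hash, verify_expires on user_info; a send_mail() helper.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw instead of failing silently

function issue_verification_token(mysqli $db, int $user_id, string $email): void {
    // 32 bytes from the CSPRNG; hex-encoded that is 64 characters, safe to put in a URL
    $token = bin2hex(random_bytes(32));
    // Only a hash goes into the table, so a copy of the database is not enough to activate accounts
    $token_hash = hash('sha256', $token);

    // The expiry is computed in SQL so it is later compared against the same clock
    $stmt = mysqli_prepare($db,
        "UPDATE user_info SET verify_token_hash = ?, verify_expires = DATE_ADD(NOW(), INTERVAL 24 HOUR) WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "si", $token_hash, $user_id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    $link = "https://www.example.com/verify.php?token=" . $token; // placeholder host
    send_mail($email, "Confirm your account", "Open this link to activate your account: " . $link);
}

function verify_token(mysqli $db, string $token): bool {
    // A genuine token is exactly 64 hex characters; anything else is rejected before touching the database
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    $token_hash = hash('sha256', $token);
    // Unknown, expired or already-used tokens are simply not found by this query
    $stmt = mysqli_prepare($db,
        "SELECT id FROM user_info WHERE verify_token_hash = ? AND verify_expires > NOW() AND verified = 0 LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $token_hash);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $user_id);
    $found = (bool) mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    if (!$found) {
        return false;
    }
    // Activate the account and clear the token so the same link cannot be used twice
    $stmt = mysqli_prepare($db,
        "UPDATE user_info SET verified = 1, verify_token_hash = NULL, verify_expires = NULL WHERE id = ?");
    mysqli_stmt_bind_param($stmt, "i", $user_id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return true;
}

// verify.php, in the same procedural style as the question:
include 'db_info.php';
$db = mysqli_connect("localhost", $db_uusseerrss, $db_ppwwdd, $db_name);
if (isset($_GET['token']) && verify_token($db, $_GET['token'])) {
    echo "Your account is now active.";
} else {
    echo "This activation link is invalid or has expired.";
}
```

In the signup script, `issue_verification_token($connect, mysqli_insert_id($connect), $email1)` would be called right after the INSERT succeeds, and the login query would add `AND verified = 1`. reCAPTCHA and activation answer different questions: the CAPTCHA checks that a person filled in the form, the activation link checks that the person controls the mailbox they typed, which is what later password resets will depend on.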

2 Answers


I think an easy solution, and one you should always use when inserting user values into the database, is to use a prepared statement. Prepared statements allow you to tell the database what to expect and it will treat the values as such, even if a malicious user attempts to throw SQL injections at it. The basics are one ? per parameter, and then you must tell it what to expect in the bind_param with an s, i, or whatnot. Hope this helps.

$query = "INSERT INTO users (`username`, `email`, `password`, `country`) VALUES (?, ?, ?, ?)";
if ($stmt = mysqli_prepare($conn, $query)) {
    // "ssss": four string parameters, one per ? placeholder
    $stmt->bind_param("ssss", $username, $email1, $hashed_password, $country);
    $stmt->execute();
    $stmt->close();
} else {
    //I always put some sort of error message here
    ob_clean();
    // HTTP_REFERER is sent by the client and may be missing or chosen by it;
    // a fixed URL of your own is the safer redirect target
    header("Location: ".$_SERVER['HTTP_REFERER']);
    mysqli_close($conn);
    exit();
}

2 Comments

Change the single quotation marks around country. Other than that, I am unsure.
John, mysqli prepared statements are the best way to go. The only problem with them is that you have to have everything exactly right. Miss one comma out or put something in wrong and you will get an error. Sometimes it takes a while to debug a prepared statement, so be patient and check your code thoroughly.
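The login side of the same prepared-statement approach, as an added example that is not part of the answer above. It assumes the question's `user_info` table (with an `id` column) whose `password` column holds `password_hash()` output, a login form with fields `login-name` and `login-password`, and `$db_name` in `db_info.php`; all of these are assumptions.

```php
<?php
// Added example (not the answer's code): prepared SELECT + password_verify() for the login page.
// Assumed: user_info(id, username, password) with bcrypt hashes; form fields login-name/login-password.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions, not silent failures

function login_user(mysqli $db, string $username, string $password): ?int {
    // One ? per value. The username travels to the server separately from the SQL text, so a
    // value such as  admin' OR '1'='1  is compared literally against the column and matches nothing.
    $stmt = mysqli_prepare($db, "SELECT id, password FROM user_info WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $username); // "s" = bind as a string
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $user_id, $stored_hash);
    $found = (bool) mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    // When the user does not exist, still run password_verify() against a throwaway hash so the
    // request takes about the same time either way and does not reveal which usernames exist.
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash('not-a-real-password', PASSWORD_BCRYPT, ['cost' => 12]);
    }
    $ok = password_verify($password, $found ? $stored_hash : $dummy_hash);
    if (!$found || !$ok) {
        return null; // same answer for "no such user" and "wrong password"
    }

    // If the cost was raised since this hash was made, upgrade it now that the password is known
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, ['cost' => 12])) {
        $new_hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
        $stmt = mysqli_prepare($db, "UPDATE user_info SET password = ? WHERE id = ?");
        mysqli_stmt_bind_param($stmt, "si", $new_hash, $user_id);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
    return (int) $user_id;
}

// login.php, procedural like the question:
session_start();
if (isset($_POST['login-name'], $_POST['login-password'])) {
    include 'db_info.php';
    $db = mysqli_connect("localhost", $db_uusseerrss, $db_ppwwdd, $db_name);
    $user_id = login_user($db, $_POST['login-name'], $_POST['login-password']);
    if ($user_id !== null) {
        session_regenerate_id(true);      // fresh session id on login, so a pre-login id cannot be reused
        $_SESSION['user_id'] = $user_id;
        header("Location: /");            // "/" is a placeholder for your main page
        exit();
    }
    echo "Invalid username or password."; // one generic message for both failure cases
}
```

The bind type letters are the same as in the INSERT: `s` for strings, `i` for the integer id in the UPDATE. Note that the stored hash is never compared with `==`; `password_verify()` does the comparison, and the plain password is never written to the database or to the page.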

You have an XSS vulnerability in your code. If a visitor enters JavaScript code in the username field, for example, the code will be executed when his name is displayed. You have to use htmlentities('string message') to prevent any code injection in your page.

Use it like this on all your user entries:

$username = htmlentities($username);
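An added example (not the answer's code) of the same protection applied where a practitioner would normally put it: at the point where the value is written into HTML, rather than once before storing it. The names `e()`, `render_profile()` and `render_profile_unsafe()` are made up here, and the sample username and country are constructed inputs.

```php
<?php
// Added example (not the answer's code): escape at output time, in every HTML context the value lands in.
// Storing the raw value keeps it correct for other uses (e-mail, JSON, a later API) and avoids double encoding.

function e(string $s): string {
    // htmlspecialchars() is sufficient for a UTF-8 page: it turns < > & " ' into entities.
    // ENT_QUOTES also escapes single quotes, so the result is safe inside 'single-quoted' attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "" (which would silently drop data).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_profile(string $username, string $country): string {
    // Every user-controlled value passes through e() where it meets HTML,
    // whether it sits in element text or inside an attribute value.
    return '<p>Welcome, <span class="name">' . e($username) . '</span> from ' . e($country) . '</p>' . "\n"
         . '<input type="text" name="username" value="' . e($username) . '">' . "\n";
}

function render_profile_unsafe(string $username, string $country): string {
    // What the question's code does today: the raw value is concatenated into the page,
    // so a username that contains markup is parsed by the browser as markup.
    return '<p>Welcome, ' . $username . ' from ' . $country . '</p>' . "\n";
}

// Constructed sample values standing in for what a visitor typed into the signup form
$username = "<script>alert('x')</script>";
$country  = "Côte d'Ivoire";

echo render_profile_unsafe($username, $country); // the browser would execute the script element
echo render_profile($username, $country);        // the browser shows the tags as ordinary text
```

HTML escaping covers element text and quoted attribute values only; a value placed inside a `<script>` block needs `json_encode()`, and one placed into a URL needs `rawurlencode()`. `htmlentities()` would also work here, but on a UTF-8 page it additionally rewrites accented letters such as the ô above into named entities for no security gain.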
