PHP registration form
<blockquote data-quote="RastaLulz" data-source="post: 345175" data-attributes="member: 1"><p>I'm not sure why you have "value-x" in your query, since you're not binding params or anything. You need to put the actual variable there that is assigned to some data.</p>
<p>Also, as mentioned above, you should <strong>NOT</strong> be using mysql_* functions, and when you do switch to mysqli or PDO, make sure that you bind params, as opposed to putting the data directly in the query. Also, if you're not modifying the data posted, you don't really have to redefine them. You also don't have to include things like "id" in your insert query, as MySQL assigns that automatically.</p>
<p>Here's an example of a secure way of using PDO:</p>
<p>[PHP]
<?php

if (isset($_POST['submit']))
{
    if (empty($_POST['email']) || empty($_POST['pass']))
    {
        echo 'You must enter an email and password.';
    }
    else
    {
        $PDO = new PDO('mysql:host=localhost;dbname=database', 'username', 'password');

        // Named placeholder; the value is bound at execute() time, never concatenated into the SQL
        $query = $PDO->prepare('SELECT * FROM `php_users_login` WHERE `email` = :email');

        $query->execute([
            'email' => $_POST['email'],
        ]);

        if ($query->rowCount() >= 1)
        {
            echo 'Sorry, but that email is already being used.';
        }
        else
        {
            $query = $PDO->prepare('INSERT INTO `php_users_login` (`email`, `password`, `name`, `phone`, `content`, `last_login`) VALUES (:email, :password, :name, :phone, :content, :last_login)');

            $query->execute([
                'email'      => $_POST['email'],
                // Store a password hash, never the plaintext password
                'password'   => password_hash($_POST['pass'], PASSWORD_DEFAULT),
                'name'       => $_POST['name'],
                'phone'      => $_POST['phone'],
                'content'    => $_POST['content'],
                'last_login' => time(),
            ]);

            /**
             * You can also bind params like this if you want
             * to be more strict with what type of content you
             * allow, like integers, strings, etc.
             *
             * $query->bindParam('email', $_POST['email'], PDO::PARAM_STR, 50);
             * $query->bindParam('password', $_POST['pass'], PDO::PARAM_STR, 250);
             * $query->bindParam('name', $_POST['name'], PDO::PARAM_STR, 30);
             * $query->bindParam('phone', $_POST['phone'], PDO::PARAM_INT, 11);
             * $query->bindParam('content', $_POST['content'], PDO::PARAM_STR, 1000);
             * // bindParam() needs a variable (by reference); use bindValue() for an expression like time()
             * $query->bindValue('last_login', time(), PDO::PARAM_INT);
             *
             * $query->execute();
             */

            echo 'Account should have been created.';
        }
    }
}
[/PHP]</p>
<p><em>Please note that the code above is not tested.</em></p>
<p>Also, keep in mind that binding params protects you from things like SQL injections, but it does <strong>NOT</strong> protect you from things like XSS attacks. The point being, never trust the data that the user gives you, and always validate it, and when displaying it, make sure that you use a function like "<a href="http://php.net/manual/en/function.htmlentities.php" target="_blank">htmlentities()</a>".</p></blockquote><p></p>
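An added example (not the poster's code) of the same registration flow: a UNIQUE index on email replaces the SELECT-then-INSERT check (which can race between two requests), the password is hashed, input is validated before binding, and the stored name is escaped on output to show that binding alone does not stop XSS. It assumes an in-memory SQLite database and a constructed sample submission so it runs offline; the table name php_users_login and column names come from the quoted post.

```php
<?php
// Added example for this thread, not from the original post.
// SQLite in memory so it runs stand-alone; use the MySQL DSN from the post in production.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE php_users_login (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    email      TEXT NOT NULL UNIQUE,   -- the database, not a prior SELECT, enforces uniqueness
    password   TEXT NOT NULL,
    name       TEXT NOT NULL,
    last_login INTEGER NOT NULL)');

function register(PDO $pdo, array $post): string
{
    // Validate before binding: binding prevents injection, not bad data
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $pass  = $post['pass'] ?? '';
    $name  = trim($post['name'] ?? '');
    if ($email === false || strlen($pass) < 8 || $name === '' || strlen($name) > 30) {
        return 'You must enter a valid email, a password of 8+ characters and a name.';
    }
    $stmt = $pdo->prepare('INSERT INTO php_users_login (email, password, name, last_login)
                           VALUES (:email, :password, :name, :last_login)');
    try {
        $stmt->execute([
            'email'      => $email,
            'password'   => password_hash($pass, PASSWORD_DEFAULT), // never store the plaintext
            'name'       => $name,
            'last_login' => time(),
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (duplicate email) in MySQL and SQLite
        if (($e->errorInfo[0] ?? '') === '23000') {
            return 'Sorry, but that email is already being used.';
        }
        throw $e;
    }
    return 'Account created.';
}

// Constructed sample submission; the name carries markup to show why output escaping matters
$attempt = ['email' => 'alice@example.com', 'pass' => 'correct horse', 'name' => 'Alice <script>alert(1)</script>'];
echo register($pdo, $attempt), "\n"; // Account created.
echo register($pdo, $attempt), "\n"; // Sorry, but that email is already being used.

// The bound parameter stopped injection on the way in; escaping is still needed on the way out
$name = $pdo->query('SELECT name FROM php_users_login')->fetchColumn();
echo 'Welcome, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
```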