
PHP Sign Up Form - Safe and Secure? [closed]

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. Closed 11 years ago.

I just wanted to see how secure this form is, and whether there are any potential problems. I tried to add mysqli_real_escape_string to the prepared statement, but it gave me an error.

Also, if I enter a name with an apostrophe, like "Drew's Company", it puts it in the database as

Drew\'s Garage 

Is that how it should be?

Code:

<?php
if (isset($_POST['submit'])) {
    $errors = array();

    // FILTER_SANITIZE_* strips or rewrites characters; it does not reject the input
    $clean_name    = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
    $clean_address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
    $clean_zip     = filter_var($_POST['zip_code'], FILTER_SANITIZE_NUMBER_INT);
    $clean_phone   = filter_var($_POST['phone'], FILTER_SANITIZE_STRING);
    $clean_email   = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
    if ($_POST['website'] != "") {
        $clean_url = filter_var($_POST['website'], FILTER_SANITIZE_URL);
    } else {
        $clean_url = "";
    }

    $formatURL   = str_ireplace('www.', '', parse_url($clean_url, PHP_URL_HOST));
    $formatPhone = formatPhone($clean_phone);   // helper defined elsewhere

    if ($clean_name == "") {
        $errors[] = "Please enter your Business Name.";
    }
    if ($clean_address == "") {
        $errors[] = "Please enter your Business Address.";
    }
    if ($clean_zip == "") {
        $errors[] = "Please enter your Business Zip Code.";
    }
    // $clean_zip is interpolated into the query string rather than bound
    if ($result = $mysqli->query("SELECT zip_code FROM zip_codes WHERE zip_code = '$clean_zip'")) {
        $row_cnt = $result->num_rows;
        if (!$row_cnt) {
            $errors[] = "Please enter a valid zip code.";
        }
    }
    if ($clean_phone == "") {
        $errors[] = "Please enter your Business Phone Number.";
    }
    // $clean_email is interpolated into the query string rather than bound
    // (FILTER_SANITIZE_EMAIL keeps the apostrophe, which is legal in e-mail addresses)
    if ($check_email = $mysqli->query("SELECT email FROM companies WHERE email = '$clean_email'")) {
        $email_count = $check_email->num_rows;
        if ($email_count) {
            $errors[] = "There is already an account associated with that e-mail address.";
        }
    }
    if (!checkEmail($clean_email)) {   // helper defined elsewhere
        $errors[] = "Please enter a valid e-mail address.";
    }
    if ((strlen($_POST['password']) < 8) || (strlen($_POST['password']) > 16)) {
        $errors[] = "Your password must be between 8 and 16 characters.";
    }
    if ($_POST['password'] != $_POST['password2']) {
        $errors[] = "Passwords do not match.  Please enter the same password.";
    }

    if (count($errors) == 0) {
        /* Create the prepared statement */
        if ($stmt = $mysqli->prepare("INSERT INTO companies (company, address, zip_code, phone, url, password, email, date_created, role, status) values (?, ?, ?, ?, ?, ?, ?, NOW(), 's', '1')")) {

            $hashed_pass = PassHash::hash($_POST['password']);

            /* Bind our params */
            $stmt->bind_param('ssissss', $clean_name, $clean_address, $clean_zip, $formatPhone, $formatURL, $hashed_pass, $clean_email);

            /* Execute the prepared statement and report success only if it ran */
            if ($stmt->execute()) {
                echo "<div class='success'>Thank You!  You are now registered.</div>";
            } else {
                echo $stmt->error;
            }
        }
    }
}

if (!empty($errors)) {
    $error_display = implode('<br />', $errors);
    echo "<div class='error'><strong>Error:</strong> $error_display</div>";
}
?>


The problem might be caused by magic_quotes_gpc: check your php.ini file and, if this flag is on, turn it off.

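The following is an added example, not code from the question or the answer above. It is the hardened counterpart to the posted form: the two lookups that interpolated `$clean_zip` and `$clean_email` into SQL become bound statements, the INSERT stays bound with no `mysqli_real_escape_string()` call (the error the asker hit comes from mixing escaping with binding, and binding alone is what is wanted), the backslash-adding effect of `magic_quotes_gpc` described in the answer is reversed at the point the input is read, and the stored name is read back to show the apostrophe survives intact. It assumes a MySQL database reachable with the made-up credentials shown, holding the page's `zip_codes` and `companies` tables with a UNIQUE index on `companies.email`; `password_hash()` stands in for the page's undefined `PassHash::hash()`, and `FILTER_VALIDATE_EMAIL` replaces the page's `FILTER_SANITIZE_EMAIL` so bad input is rejected rather than rewritten.

```php
<?php
// Added example, not the asker's code. Assumes a MySQL database reachable with the
// made-up credentials below that holds the page's zip_codes and companies tables,
// with a UNIQUE index on companies.email. password_hash() stands in for PassHash::hash().

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli failures throw instead of passing silently

// Reverse magic_quotes_gpc where the setting exists and is on (PHP < 5.4), so the
// value is handled as typed. function_exists() keeps this safe on PHP 8, where the
// function no longer exists.
function undoMagicQuotes($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// "SELECT COUNT(*) ... WHERE col = ?" with the value bound, not interpolated, so an
// apostrophe (or anything else) in the input cannot alter the query text.
function rowExists(mysqli $db, $sql, $type, $value)
{
    $stmt = $db->prepare($sql);
    $stmt->bind_param($type, $value);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return $count > 0;
}

// Insert with every value bound; no mysqli_real_escape_string() is needed because
// bound values travel separately from the SQL text, so "Drew's Garage" is stored
// verbatim. Returns false if another request took the same e-mail between the
// uniqueness check and this INSERT: the UNIQUE index reports that as MySQL error
// 1062, closing a race the SELECT-then-INSERT check alone leaves open.
function registerCompany(mysqli $db, array $c)
{
    $sql = 'INSERT INTO companies (company, address, zip_code, phone, url, password, email, date_created, role, status)'
         . " VALUES (?, ?, ?, ?, ?, ?, ?, NOW(), 's', '1')";
    $hash = password_hash($c['password'], PASSWORD_DEFAULT);
    $stmt = $db->prepare($sql);
    $stmt->bind_param('ssissss', $c['company'], $c['address'], $c['zip'], $c['phone'], $c['url'], $hash, $c['email']);
    try {
        $stmt->execute();
        $saved = true;
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() != 1062) {
            throw $e;
        }
        $saved = false;
    }
    $stmt->close();
    return $saved;
}

// Read the stored company name back, again with the e-mail bound.
function storedCompanyName(mysqli $db, $email)
{
    $stmt = $db->prepare('SELECT company FROM companies WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($company);
    $name = $stmt->fetch() ? $company : null;
    $stmt->close();
    return $name;
}

// Constructed sample submission standing in for $_POST.
$post = array('name' => "Drew's Garage", 'address' => '1 Main St', 'zip_code' => '90210',
              'phone' => '555-0100', 'website' => 'example.com', 'email' => 'drew@example.com',
              'password' => 'correct horse battery staple');
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // assumed credentials

$errors = array();
$email = undoMagicQuotes($post['email']);
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'Please enter a valid e-mail address.'; // reject bad input rather than silently rewriting it
} elseif (rowExists($db, 'SELECT COUNT(*) FROM companies WHERE email = ?', 's', $email)) {
    $errors[] = 'There is already an account associated with that e-mail address.';
}
// zip_code bound as an integer, matching the 'i' the page's INSERT uses for it
if (!rowExists($db, 'SELECT COUNT(*) FROM zip_codes WHERE zip_code = ?', 'i', (int) $post['zip_code'])) {
    $errors[] = 'Please enter a valid zip code.';
}

if ($errors) {
    echo implode("\n", $errors), "\n";
} elseif (registerCompany($db, array(
        'company' => undoMagicQuotes($post['name']), 'address' => undoMagicQuotes($post['address']),
        'zip' => (int) $post['zip_code'], 'phone' => undoMagicQuotes($post['phone']),
        'url' => undoMagicQuotes($post['website']), 'password' => $post['password'], 'email' => $email))) {
    echo 'Stored company name: ', storedCompanyName($db, $email), "\n";
} else {
    echo "There is already an account associated with that e-mail address.\n";
}
```

Two caveats on the design. `magic_quotes_gpc` adds a backslash before quotes in GET, POST and COOKIE data before the script sees it; combined with a bound parameter, which needs no escaping, that backslash is written to the table as-is, which is exactly the `Drew\'s Garage` effect. The directive was removed in PHP 5.4, so on any later version the `undoMagicQuotes()` branch never fires and the read-back prints the name with a plain apostrophe regardless. Separately, a SELECT-then-INSERT uniqueness check is a time-of-check/time-of-use race under concurrent sign-ups; the UNIQUE index plus the error-1062 handling is what actually enforces one account per e-mail, and the pre-check only exists to give a friendlier message in the common case.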
