<?php
if(isset($_POST["Xon"])){
    //the user submitted the form, start validation
    $errors = array();
    if(empty($_POST["username"])){
        $errors[] = "You have not completed the <b>username</b> field";
    }
    if(empty($_POST["password"])){
        $errors[] = "You have not completed the <b>password</b> field";
    }
    //if there were errors show the form and pass the errors back to the function
    if(count($errors) > 0){
        showtheform($errors);
    }
    else{
        //validation OK, enter data into db now
        echo "data entered into DB";
    }
}
else{
    //the user either did not submit the form or the script was called directly
    showtheform();
}
?>
<?php
//$errors defaults to an empty array so the function can also be called with no arguments
function showtheform($errors = array()){
?>
<html>
<head>
<title>Registration - register.php</title>
</head>
<body>
<?php
if(count($errors) > 0){
    echo "Please correct the following mistakes:<ul>";
    for($i=0;$i < count($errors);$i++){
        echo "<li>".$errors[$i]."</li>";
    }
    echo "</ul>";
}
?>
<form method="post" action="register.php">
<TABLE>
<TR>
<TD><b>Username: </b></TD>
<TD><input type="text" size="20" name="username" value="<?= isset($_POST["username"]) ? $_POST["username"] : "" ?>"></TD>
</TR>
<TR>
<TD><b>Password: </b></TD>
<TD><input type="password" size="20" name="password"></TD>
</TR>
<TR>
<TD colspan="2"><input type="submit" name="Xon"></TD>
</TR>
</TABLE>
</form>
</body>
</html>
<?php
}
?>
Well, it looks like you're only checking to see if someone filled in anything in the form. What if they put a bunch of HTML code in there? What if they put a bunch of numbers in their name field?
What if they put in exec code that can go right into your database? The question should be what exactly you're doing with the form.
Just how secure do you need it to be? You can get pretty crazy on form validation, such as:
did the user submit the username field?
is this name field all letters?
does this name field contain any apostrophes that might corrupt my database table?
does this name field contain HTML code that will mess up my display when I show them their name?
JPlush76 raises all the good points. XSS (cross-site scripting) and SQL injection are the two main things to watch out for from a security standpoint. Hence you should almost always be using addslashes and/or htmlspecialchars at some point. Your PHP settings may be doing the first one for you. But the second is important before displaying any user-submitted data that wasn't "cleansed" via a regexp (or un-tainted, to use a Perl-ism).
A more esoteric thing to keep in mind:
Did the form come from your server, or was the form modified, published remotely, and submitted back to you? You either need to test for this method of attack or not trust results from checkboxes, radio boxes, select boxes, etc.
<?php
if(isset($_POST["Xon"])){
    //the user submitted the form, start validation
    $errors = array();
    if(empty($_POST["username"])){
        $errors[] = "You have not completed the <b>username</b> field";
    }
    if(empty($_POST["password"])){
        $errors[] = "You have not completed the <b>password</b> field";
    }
    //if there were errors show the form and pass the errors back to the function
    if(count($errors) > 0){
        showtheform($errors);
    }
    else{
        //stripslashes undoes magic_quotes escaping, htmlspecialchars makes the value safe to display
        $F_username = htmlspecialchars(stripslashes($_POST["username"]));
        //validation OK, enter data into db now
        echo "data entered into DB<p>values after formatting are:<p>username: ".$F_username."<p>password: ".htmlspecialchars($_POST["password"]);
    }
}
else{
    //the user either did not submit the form or the script was called directly
    showtheform();
}
?>
<?php
//$errors defaults to an empty array so the function can also be called with no arguments
function showtheform($errors = array()){
?>
<html>
<head>
<title>Registration - register.php</title>
</head>
<body>
<?php
if(count($errors) > 0){
    echo "Please correct the following mistakes:<ul>";
    for($i=0;$i < count($errors);$i++){
        echo "<li>".$errors[$i]."</li>";
    }
    echo "</ul>";
}
?>
<form method="post" action="register.php">
<TABLE>
<TR>
<TD><b>Username: </b></TD>
<!-- the re-displayed value is escaped too, otherwise HTML in the username ends up back in the page -->
<TD><input type="text" size="20" name="username" value="<?= isset($_POST["username"]) ? htmlspecialchars($_POST["username"], ENT_QUOTES) : "" ?>"></TD>
</TR>
<TR>
<TD><b>Password: </b></TD>
<TD><input type="password" size="20" name="password"></TD>
</TR>
<TR>
<TD colspan="2"><input type="submit" name="Xon"></TD>
</TR>
</TABLE>
</form>
</body>
</html>
<?php
}
?>
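Putting the replies' advice together (allowlist the username, use prepared statements instead of addslashes, escape on output, and don't trust select/radio values that may come from a modified copy of the form), here is an added example; it is not code from the thread, and it assumes a PDO connection in `$pdo` and a hypothetical `users` table with columns `username`, `password_hash` and `role`.

```php
<?php
// Added example, not from the thread. Assumes $pdo (a PDO connection) and a
// hypothetical `users` table with columns username, password_hash, role.

function validate_registration(array $post, array $allowed_roles) {
    $errors = array();
    // Presence checks as in the original code, without undefined-index notices.
    $username = isset($post["username"]) ? trim($post["username"]) : "";
    $password = isset($post["password"]) ? $post["password"] : "";
    $role     = isset($post["role"]) ? $post["role"] : "";

    // Allowlist the username (letters, digits, underscore, 3-20 chars). This rejects
    // HTML, apostrophes and anything else the replies warn about, instead of trying
    // to escape bad characters on the way in.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = "Username must be 3-20 letters, digits or underscores";
    }
    if (strlen($password) < 8) {
        $errors[] = "Password must be at least 8 characters";
    }
    // A select/radio/checkbox value can be altered in a copied form and submitted
    // back, so compare it against the server-side list rather than trusting it.
    if (!in_array($role, $allowed_roles, true)) {
        $errors[] = "Invalid role";
    }
    return array($errors, $username, $password, $role);
}

function store_user(PDO $pdo, $username, $password, $role) {
    // Prepared statement: the data travels separately from the SQL text, so a
    // quote in the username cannot change the query. No addslashes() needed.
    $stmt = $pdo->prepare(
        "INSERT INTO users (username, password_hash, role) VALUES (:u, :p, :r)"
    );
    $stmt->execute(array(
        ":u" => $username,
        ":p" => password_hash($password, PASSWORD_DEFAULT), // never store the plain password
        ":r" => $role,
    ));
}

// Output side: ENT_QUOTES makes the result safe inside a quoted attribute such as
// the username field's value attribute, as well as in ordinary page text.
function h($value) {
    return htmlspecialchars($value, ENT_QUOTES, "UTF-8");
}

list($errors, $username, $password, $role) = validate_registration($_POST, array("user", "editor"));
if (count($errors) === 0) {
    store_user($pdo, $username, $password, $role);
}
```

When re-displaying the form, print `h($username)` in the value attribute and `h($errors[$i])` in the error list, so escaping happens once, at output time.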