I am just wondering what other people do to handle the username and password after it's sent to the process page after a user signs up?
For example, do you do:
$name = $_POST['name'] or do you just leave it as $_POST['name']?
And do you do stuff like
trim($name);
Signup Form
- tecktalkcm0391
- DevNet Resident
- Posts: 1030
- Joined: Fri May 26, 2006 9:25 am
- Location: Florida
Never leave any data from your users as $_POST['data'].
As for the password, at least "md5" it and then escape it with mysql_real_escape_string() (of course after filtering it).
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
I tend to use preg_replace() for everything from the request. If it is an int I might just cast to (int).
So something like:
$name = preg_replace('/[^a-zA-Z0-9\@\.\_\-]/', '', $_POST['name']);
That replaces everything that is NOT in the set of characters specified with '', which removes unwanted characters. I like it because it clearly documents what characters you are allowing. Trying to do the reverse by eliminating what you don't want always seems to miss something in my experience. Better to force yourself to open the door wider.
Then you need to validate the value to see if it meets any other criteria, such as length, etc.
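As an added example (not code from the thread), here is a process-page sketch that applies Christopher's whitelist filter and length check to the username, stores the password with password_hash() in place of the md5() mentioned above, and binds the values through PDO rather than escaping them by hand. The field names, length limits and the in-memory SQLite table are assumptions for the illustration.

```php
<?php
// Added example, not code from the thread. Field names and limits are assumed.
declare(strict_types=1);

const NAME_MIN = 3;
const NAME_MAX = 32;
const PASS_MIN = 8;

// Whitelist filter from Christopher's post: everything outside the class is
// dropped, so the pattern documents exactly which characters are allowed.
// Length is checked afterwards, on the cleaned value. Returns null on failure.
function cleanUsername(string $raw): ?string
{
    $name = preg_replace('/[^a-zA-Z0-9\@\.\_\-]/', '', trim($raw));
    if ($name === null) {               // preg_replace() returns null on a PCRE error
        return null;
    }
    $len = strlen($name);
    return ($len >= NAME_MIN && $len <= NAME_MAX) ? $name : null;
}

// The password is length-checked but not character-filtered (stripping
// characters would silently change what the user typed). It is stored as a
// password_hash() digest, swapped in here for the md5() mentioned above.
function hashPassword(string $raw): ?string
{
    if (strlen($raw) < PASS_MIN) {
        return null;
    }
    return password_hash($raw, PASSWORD_DEFAULT);
}

// Constructed sample request standing in for $_POST on the process page.
$post = ['name' => " ali<ce>@example.com\n", 'password' => 'correct horse battery'];

$name = cleanUsername($post['name'] ?? '');
$hash = hashPassword($post['password'] ?? '');
if ($name === null || $hash === null) {
    exit("Invalid signup data\n");
}

// Insert with bound parameters instead of escaping by hand (SQLite here so
// the script runs stand-alone; the same PDO calls work against MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT UNIQUE, pass_hash TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name, pass_hash) VALUES (:name, :hash)');
$stmt->execute([':name' => $name, ':hash' => $hash]);

// Later logins compare against the stored digest with password_verify().
var_dump(password_verify($post['password'], $hash));
```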