Page 1 of 1
Signup Form
Posted: Wed Jul 12, 2006 11:26 am
by tecktalkcm0391
I am just wondering what other people do to handle the username and password after its sent to the process page after a user signes up?
For example do you do:
$name = $_POST['name'] or do you just leave it as $_POST['name']
and do you do stuff like
trim($name);
Posted: Wed Jul 12, 2006 11:31 am
by Oren
Never leave any data from your users as
$_POST['data'].
As for the password, at least "md5" it and then escape it with
mysql_real_escape_string() (of course after filtering it).
Posted: Wed Jul 12, 2006 11:31 am
by RobertGonzalez
First step for me is reading the post/get/cookie/session array var names into a regular var. Then do with that var what needs to be done.
Posted: Wed Jul 12, 2006 11:41 am
by Christopher
I tend to use preg_replace() for everything from the request. If it is an int I might just cast to (int).
So something like:
Code: Select all
$name = preg_replace('/[^a-zA-Z0-9\@\.\_\-]/', '', $_POST['name']);
That replaces everything that is NOT in the set of characters specified with '' which removes unwanted characters. I like it because it clearly documents what characters you are allowing. Trying to do the reverse by elminiating what you don't want always seems to miss something in my experience. Better to force you self to open the door wider.
Then you need to validate the value to see if it meets any other criteria, such as length, etc.