utf8 secure registration form help

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


st3fanos
Forum Newbie
Posts: 12
Joined: Tue Apr 13, 2010 1:30 am

utf8 secure registration form help

Post by st3fanos »

Hi

I thought I would dive straight into learning PHP by creating a registration form that is secure. I have come to the conclusion that it's confusing and I could do with some help and advice.

1) Is this code OK to use in the form, or is it vulnerable?

Code:

<input name="UserName" type="text" size="12" value="<?php if(isset($_POST['UserName'])){ echo $_POST['UserName']; } ?>">
2) Never trust users! - So when the form is submitted I follow this process:

Code:

        // trim input data
        foreach ($_POST as $key => $value) { $_POST[$key] = trim($value); }

        // strip tags
        foreach ($_POST as $key => $value) { $_POST[$key] = strip_tags($value); }

        // encode data with htmlentities
        foreach ($_POST as $key => $value) { $_POST[$key] = htmlentities($value, ENT_QUOTES, "UTF-8"); }

        // correct case; strtolower()/ucwords() work on bytes, so the UTF-8 name fields use the mb_* title-case conversion instead
        $_POST["UserName"] = strtolower($_POST["UserName"]);
        $_POST["FirstName"] = mb_convert_case($_POST["FirstName"], MB_CASE_TITLE, "UTF-8");
        $_POST["LastName"] = mb_convert_case($_POST["LastName"], MB_CASE_TITLE, "UTF-8");
        $_POST["Email"] = strtolower($_POST["Email"]);

        // test FirstName: NO number, between 3 and 30 chars, encoded for other languages, first letter capitalised, others lower
        // THIS IS UTF-8
        if (!filter_has_var(INPUT_POST, 'FirstName')) { $msg = "Please fill ALL the fields in the Registration Form - FirstName"; }
        if (mb_strlen($_POST["FirstName"], "UTF-8") > 30 || mb_strlen($_POST["FirstName"], "UTF-8") < 3) { $msg = "Oops.. It looks like your First name is too long for our system."; }
        // deny-list of characters: the hyphen is escaped so ">-_" is not read as a byte range (which would cover A-Z),
        // and the /u modifier makes the class match UTF-8 characters rather than single bytes
        if (filter_var($_POST["FirstName"], FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => '/[0-9<>\-_`¬@!£$%^]/u')))) { $msg = "Your FirstName must only use letters; UTF-8 is fine."; }
        // This is to encode HTML... NOT NEEDED
        // $_POST["FirstName"] = filter_input(INPUT_POST, "FirstName", FILTER_SANITIZE_SPECIAL_CHARS);
3) I am also worried about multibyte vulnerabilities, so I was going to run the UTF-8 fields through the following:

Code:

$convert = array();
setlocale(LC_CTYPE, 'en_US.UTF-8');
foreach( $strings as $string )
        $convert[] = iconv('UTF-8', 'UTF-8//IGNORE', $string);

/*
In the algorithm below the first preg_replace() only allows well formed Unicode
(and rejects overly long 2 byte sequences, as well as characters above U+10000).
http://webcollab.sourceforge.net/unicode.html
U-00000000 – U-0000007F:        0xxxxxxx
U-00000080 – U-000007FF:        110xxxxx 10xxxxxx
U-00000800 – U-0000FFFF:        1110xxxx 10xxxxxx 10xxxxxx
U-00010000 – U-001FFFFF:        11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
U-00200000 – U-03FFFFFF:        111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
U-04000000 – U-7FFFFFFF:        1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
*/

$strings = preg_replace('/[\x00-\x08\x10\x0B\x0C\x0E-\x19\x7F]'.
                                                '|[\x00-\x7F][\x80-\xBF]+'.
                                                '|([\xC0\xC1]|[\xF0-\xFF])[\x80-\xBF]*'.
                                                '|[\xC2-\xDF]((?![\x80-\xBF])|[\x80-\xBF]{2,})'.
                                                '|[\xE0-\xEF](([\x80-\xBF](?![\x80-\xBF]))|(?![\x80-\xBF]{2})|[\x80-\xBF]{3,})/S',
                                                '?', $strings );

//The second preg_replace() removes overly long 3 byte sequences and UTF-16 surrogates.
$strings = preg_replace('/\xE0[\x80-\x9F][\x80-\xBF]'.
                                                '|\xED[\xA0-\xBF][\x80-\xBF]/S',
                                                '?', $strings );
4) As a last thing I was going to run the data through mysql_real_escape_string(trim($variable)); before entering the data into my DB using a prepared statement.

Or am I going over the top and doing things that don't need to be done for user data validation? My form also uses a form_token and captcha, and will validate the MX record of the email domain supplied.

Kind Regards
Stephen
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: utf8 secure registration form help

Post by timWebUK »

You may find this thread helpful:

viewtopic.php?t=95337

Just ensure that the escaping is the final thing you do before it enters the database. And remember, validate OUTPUT as well as input. Someone may compromise your database somewhere along the line and input data that bypasses your checks, so you must validate your output too. Encoding, etc.

Good luck. You should find that thread useful.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: utf8 secure registration form help

Post by kaisellgren »

st3fanos wrote:1) Is this code OK to use in the form, or is it vulnerable?

Code:

<input name="UserName" type="text" size="12" value="<?php if(isset($_POST['UserName'])){ echo $_POST['UserName']; } ?>">
No. That code is vulnerable to cross-site scripting attacks.
st3fanos wrote:2) Never trust users! - So when the form is submitted I follow this process:

Code:

        // trim input data
        foreach ($_POST as $key => $value) { $_POST[$key] = trim($value); }

        // strip tags
        foreach ($_POST as $key => $value) { $_POST[$key] = strip_tags($value); }

        // encode data with htmlentities
        foreach ($_POST as $key => $value) { $_POST[$key] = htmlentities($value, ENT_QUOTES, "UTF-8"); }

        // correct case; strtolower()/ucwords() work on bytes, so the UTF-8 name fields use the mb_* title-case conversion instead
        $_POST["UserName"] = strtolower($_POST["UserName"]);
        $_POST["FirstName"] = mb_convert_case($_POST["FirstName"], MB_CASE_TITLE, "UTF-8");
        $_POST["LastName"] = mb_convert_case($_POST["LastName"], MB_CASE_TITLE, "UTF-8");
        $_POST["Email"] = strtolower($_POST["Email"]);

        // test FirstName: NO number, between 3 and 30 chars, encoded for other languages, first letter capitalised, others lower
        // THIS IS UTF-8
        if (!filter_has_var(INPUT_POST, 'FirstName')) { $msg = "Please fill ALL the fields in the Registration Form - FirstName"; }
        if (mb_strlen($_POST["FirstName"], "UTF-8") > 30 || mb_strlen($_POST["FirstName"], "UTF-8") < 3) { $msg = "Oops.. It looks like your First name is too long for our system."; }
        // deny-list of characters: the hyphen is escaped so ">-_" is not read as a byte range (which would cover A-Z),
        // and the /u modifier makes the class match UTF-8 characters rather than single bytes
        if (filter_var($_POST["FirstName"], FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => '/[0-9<>\-_`¬@!£$%^]/u')))) { $msg = "Your FirstName must only use letters; UTF-8 is fine."; }
        // This is to encode HTML... NOT NEEDED
        // $_POST["FirstName"] = filter_input(INPUT_POST, "FirstName", FILTER_SANITIZE_SPECIAL_CHARS);
That's a bit hyperbolic. The thing is that you should not process data before you actually use it. It makes no sense to pre-process data with trim()'s, htmlentities()'s, etc. before you even know what you are going to do with the data. For example, say you have an email string from the user: you might output it back to the user, send a mail to it and save it to a database. That's three different events which all require different actions. For emailing, you need validation. For the save process, you need to escape. Outputting, on the other hand, requires you to encode it.
st3fanos wrote:3) I am also worried about multibyte vulnerabilities, so I was going to run the UTF-8 fields through the following:

Code:

$convert = array();
setlocale(LC_CTYPE, 'en_US.UTF-8');
foreach( $strings as $string )
        $convert[] = iconv('UTF-8', 'UTF-8//IGNORE', $string);

/*
In the algorithm below the first preg_replace() only allows well formed Unicode
(and rejects overly long 2 byte sequences, as well as characters above U+10000).
http://webcollab.sourceforge.net/unicode.html
U-00000000 – U-0000007F:        0xxxxxxx
U-00000080 – U-000007FF:        110xxxxx 10xxxxxx
U-00000800 – U-0000FFFF:        1110xxxx 10xxxxxx 10xxxxxx
U-00010000 – U-001FFFFF:        11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
U-00200000 – U-03FFFFFF:        111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
U-04000000 – U-7FFFFFFF:        1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
*/

$strings = preg_replace('/[\x00-\x08\x10\x0B\x0C\x0E-\x19\x7F]'.
                                                '|[\x00-\x7F][\x80-\xBF]+'.
                                                '|([\xC0\xC1]|[\xF0-\xFF])[\x80-\xBF]*'.
                                                '|[\xC2-\xDF]((?![\x80-\xBF])|[\x80-\xBF]{2,})'.
                                                '|[\xE0-\xEF](([\x80-\xBF](?![\x80-\xBF]))|(?![\x80-\xBF]{2})|[\x80-\xBF]{3,})/S',
                                                '?', $strings );

//The second preg_replace() removes overly long 3 byte sequences and UTF-16 surrogates.
$strings = preg_replace('/\xE0[\x80-\x9F][\x80-\xBF]'.
                                                '|\xED[\xA0-\xBF][\x80-\xBF]/S',
                                                '?', $strings );
That might fix some content submitted by the user, but it's not really useful in terms of security.
st3fanos wrote:4) As a last thing I was going to run the data through mysql_real_escape_string(trim($variable)); before entering the data into my DB using a prepared statement.
Prepared statements by nature send the data apart from the query. You do not need to escape when you use prepared statements. Just be careful that you do not insert user input into the query itself without sanitizing or validating it first.
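The point made in this reply, that one raw value gets a different treatment at each place it is used, as an added example that is not code from the thread. It keeps the submitted value untouched and applies HTML encoding only at output time, validation only for the mail use, and a bound parameter for storage. The `$input` array is a constructed stand-in for `$_POST`, and SQLite in memory stands in for the MySQL database the thread talks about (both are assumptions of this demo); the function names are mine.

```php
<?php
// Added example: apply the right transformation at the point of use instead of
// "cleaning" everything up front. Constructed input standing in for $_POST; the
// <script> payload is the classic XSS probe, kept raw on purpose.
$input = [
    'UserName' => '<script>alert(1)</script>',
    'Email'    => 'o.neal@example.com',
];

// 1. Output context: HTML-encode at the moment of echoing, not earlier.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable form from the original question (value reflected verbatim):
//   <input value="<?php echo $_POST['UserName']; ?>">
// Hardened form: the same field, encoded for the HTML attribute context.
function usernameField(string $raw): string
{
    return '<input name="UserName" type="text" size="12" value="' . html($raw) . '">';
}

// 2. Mail context: validate, because the address is handed to the mailer as-is.
function emailLooksValid(string $raw): bool
{
    return filter_var($raw, FILTER_VALIDATE_EMAIL) !== false;
}

// 3. Storage context: a prepared statement carries the value as a bound
// parameter, so no mysql_real_escape_string() call is needed or wanted.
// SQLite in memory is an assumption of this demo, standing in for MySQL.
function storeAndReadBack(array $row): string
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)');

    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    $stmt->execute([':u' => $row['UserName'], ':e' => $row['Email']]);

    // The raw value survives storage unchanged, which is exactly why encoding
    // belongs at output time and nowhere else.
    return (string) $pdo->query('SELECT username FROM users')->fetchColumn();
}

echo usernameField($input['UserName']), "\n";
echo emailLooksValid($input['Email']) ? "email valid\n" : "email invalid\n";
echo storeAndReadBack($input) === $input['UserName'] ? "stored verbatim\n" : "stored altered\n";
```

Run it from the CLI with `php example.php` (pdo_sqlite must be enabled, which it is in a default build). The same raw string is rendered harmlessly in the form, never touched by the email validator, and stored exactly as typed; only the consumer that needs a transformation applies it.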
st3fanos
Forum Newbie
Posts: 12
Joined: Tue Apr 13, 2010 1:30 am

Re: utf8 secure registration form help

Post by st3fanos »

Hi kaisellgren,

<input name="UserName" type="text" size="12" value="<?php if(isset($_POST['UserName'])){ echo $_POST['UserName']; } ?>">
Hmm, I thought it was vulnerable to XSS but I was not sure why. Thanks for the link, I think I understand it now.

kaisellgren wrote:For example, say you have an email string from the user, you might output it back to the user, send a mail to it and save it to a database. That's three different events which all require different actions. For emailing, you need validation. For the save process, you need to escape. Outputting, on the other hand, requires you to encode it.
This is what I never found. I was looking for information on the net, and in the end I assumed that one must clean all the data and, once cleaned, process the information. *** Very useful info. :)

As for the UTF-8 validation:
kaisellgren wrote:That might fix some content submitted by the user, but it's not really useful in terms of security.
I saw the following:
Overly long UTF-8 sequences and UTF-16 surrogates are a serious security threat. Validation of input data is very important.
from
http://webcollab.sourceforge.net/unicode.html

timWebUK, I am still going through the topic.. it's quite long..

Thanks
Stephen
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: utf8 secure registration form help

Post by kaisellgren »

About the Unicode issues. It is a very good idea to send the following headers:

Code:

header( 'Content-Type: text/html; charset=UTF-8' );
and then use UTF-8 as the option in each filter you use (such as htmlspecialchars()).

However, overlong UTF-8 based attacks will only bite if you do something stupid like:

Code:

<?php
// deliberately insecure: the escaping runs before utf8_decode(), so it never sees the decoded bytes
$name = utf8_decode(mysql_real_escape_string($_GET['name'], $c));
mysql_query("SELECT * FROM table WHERE name='$name';");
?>
but this, in my opinion, is not a valid point because escaping should be the last thing you do. The reason why the above is insecure is that the escaping does not understand/escape overlong UTF-8 sequences, but utf8_decode() does. And with UTF-16 surrogates you are in trouble if you convert from UTF-8 to UTF-16 or vice-versa after filtering.

From the site:
The characters are limited to those below U+10000 (largest possible 3 byte character), because this is the limitation in MySQL and PostgreSQL
That's true, MySQL < 6 is limited to Basic Multilingual Plane, but again, nothing to do with security. And in MySQL 6, 4-byte characters are supported.

I'm not telling you whether you should or should not try to fix user supplied content. I think it's a good idea to fix invalid Unicode sequences.
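As an added example (not kaisellgren's code) of the two points in this reply, declaring UTF-8 and fixing invalid sequences at the boundary: the functions below reject malformed UTF-8 once, up front, so that any later conversion (utf8_decode(), a transcode to UTF-16) never sees an overlong form or a surrogate code point. The byte strings in `$vectors` are constructed test cases; `mb_check_encoding()` and PCRE's `/u` modifier both implement the strict UTF-8 definition, and the helper names are mine.

```php
<?php
// Added example: validate the encoding at the input boundary, before anything
// transcodes the value. Constructed byte strings below are the test vectors.

header('Content-Type: text/html; charset=UTF-8'); // as recommended above; a no-op on the CLI

// Strict UTF-8 check via mbstring: overlong sequences, surrogates (U+D800..DFFF)
// and truncated sequences are all reported as invalid.
function isWellFormedUtf8(string $bytes): bool
{
    return mb_check_encoding($bytes, 'UTF-8');
}

// Same check via PCRE: with /u, preg_match() returns false on malformed input.
function isWellFormedUtf8Pcre(string $bytes): bool
{
    return preg_match('//u', $bytes) === 1;
}

// For a field that must end up ASCII (the thread's Email field): check the
// encoding first, and only then transcode. iconv() without //IGNORE returns
// false when a character cannot be represented, which we treat as a rejection.
function asciiOnlyField(string $bytes): ?string
{
    if (!isWellFormedUtf8($bytes)) {
        return null;                      // malformed: reject, do not "fix" by decoding
    }
    $ascii = @iconv('UTF-8', 'ASCII', $bytes);
    return $ascii === false ? null : $ascii;
}

// Constructed vectors; the label says what each byte string is.
$vectors = [
    'plain ascii'           => "O'Neal",
    'valid 2-byte (é)'      => "\xC3\xA9",
    'valid 3-byte (€)'      => "\xE2\x82\xAC",
    'overlong apostrophe'   => "\xC0\xA7",      // 2-byte form of U+0027, forbidden
    'overlong 3-byte slash' => "\xE0\x80\xAF",  // 3-byte form of U+002F, forbidden
    'UTF-16 surrogate'      => "\xED\xA0\x80",  // U+D800, illegal in UTF-8
    'truncated sequence'    => "\xE2\x82",
];

// Both checkers must agree before a vector counts as well formed.
function classify(array $vectors): array
{
    $result = [];
    foreach ($vectors as $label => $bytes) {
        $result[$label] = isWellFormedUtf8($bytes) && isWellFormedUtf8Pcre($bytes);
    }
    return $result;
}

foreach (classify($vectors) as $label => $ok) {
    printf("%-24s %s\n", $label, $ok ? 'accepted' : 'rejected');
}

printf("email as ascii: %s\n", asciiOnlyField('o.neal@example.com') ?? 'rejected');
printf("email with é:   %s\n", asciiOnlyField("\xC3\xA9@example.com") ?? 'rejected');
```

The ordering is the whole point: in the insecure snippet above, escaping ran first and `utf8_decode()` second, so the decoder produced bytes the escaper had never seen. Validating the encoding before any conversion, and passing the value on as a bound parameter rather than escaping it, removes that window.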
st3fanos
Forum Newbie
Posts: 12
Joined: Tue Apr 13, 2010 1:30 am

Re: utf8 secure registration form help

Post by st3fanos »

Hi,

I have gone through all my code again and I think I must be close; I cannot think of much more I can do.

I have taken on board the point about processing data only when it is required, as pointed out to me by kaisellgren. Thanks :)

I hence would like to post my code:
a) so that it can be ripped apart and improved,
b) so anyone can use it who would like to, and
c) so I can find out what my mistakes are.

I would appreciate it if someone could go through it and tell me my mistakes and also if there are any improvements I could make.
General comments, anything constructive.

I have included a zip of all my code. If you use it you will need to update the db.inc file and insert into the DB the data from title.sql used for the dropdown menu. I am on XAMPP on Windows XP.

Kind Regards
Stephen

page_header.php

Code:

<?php
	// Tell PHP to work in UTF-8 mode
	mb_internal_encoding( 'UTF-8' );
	// Inform browser we are sending data in UTF-8
	header('Content-Type: text/html; charset=UTF-8');
	// We are submitting a form so not Cache please
	header("Cache-control: private"); 
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
index.php

Code:

<?php
	if (!session_id()) { session_start(); }

	// The following 7 PHP statements are not needed for this example but will be required when we insert the UTF-8 into a MySQL DB
	// Start by including
	include("db.inc");
	include("error.inc");

	// make a UTF-8 connection to the database (not using prepared statements)
	if (!($connection = mysql_connect($hostName, $username, $password))) die("Could not connect to database");
	if (!mysql_query("SET NAMES 'utf8';", $connection)) { echo "SET NAMES ERROR"; }
	if (!mysql_set_charset('utf8', $connection)) { echo "SET CHARACTER ERROR"; }
	if (!mysql_select_db($databaseName, $connection)) { showerror(); }
	if ($connection) { mysql_close($connection); }

?>
<?php include "page_header.php" ?>
<?php
	include("forms.inc");
	// only validate when the form was actually submitted; $msg stays NULL otherwise
	$msg = isset($_POST['submit']) ? validate_registration_form() : NULL;
	if ($msg != 1) {
		display_registration_form($msg);
	} else {
		echo "You submitted the following data, please confirm it is OK<br>";
		foreach ($_POST as $key => $value) {
			echo encode_output_registration_form($key) . "=" . encode_output_registration_form($value) . "<br>";
		}
	}
?>
<?php
	include("dumps.inc");
	include "page_footer.php";
?>
form.inc

Code:

<?php function display_registration_form($msg=NULL) {
		include("dropdown.inc");
?>
		<style type="text/css">
			body { font: 14px Georgia, serif; }
			form { width:350px; text-align:left;   -moz-border-radius:15px 15px 15px 15px;    -moz-box-shadow:0 0 10px #333333;    border:3px solid blue;    padding:10px;}
			fieldset ol {  list-style: none;  }
			label {  display: block;  color:#7C6767;    font-size:14px;	}
			input, select {    border-color:#EEEEEE #CCCCCC #CCCCCC #EEEEEE;    border-right:1px solid #CCCCCC;    border-style:solid;    border-width:1px;    font-size:12px;    margin:0 0 15px;    padding:5px;    width:250px;}
			input[type="text"]:focus, input[type="password"]:focus {  border-color:#555555; background-color: #efefef;}
			input:hover {		border-color: blue; border-width: 1px; border-style: solid;	}
			span.error { color:red; font: 10px Georgia, serif;}
			div.securitycode { text-align:left; }
		</style>
		<form class="standard-form" name="registration" action="" method="post" accept-charset="UTF-8" enctype="application/x-www-form-urlencoded">
			<fieldset>
				<legend>Registration Form</legend>
				<span class="error"><?php if(!empty($msg)){ echo "Following errors occurred:<br>$msg<br>"; } ?></span>
				<ol>
					<li>
						<label for="Username">UserName</label>
						<input name="UserName" type="text" size="12" value="<?php if(isset($_POST['UserName'])){ echo encode_output_registration_form($_POST['UserName']); } ?>">
					</li>
					<li>
						<label for="Title">Title</label>
						<?php $intIdField = "TitleID"; $strNameField = "Title"; $strTableName = "title"; $strOrderField = "TitleID"; $strNameOrdinal = "Title"; $strMethod="asc"; $selectedVal=encode_output_registration_form($_POST['Title']); dropdown($intIdField, $strNameField, $strTableName, $strOrderField, $strNameOrdinal, $strMethod, $selectedVal);?>
					</li>
					<li>
						<label for="FirstName">FirstName</label>
						<input name="FirstName" type="text" size="40" value="<?php if(isset($_POST['FirstName'])){ echo encode_output_registration_form($_POST['FirstName']); } ?>">
					</li>
					<li>
						<label for="Lastname">LastName</label>
						<input name="LastName" type="text" size="40" value="<?php if(isset($_POST['LastName'])){ echo encode_output_registration_form($_POST['LastName']); } ?>">
					</li>
					<li>
						<label for="email">Email</label>
						<input name="Email" type="text" size="40" value="<?php if(isset($_POST['Email'])){ echo encode_output_registration_form($_POST['Email']); } ?>">
					</li>
					<li>
						<label for="password">Password</label>
						<input name="Password" type="password" size="40" />
					</li>
					<li>
						<label for="password">Confirm Password</label>
						<input name="Password2" type="password" size="40">
					</li>
					<li>
						<label for="securitycode">Please Type in this Security Code:</label><div class="securitycode"><img src="gencap.php"></div>
						<input name="securitycode" type="text" size="6">

						<input type="hidden" name="form_token" value="<?php if (!session_id()) { session_start(); } $_SESSION['form_token'] = md5( uniqid('auth', true) ); echo $_SESSION['form_token']; ?>" />
						<input name="submit" type="submit" value="Register">
					</li>
				</ol>
			</fieldset> 
		</form>

<?php } ?>


<?php function encode_output_registration_form($string) {

	// Set utf8 type
	setlocale(LC_CTYPE, 'en_US.UTF-8');

	// only allows well formed Unicode and rejects overly long 2 byte sequences, as well as characters above U+10000
	// (both preg_replace() calls work on $string; the original filtered an undefined $strings, so they had no effect)
	$string = preg_replace('/[\x00-\x08\x10\x0B\x0C\x0E-\x19\x7F]'.
		'|[\x00-\x7F][\x80-\xBF]+'.
		'|([\xC0\xC1]|[\xF0-\xFF])[\x80-\xBF]*'.
		'|[\xC2-\xDF]((?![\x80-\xBF])|[\x80-\xBF]{2,})'.
		'|[\xE0-\xEF](([\x80-\xBF](?![\x80-\xBF]))|(?![\x80-\xBF]{2})|[\x80-\xBF]{3,})/S',
		'?', $string );

	// The second preg_replace() removes overly long 3 byte sequences and UTF-16 surrogates.
	$string = preg_replace('/\xE0[\x80-\x9F][\x80-\xBF]'.
		'|\xED[\xA0-\xBF][\x80-\xBF]/S',
		'?', $string );

	$string = iconv('UTF-8', 'UTF-8//IGNORE', $string);

	// Decode any entities already present so the final encode below does not double-encode them
	$string = html_entity_decode($string, ENT_QUOTES, "UTF-8");

	// strip <> and () just in case of XSS or other strange reasons
	$string = preg_replace('/[\<\>\(\)]/', ' ', $string);
	// e.g. <script>alert("xss")</script>: the following line neutralises it for HTML output
	$string = htmlentities($string, ENT_QUOTES, "UTF-8");

	return($string);
}
?>


<?php function validate_registration_form() {

	$msg = "";

	// encode as per output to browser, then decode again so the validators below see plain text
	// (the original decoded $value here, which silently threw away the encode step)
	foreach ($_POST as $key => $value) {
		$_POST[$key] = encode_output_registration_form($value);
		$_POST[$key] = html_entity_decode($_POST[$key], ENT_QUOTES, "UTF-8");
	}

	// test UserName: [A-Za-z0-9_] between 4 and 20 chars, lowercase ASCII
	// SHOULD NOT BE UTF-8
	if (!filter_has_var(INPUT_POST, 'UserName')) { $msg .= "<li>* Please fill ALL the fields in the Registration Form - UserName.</li>"; }
	if (!filter_var($_POST["UserName"], FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => "/^[a-zA-Z0-9_]+$/")))) { $msg .= "<li>* Your UserName must only use ASCII Letters, Numbers, or Underscore(_).</li>"; }
	if (strlen($_POST["UserName"]) > 20 || strlen($_POST["UserName"]) < 4) { $msg .= "<li>* Your UserName needs to be between 4 and 20 characters in length.</li>"; }

	// test Title: number, length 3, between 001 and 010
	// will be an INT
	if (!filter_has_var(INPUT_POST, 'Title')) { $msg .= "<li>* Please fill ALL the fields in the Registration Form - Title.</li>"; }
	if (!filter_var($_POST["Title"], FILTER_VALIDATE_INT, array("options" => array("min_range" => 1, "max_range" => 10)))) { $msg .= "<li>* Please select your title.</li>"; }

	// test FirstName: NO number, between 3 and 30 chars, NOTE names like O'Neal should be OK
	// THIS IS UTF-8
	if (!filter_has_var(INPUT_POST, 'FirstName')) { $msg .= "<li>* Please fill ALL the fields in the Registration Form - FirstName.</li>"; }
	if (mb_strlen($_POST["FirstName"], "UTF-8") > 30 || mb_strlen($_POST["FirstName"], "UTF-8") < 3) { $msg .= "<li>* Oops.. There's a problem with your First name.</li>"; }
	// deny-list match: an error only when a forbidden character IS present (the original negated this test, rejecting every clean name);
	// the hyphen is escaped so ">-_" is not a byte range covering A-Z, and /u matches characters rather than bytes
	if (filter_var($_POST["FirstName"], FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => '/[0-9<>\-_¬@!£$%^]/u')))) { $msg .= "<li>* Your FirstName must only use letters; UTF-8 is fine.</li>"; }

	// test LastName: NO number, between 3 and 30 chars, NOTE names like O'Neal should be OK
	// THIS IS UTF-8
	if (!filter_has_var(INPUT_POST, 'LastName')) { $msg .= "<li>* Please fill ALL the fields in the Registration Form - LastName.</li>"; }
	if (mb_strlen($_POST["LastName"], "UTF-8") > 30 || mb_strlen($_POST["LastName"], "UTF-8") < 3) { $msg .= "<li>* Oops.. There's a problem with your Last name.</li>"; }
	if (filter_var($_POST["LastName"], FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => '/[0-9<>\-_¬@!£$%^]/u')))) { $msg .= "<li>* Your LastName must only use letters.</li>"; }

	// test Email: between 6 and 50 chars, lowercase, validate
	// NOT UTF-8
	if (!filter_has_var(INPUT_POST, 'Email')) { $msg .= "<li>* Please fill ALL the fields in the Registration Form - Email.</li>"; }
	// convert and make sure it is ASCII only
	$_POST["Email"] = utf8_decode($_POST["Email"]);
	if (strlen($_POST["Email"]) > 50 || strlen($_POST["Email"]) < 6) { $msg .= "<li>* Your Email address seems to be very long (or too short).</li>"; }
	if (!filter_var($_POST["Email"], FILTER_VALIDATE_EMAIL)) { $msg .= "<li>* Please retype your email address; we will email you to validate your account so it needs to be correct.</li>"; }

	// NEED to limit chars
	// test Passwords x2: between 6 and 50 chars, identical, upper and lower case sensitive
	// can be UTF-8
	if (!filter_has_var(INPUT_POST, 'Password')) { $msg .= "<li>* Please fill ALL the fields in the Registration Form - Password.</li>"; }
	if (!filter_has_var(INPUT_POST, 'Password2')) { $msg .= "<li>* Please fill ALL the fields in the Registration Form - Password2.</li>"; }
	if (mb_strlen($_POST["Password"], "UTF-8") > 50 || mb_strlen($_POST["Password"], "UTF-8") < 6) { $msg .= "<li>* Your Password must be between 6 and 50 characters long.</li>"; }
	if ($_POST["Password"] != $_POST["Password2"]) { $_POST['Password'] = $_POST['Password2'] = NULL; $msg .= "<li>* Your passwords do not match.</li>"; }

	// test form_token: session form_token identical, then clean out the token
	if (!filter_has_var(INPUT_POST, 'form_token')) { $msg .= "<li>* Please use the Registration Form - form_token.</li>"; }
	if (ctype_alnum($_POST['form_token']) != true) { $msg .= "<li>* form_token Error, IP logged.</li>"; }
	if ($_POST['form_token'] != $_SESSION['form_token']) { $msg .= "<li>* We have detected an abnormal attempt to register; probably you have taken too long to fill out the registration form. You will need to submit it again.</li>"; }
	unset($_SESSION['form_token']);

	// test CAPTCHA
	if (!filter_has_var(INPUT_POST, 'securitycode')) { $msg .= "<li>* Please fill in the security code.</li>"; }
	if (strlen($_POST['securitycode']) != 5) { $msg .= "<li>* The security code has five characters.</li>"; }
	if (ctype_alnum($_POST['securitycode']) != true) { $msg .= "<li>* Security code Error, wrong characters.</li>"; }
	if (md5(strtoupper($_POST['securitycode'])) != $_SESSION['rndnum']) { $msg .= "<li>* Oops, wrong Security Code.</li>"; }
	unset($_SESSION['rndnum']);

	// test form_submit is Register and clean out
	if (!filter_has_var(INPUT_POST, 'submit')) { $msg .= "<li>* Please use the Registration Form - submit.</li>"; }
	if ($_POST['submit'] != "Register") { $_POST['submit'] = NULL; $msg .= "<li>* Please use our form to register.</li>"; }

	if (!empty($msg)) {
		$msg = "<ol>" . $msg . "</ol>";
		return($msg);
	}
	else {
		return(1);
	}
}
?>
Attachments
source.zip
All my source code
(6.22 KiB) Downloaded 160 times
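An added example, not code from the posted source, of the allow-list alternative to the deny-list regexes in validate_registration_form() above: instead of searching a name for forbidden characters (where an unescaped hyphen in the class silently turned `>-_` into a range), the pattern states what a name may contain. The bounds (3 to 30 characters for names, 4 to 20 ASCII characters for the username) and the "O'Neal should be OK" requirement are the post's own; the patterns, the CSPRNG-based token generation and the helper names are mine, and the inputs in `$names` are constructed.

```php
<?php
// Added example: allow-list validators for the form's name, username and
// anti-CSRF token fields.

// A name starts with a letter and may then contain letters, combining marks,
// apostrophe, hyphen and space; 3 to 30 characters counted as code points
// because of /u, which also makes preg_match() fail on malformed UTF-8.
function validateName(string $name): bool
{
    return preg_match('/^\p{L}[\p{L}\p{M}\' -]{2,29}$/u', $name) === 1;
}

// Username is deliberately ASCII-only: 4 to 20 of [A-Za-z0-9_].
function validateUserName(string $user): bool
{
    return preg_match('/^[A-Za-z0-9_]{4,20}$/', $user) === 1;
}

// Anti-CSRF token: generated from the CSPRNG rather than md5(uniqid()), and
// compared in constant time so the check does not leak through timing.
function newFormToken(): string
{
    return bin2hex(random_bytes(16));
}

function tokenMatches(string $sessionToken, string $submitted): bool
{
    return ctype_alnum($submitted) && hash_equals($sessionToken, $submitted);
}

// Constructed inputs exercising the edge cases the thread discusses.
$names = [
    "O'Neal"            => true,
    'Éric'              => true,   // non-ASCII letter, 4 code points
    'Anne-Marie'        => true,
    'Al'                => false,  // too short
    'R2D2'              => false,  // digits
    '<b>Bob</b>'        => false,  // markup
    "\xC0\xA7Neal"      => false,  // overlong byte sequence: /u rejects it outright
    str_repeat('a', 31) => false,  // too long
];

// Returns, per input, whether the validator agreed with the expected verdict.
function checkAll(array $cases, callable $validator): array
{
    $report = [];
    foreach ($cases as $input => $expected) {
        $report[$input] = $validator((string) $input) === $expected;
    }
    return $report;
}

foreach (checkAll($names, 'validateName') as $input => $asExpected) {
    printf("%-34s %s\n", addcslashes($input, "\0..\37\177..\377"), $asExpected ? 'ok' : 'MISMATCH');
}

$token = newFormToken();
var_dump(validateUserName('st3fanos'), validateUserName('st3'));
var_dump(tokenMatches($token, $token), tokenMatches($token, str_repeat('0', 32)));
```

The allow-list reads as a specification of the field rather than a list of things the author remembered to forbid, which is why it also answers the "is UTF-8 fine?" question without a separate encoding check: `/u` refuses the malformed sequence before the character class is ever consulted.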
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: utf8 secure registration form help

Post by kaisellgren »

Make sure your db.inc is not accessible/readable.
st3fanos
Forum Newbie
Posts: 12
Joined: Tue Apr 13, 2010 1:30 am

Re: utf8 secure registration form help

Post by st3fanos »

Hi,

Yes it's never a good idea to have your include files processed as text by your server.

I block access to them with a .htaccess file:

Code:

<FILES ~ "\.inc$">
    Order allow,deny
    Deny from all
</FILES>
Kind Regards