 <?php
    // $PDO is assumed to be an already-open PDO connection with
    // PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION; without that
    // attribute a failed INSERT never reaches the catch block below.
    if (isset($_POST['submit'])) {
        try {
            $picture = "../images/default-picsss.png";

            // Both INSERTs were originally prepared as one multi-statement
            // string, which only runs under emulated prepares on MySQL and
            // surfaces an error in the second statement only through
            // nextRowset(). Two separate statements inside one transaction
            // behave the same on success and leave no half-created user on
            // failure.
            $PDO->beginTransaction();

            $sql = "
                INSERT INTO user (username, password, fullname, address, mobile, email, picture)
                    VALUES (:username, :password, :fullname,
                        :address, :mobile, :email, :picture)
            ";
            $stmt = $PDO->prepare($sql);
            // Request values are bound as parameters, never concatenated into
            // $sql, so they cannot alter the query. The password is stored
            // exactly as submitted; nothing here hashes it.
            $stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
            $stmt->bindParam(':password', $_POST['password'], PDO::PARAM_STR);
            $stmt->bindParam(':fullname', $_POST['fullname'], PDO::PARAM_STR);
            $stmt->bindParam(':address', $_POST['address'], PDO::PARAM_STR);
            $stmt->bindParam(':mobile', $_POST['mobile'], PDO::PARAM_STR);
            $stmt->bindParam(':email', $_POST['email'], PDO::PARAM_STR);
            $stmt->bindParam(':picture', $picture, PDO::PARAM_STR);
            $stmt->execute();

            $stmt = $PDO->prepare("INSERT INTO user_balance (username) VALUES (:username)");
            $stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
            $stmt->execute();

            $PDO->commit();

            // $_POST['username'] is written into the HTML without encoding.
            echo "<div class='alert alert-success' role='alert'>Well done! You successfully created user: <b>".$_POST['username']."</b></div>";
        }
        catch (PDOException $e) {
            if ($PDO->inTransaction()) {
                $PDO->rollBack();
            }
            echo "<div class='alert alert-danger' role='alert'>Oh snap! Failed to create new user: <b>$_POST[username]</b></div>";
        }
    }
 ?>
Last Post by diafol
No, from SQL injection you're safe with prepared statements, but you are exposed to an XSS attack, here:

echo "<div class='alert alert-success' role='alert'>Well done! You successfully created user: <b>".$_POST['username']."</b></div>";

echo "<div class='alert alert-danger' role='alert'>Oh snap! Failed to create new user: <b>$_POST[username]</b></div>";

$_POST is not sanitized, so I could inject JavaScript or an iframe. The Google Chrome XSS Auditor in this case will raise an alert, which is visible in the developer console.

Use filter_input() if you want to return the contents to the page:

Votes + Comments
Great explanation of XSS
Good point. I would have missed that.
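As an added example (not code from the thread), here is the unescaped echo from the question beside an output-encoded version, run from the CLI against a constructed payload. filter_var() stands in for the filter_input() suggested in the reply, because there is no request (and so no $_POST) on the command line; the function names renderUnsafe() and renderSafe() are assumptions for this illustration.

```php
<?php
// Constructed attacker input, as it would arrive in $_POST['username'].
$payload = '<script>alert(document.cookie)</script>';

// Vulnerable: raw request data interpolated into the HTML, as in the question.
function renderUnsafe(string $username): string
{
    return "<div class='alert alert-success' role='alert'>"
         . "Well done! You successfully created user: <b>" . $username . "</b></div>";
}

// Hardened: encode at the output boundary. htmlspecialchars() with ENT_QUOTES
// turns <, >, &, " and ' into entities, so the browser renders the payload
// as text instead of executing it.
function renderSafe(string $username): string
{
    $escaped = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div class='alert alert-success' role='alert'>"
         . "Well done! You successfully created user: <b>" . $escaped . "</b></div>";
}

// The reply's filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS)
// applies the same filter to request data; FILTER_SANITIZE_SPECIAL_CHARS uses
// numeric entities (&#60; &#62; &#38; ...) rather than the named ones above.
$viaFilter = filter_var($payload, FILTER_SANITIZE_SPECIAL_CHARS);

echo renderUnsafe($payload), "\n";   // contains a live <script> element
echo renderSafe($payload), "\n";     // contains &lt;script&gt;...&lt;/script&gt;
echo $viaFilter, "\n";               // contains &#60;script&#62;...

// Check: neither encoded form contains a raw angle bracket, so no tag survives.
assert(strpos(renderSafe($payload), '<') === false
    || strpos(renderSafe($payload), '<script') === false);
assert(strpos($viaFilter, '<') === false);
assert(strpos(renderUnsafe($payload), '<script') !== false);
```

Run it with `php -d zend.assertions=1 xss_demo.php`. The value bound into the INSERT should stay raw and be encoded at every place it is rendered (profile pages, admin lists, e-mails), not only in this success message; encoding at input time would store a mangled username and still miss any other page that prints the raw column.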

Now is it ok?

<?php
    // $PDO is assumed to be an already-open PDO connection with
    // PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION, so failed
    // statements throw PDOException and reach the catch block.
    if (isset($_POST['submit'])) {
        // HTML-encoded copy of the username for display only; set before the
        // try so it exists in both the try and the catch branch. The raw
        // value is what gets stored.
        $user = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);

        try {
            $picture = "../images/default-picsss.png";

            // Two separate prepared statements in one transaction instead of
            // one multi-statement string, which only works under emulated
            // prepares on MySQL and does not report a failure in the second
            // INSERT without nextRowset().
            $PDO->beginTransaction();

            $sql = "
                INSERT INTO user (username, password, fullname, address, mobile, email, picture)
                    VALUES (:username, :password, :fullname,
                        :address, :mobile, :email, :picture)
            ";
            $stmt = $PDO->prepare($sql);
            // Request values are bound, never concatenated into $sql.
            // The password is stored exactly as submitted; nothing here hashes it.
            $stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
            $stmt->bindParam(':password', $_POST['password'], PDO::PARAM_STR);
            $stmt->bindParam(':fullname', $_POST['fullname'], PDO::PARAM_STR);
            $stmt->bindParam(':address', $_POST['address'], PDO::PARAM_STR);
            $stmt->bindParam(':mobile', $_POST['mobile'], PDO::PARAM_STR);
            $stmt->bindParam(':email', $_POST['email'], PDO::PARAM_STR);
            $stmt->bindParam(':picture', $picture, PDO::PARAM_STR);
            $stmt->execute();

            $stmt = $PDO->prepare("INSERT INTO user_balance (username) VALUES (:username)");
            $stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
            $stmt->execute();

            $PDO->commit();

            // Only the encoded copy is written into the page.
            echo "<div class='alert alert-success' role='alert'>Well done! You successfully created user: <b>$user</b></div>";
        }
        catch (PDOException $e) {
            if ($PDO->inTransaction()) {
                $PDO->rollBack();
            }
            echo "<div class='alert alert-danger' role='alert'>Oh snap! Failed to create new user: <b>$user</b></div>";
        }
    }
?>



Not sure $user will be passed to the catch branch. You make no use of $e. No exceptions thrown to pass data in the try branch.
