0

Ladies & Gentlemen,

Or should I say 'Gentle Ladies' and 'Hard Men' (tough guys)! :winky:

Here is my very latest (New Code) reg.php. I have modified it by:

  • Removing outdated strip tags, mysqli_escape_string.
  • Bound input parameters on the user reg form.
  • Added htmlspecialcharacters code on output to prevent sql injection.

Look how cluttered my old code was before a lot of programmers here and other sources helped me out (thanks to all!).

Ok, my new code does not have the email confirmation code and a lot of others but I will add them soon. I took them out here to make the new code simple for you to easily understand the code. Kept just the fundamentals on the 1st impression. Will add the remaining necessities on the 2nd impression.
You are welcome to make any suggestions and criticize the coding (but do bother to show an example of an improvement to the area you criticize). Ok ?

Old Code:

<?php 

//Connect to DB. 
require "conn.php"; 

//Grab basic site details. 
require "site_details.php"; 

//Perform following action when user registration "Submit button is clicked". 
if  (isset($_POST['submit'])) 
{ 
    //Check if user filled-in "Username", "Password" and "Email" fields or not. If not, give alert to fill them in. 
    if(!empty($_POST["member_registration_username"]) && !empty($_POST["member_registration_password"])&& !empty($_POST["member_registration_email"])) 
    { 
        //Check for username match in "Usernames" column in "users"    table. If there is a match then do the following ... 
        $stmt = mysqli_prepare($conn, 'SELECT COUNT(*) FROM users WHERE usernames = ?'); 
        mysqli_stmt_bind_param($stmt, 's', $_POST['member_registration_username']); 
        mysqli_stmt_execute($stmt); 
        mysqli_stmt_bind_result($stmt, $rows); 
        if (mysqli_stmt_fetch($stmt) && $rows)  
        { 
            die( 
            'That Username '.htmlspecialchars($_POST['member_registration_username']).' is already registered!' 
            ); 
        } 

        //Check for email match in "Emails" column is "users" table. If there is a match then do the following ... 
        $stmt = mysqli_prepare($conn, 'SELECT COUNT(*) FROM users WHERE emails = ?');
        mysqli_stmt_bind_param($stmt, 's', $_POST['member_registration_email']); 
        mysqli_stmt_execute($stmt); 
        mysqli_stmt_bind_result($stmt, $rows); 
        if (mysqli_stmt_fetch($stmt) && $rows)  
        { 
            die( 
            'That Email '.htmlspecialchars($_POST['member_registration_email']).' is already registered!' 
            ); 
        } 

        //Dump new "Username", "Email" and "Password" into "users" table.         
        $name = $_POST['member_registration_username']; 
        $email = $_POST['member_registration_email']; 
        $password = $_POST['member_registration_password']; 

        if ($stmt = $conn->prepare("INSERT INTO users (usernames, emails, passwords) VALUES (?, ?, ?)"))  
        {  
        // Bind the three variables to the parameters as strings ($conn comes from conn.php).  
        $stmt->bind_param("sss", $name, $email, $password); 

        // Execute the statement. 
        $stmt->execute(); 

        // Close the prepared statement. 
        $stmt->close(); 
        }     
    } 
    else 
    {    //Give alert to fill-in all fields. 
        echo "You must fill-in all input fields!"; 
    } 
} 

?> 
<!DOCTYPE html> 
<html> 
<head> 
<title><?php echo $site_name; ?> Signup Page</title> 
  <meta charset="utf-8"> 
</head> 
<body> 
<div class = "container"> 
<form method="post" action=""> 
<center><h2>Signup Form</h2></center> 
<div class="form-group"> 
<center><label>Username:</label> 
<input type="text" name="member_registration_username" required [A-Za-z0-9]></center>
</div> 
<div class="form-group"> 
<center><label>Password:</label> 
<input type="password" name="member_registration_password" required [A-Za-z0-9]></center> 
</div> 
<div class="form-group"> 
<center><label>Email:</label> 
<input type="email" name="member_registration_email" required [A-Za-z0-9]></center> 
</div> 
<center><button type="submit" class="btn btn-default" name="submit">Register!</button></center> 
</form> 
</div> 
</body> 
</html>

<?php 

//DB connection details.     
$server_name = "localhost"; 
$user_name = "root"; 
$server_password = ""; 
$db_name = "e-id"; 

//Connect to DB. 
$conn = new mysqli($server_name,$user_name,$server_password,$db_name); 

if($conn->connect_error) 
{ 
    die($conn->connect_error); 
} 

//Site details. 
$site_domain = "site-domain.com"; 
$site_name = "site-name"; 
$site_admin_email = "admin@site-domain.com"; 

//Perform following action when user registration "Submit button is clicked". 
if  (isset($_POST['submit'])) 
{ 
    //Check if user filled-in "Username", "Password" and "Email" fields or not. If not, give alert to fill them in. 
    if(!empty($_POST["member_registration_username"]) && !empty($_POST["member_registration_password"])&& !empty($_POST["member_registration_email"])) 
    { 
        $member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"])))); 
        $member_registration_password = trim(strip_tags(md5(mysqli_real_escape_string($conn,$_POST["member_registration_password"])))); 

        //Check for Username match in users    table.     
        $sql = "SELECT * FROM users WHERE Usernames ='".$member_registration_username."'"; 
        $result = mysqli_query($conn,$sql); 
        //If there is a Username match in the "Usernames" column then do the following ... 
        if(mysqli_num_rows($result)!=0) 
        { 
            //Give alert "username" already taken. 
            $_SESSION['message']="That Username $member_registration_username is already registered!"; 
            exit(); 
        } 

        //Check for Email match in users table. 
        $sql = "SELECT * FROM users WHERE Emails ='".$member_registration_email."'"; 
        $result = mysqli_query($conn,$sql); 

        //If there is a Username match in the "Usernames" column then do the following ... 
        if(mysqli_num_rows($result)>0) 
        { 
            //Give alert "email" already taken. 
            $_SESSION['message']="That Email $member_registration_email is already registered!"; 
            exit(); 
        } 

        //Dump new "Username", "Email" and "Password" into "users" table. 
        $sql = "INSERT INTO users(Usernames,Passwords,Emails) VALUES('".$member_registration_username."','".$member_registration_password."','".$member_registration_email."')"; 
        if($sql) 
        { 
            //Give alert dumping new user details into db a success. 
            $_SESSION['message']="Data insertion into table success!"; 
        } 
        else     
        { 
            //Give alert dumping new user details into db a failure. 
            $_SESSION['message']="Data insertion into table failure!"; 
        }     
    } 
    else 
    {    //Give alert to fill-in all fields. 
        $_SESSION['message']="You must fill-in all input fields!"; 
    } 
} 

?> 
<!DOCTYPE html> 
<html> 
<head> 
<title><?php $site_name ?> Signup Page</title> 
  <meta charset="utf-8"> 
</head> 
<body> 
<div class = "container"> 
<form method="post" action=""> 
<center><h2>Signup Form</h2></center> 
<div class="form-group"> 
<center><label>Username:</label> 
<input type="text" placeholder="Enter a unique Username" name="member_registration_username" required [A-Za-z0-9]></center> 
</div> 
<div class="form-group"> 
<center><label>Password:</label> 
<input type="password" placeholder="Enter a new Password" name="member_registration_password" required [A-Za-z0-9]></center> 
</div> 
<div class="form-group"> 
<center><label>Email:</label> 
<input type="email" placeholder="Enter your Email" name="member_registration_email" required [A-Za-z0-9]></center> 
</div> 
<center><button type="submit" class="btn btn-default" name="submit">Register!</button></center> 
</form> 
</div> 
</body> 
</html>

Fellow programmers, looking at my 2nd code, do you think:

  • it is better;
  • clutter free;
  • more understandable;
  • sql injection free.

And, on my 2nd code, any chance you can help me convert the INSERT sql command (line 45-55) to mysqli style from pdo ?
I got that pdo code from:

http://www.wikihow.com/Prevent-SQL-Injection-in-PHP

Since most of my code, in my many pages script, is in mysqli or procedural style, it will look odd if 10 lines are pdo or oop style.
Yes, I know I know, I should do it in pdo and oop style but I'm still a beginner and most tutorials on basic php are in mysqli and procedural style and so I cannot just switch to pdo and oop just yet. Let me learn to walk first and then I'll hop like a Kangaroo. I'm still a toddler. Have to take things one step at a time or I'll get confused and put-off from php.

Question: On my 1st (old code), you will see I don't use the "echo" but "Session Message" instead as 2 youtube tutorials showed to do it that way without giving any explanation why. Therefore, I ask:

  1. What is the difference and benefits (pros) as well as the cons between the echo and the session message ?
  2. When should I use which one of them ?

Thanks!

Edited by UI

0

Anyway, these 2 links were a waste of my time.
Anyone have any better link suggestions are welcome!

I think we're scared off by that. Who wants to suggest something now?

2

Diafol,

I meant these 2 links have been a waste of my time:

http://php.net/manual/en/function.password-hash.php
http://php.net/manual/en/function.password-verify.php

These ones I liked:

http://blog.moertel.com/posts/2006-12-15-never-store-passwords-in-a-database.html

http://blog.moertel.com/posts/2007-02-09-dont-let-password-recovery-keep-you-from-protecting-your-users.html

For some reason, on my previous post, these links did not get pasted and so not your fault for misunderstanding me and getting put-off.
Don't get put-off.

Cheers!

0

I forgot to paste my new code in my original post and so here it is (after a few more amendments from feedbacks):

<?php

require "conn.php";
//Connect to DB.

//Grab basic site details.
require "site_details.php";

//Perform following action when user registration "Submit button is clicked".
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
    //Check if user filled-in "Username", "Password" and "Email" fields or not. If not, give alert to fill them in.
    if(!empty($_POST["member_registration_username"]) && !empty($_POST["member_registration_password"])&& !empty($_POST["member_registration_email"]))
    {
        //Check for username match in "Usernames" column in "users" table. If there is a match then do the following ...
        $stmt = mysqli_prepare($conn, 'SELECT COUNT(*) FROM users WHERE usernames = ?');
        mysqli_stmt_bind_param($stmt, 's', $_POST['member_registration_username']);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $rows);
        if (mysqli_stmt_fetch($stmt) && $rows) 
        {
            die(
            'That Username '.htmlspecialchars($_POST['member_registration_username']).' is already registered!'
            );
        }

        //Check for email match in "Emails" column is "users" table. If there is a match then do the following ...
        $stmt = mysqli_prepare($conn, 'SELECT COUNT(*) FROM users WHERE emails = ?');
        mysqli_stmt_bind_param($stmt, 's', $_POST['member_registration_email']);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $rows);
        if (mysqli_stmt_fetch($stmt) && $rows) 
        {
            die(
            'That Email '.htmlspecialchars($_POST['member_registration_email']).' is already registered!'
            );
        }

        //Dump new "Username", "Email" and "Password" into "users" table.       
        $name = $_POST['member_registration_username'];
        $password = $_POST['member_registration_password'];
        $email = $_POST['member_registration_email'];

        //$conn is the mysqli connection that the checks above already use.
        if ($stmt = $conn->prepare("INSERT INTO users (usernames, emails, passwords) VALUES (?, ?, ?)")) 
        { 
        // Bind the three variables to the parameters as strings. 
        $stmt->bind_param("sss", $name, $email, $password);

        // Execute the statement.
        $stmt->execute();

        // Close the prepared statement.
        $stmt->close();
        }   
    }
    else
    {   //Give alert to fill-in all fields.
        echo "You must fill-in all input fields!";
    }
}

?>
<!DOCTYPE html>
<html>
<head>
<title><?php echo $site_name; ?> Signup Page</title>
  <meta charset="utf-8">
</head>
<body>
<div class = "container">
<form method="post" action="">
<center><h2>Signup Form</h2></center>
<div class="form-group">
<center><label>Username:</label>
<input type="text" name="member_registration_username" required [A-Za-z0-9]></center>
</div>
<div class="form-group">
<center><label>Password:</label>
<input type="password" name="member_registration_password" required [A-Za-z0-9]></center>
</div>
<div class="form-group">
<center><label>Email:</label>
<input type="email" name="member_registration_email" required [A-Za-z0-9]></center>
</div>
<center><button type="submit" class="btn btn-default" name="submit">Register!</button></center>
</form>
</div>
</body>
</html>

What do you think now ?
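
The INSERT asked about in this thread, written in procedural mysqli with bound parameters, as an added example that is not the poster's code. It assumes `$conn` is the mysqli connection from conn.php and that the `users` table has `usernames`, `emails` and `passwords` columns; `h()`, `value_taken()` and `register_user()` are hypothetical helper names. Bound parameters protect the query, `htmlspecialchars()` protects the HTML output, and `password_hash()` replaces storing the submitted password.

```php
<?php
// Added example. Assumes $conn (mysqli) from conn.php and a users table
// with columns usernames, emails, passwords (passwords: VARCHAR(255)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw

// Escape a value for HTML output. This guards the page, not the query.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// True if $column already holds $value. $column must be a fixed name
// written in the code, never user input: identifiers cannot be bound.
function value_taken(mysqli $conn, string $column, string $value): bool
{
    $stmt = mysqli_prepare($conn, "SELECT COUNT(*) FROM users WHERE $column = ?");
    mysqli_stmt_bind_param($stmt, 's', $value);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $rows);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $rows > 0;
}

// Register a user; the returned message is already safe to echo into HTML.
function register_user(mysqli $conn, string $name, string $email, string $password): string
{
    if (value_taken($conn, 'usernames', $name)) {
        return 'That Username ' . h($name) . ' is already registered!';
    }
    if (value_taken($conn, 'emails', $email)) {
        return 'That Email ' . h($email) . ' is already registered!';
    }
    // Store a salted hash, never the submitted password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    try {
        $stmt = mysqli_prepare($conn,
            'INSERT INTO users (usernames, emails, passwords) VALUES (?, ?, ?)');
        mysqli_stmt_bind_param($stmt, 'sss', $name, $email, $hash);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // details go to the log, not the page
        return 'Registration failed.';
    }
    return 'Registration complete.';
}
```

On the login page the stored hash is checked with `password_verify($submitted_password, $hash_from_db)`.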
