This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL injection in PHP?
This is a simple registration I made in PHP.
I just want to know how to make it really secure, as I am new to PHP, so examples would help also. All in all, any resources or guidance would be great.
<?php
$email = $_POST["email"];
$password = $_POST["password"];
$fname = $_POST["first_name"];
$lname = $_POST["last_name"];
$db = "mydatabase";
$connect = mysql_connect("localhost","root","");
if(!$connect){
die('Could not connect.');
}
$query = "INSERT INTO users (id, email, password, first_name, last_name) VALUES (DEFAULT, '".$email."', '".$password."', '".$fname."', '".$lname."')";
mysql_select_db($db, $connect);
if(!mysql_query($query)){
echo 'Failed: '.mysql_error();
}
else{
echo 'You have registered.';
}
mysql_close($connect);
?>
and this is the register input form
<html>
<head>
</html>
<body>
<form action="new_user_db.php" method="POST">
<input type="text" name="first_name" placeholder="First Name" required><br>
<input type="text" name="last_name" placeholder="Last Name" required><br>
<input type="email" name="email" placeholder="E-mail" required><br>
<input type="password" name="password" placeholder="Password" required><br>
<input type="submit" value="Register">
</form>
</body>
</html>
thanks for all your feedback!
Security Issues:
Use MySQLi/PDO. mysql_ functions are deprecated.
Stop using the root account to run your mysql queries. Create a new database user with the minimum required privileges
Finally (unrelated to PHP), look into SSL and securing the movement of credentials from client to server.
Also, not a security risk but...
Having your credentials in every single PHP file that uses it is bad practice. Put it in a separate PHP and include/require it, whenever you want to make a connection. That prevents you having to make several changes when changing database server/user/password.
Use a Prepared Statement
$db = mysqli_connect($dbserver, $dbuser, $dbpass,$dbname);
$sql = "insert into mytable (mycol1, mycol2) values (?,?)";
$statement = $db->prepare($sql);
$statement -> bindparam("ss",$myval1, $myval2)'
mysqli_stmt_execute(#statement);
Related
This question already has answers here:
How to include a PHP variable inside a MySQL statement
(5 answers)
Closed 2 years ago.
I am a beginner in PHP. And decided to make a fully working model of a registration form. But when I program it, it doesn't work.
Here is the main HTML code
<html>
<form method="POST">
<input required type="text" name="name" placeholder="Your Name"><br>
<input required type="email" name="email" placeholder="Your Email"><br>
<input required type="password" name="pass" placeholder="Your Password"><br>
<button name="submit" type="submit" value="Submit">Submit</button>
</form>
</html>
Here is the PHP code
<?php
$conn = mysqli_connect("localhost", "root", "", "shayeq");
if (isset($_POST['submit'])) {
# code...
$user = $_POST['name'];
$email = $_POST['email'];
$pass = $_POST['pass'];
$sql = "INSERT INTO 'user'(name, email, password) VALUE ('$user', '$email', '$pass')"
}
You have to run sql command.
$sql = "INSERT INTO user (name, email, password) VALUES ('$user', '$email', '$pass')";
$result = mysqli_query($sql);
I'm new to php and sql and all that stuff, and I was watching a tutorial on youtube about forums in php and wonder why this code doesn't echo "Success" when submitting the form. I also wonder why it echo out Failure before I have submitted the form. I have connected successfully to the database.
<!DOCTYPE HTML>
<html>
<head>
<title>Register</title>
</head>
<body>
<form action="register.php" method="POST">
Username: <input type="text" name="username">
<br/>
Password: <input type="password" name="password">
<br/>
Confirm Password: <input type="password" name="confirmPassword">
<br/>
Email: <input type="text" name="email">
<br/>
<input type="submit" name="submit" value="Register"> or Log in
</form>
</body>
</html>
<?php
require('connect.php');
$username = $_POST['username'];
$password = $_POST['password'];
$confirmPassword = $_POST['confirmPassword'];
$email = $_POST['email'];
if(isset($_POST["submit"])){
if($query = mysql_query("INSERT INTO users ('id', 'username', 'password', 'email') VALUES('', '".$username."', '".$password."', '".$email."')")){
echo "Success";
}else{
echo "Failure" . mysql_error();
}
}
?>
Connect.php
<?php
$connect = mysqli_connect("localhost", "root", "") or die("Could not connect to server!");
mysqli_select_db($connect, "php_forum") or die("Could not connect to database!");
?>
There are a few things wrong here.
You're using the wrong identifiers for your columns in (and being quotes):
('id', 'username', 'password', 'email')
remove them
(id, username, password, email)
or use backticks
(`id`, `username`, `password`, `email`)
mysql_error() should have thrown you an error, but it didn't because of:
You're mixing MySQL APIs with mysqli_ to connect with, then mysql_ in your query.
Those two different APIs do not intermix with each other.
Use mysqli_ exclusively and change your present query to:
if($query = mysqli_query($connect, "INSERT...
and change mysql_error() to mysqli_error($connect)
as a rewrite for that block:
if(isset($_POST["submit"])){
if($query = mysqli_query($connect,"INSERT INTO users ('id', 'username', 'password', 'email') VALUES('', '".$username."', '".$password."', '".$email."')")){
echo "Success";
}else{
echo "Failure" . mysqli_error($connect);
}
}
Just to test the error, make the changes as I outlined just above, while keeping the quotes around your columns the way you have it now. You will then see the error that MySQL will throw. You can then do as I've already outlined above and remove the quotes around the column names, or replace them with backticks.
The tutorial you saw may very well used backticks, but were probably not distinguishable enough for you to tell that they were indeed backticks and not single quotes.
However, your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements, they're much safer.
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.
I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.
Also, instead of doing:
$connect = mysqli_connect("localhost", "root", "") or die("Could not connect to server!");
mysqli_select_db($connect, "php_forum") or die("Could not connect to database!");
You should be checking for errors instead, just as the manual states
$link = mysqli_connect("myhost","myuser","mypassw","mybd")
or die("Error " . mysqli_error($link));
http://php.net/manual/en/function.mysqli-connect.php
So in your case:
$connect = mysqli_connect("localhost", "root", "","php_forum")
or die("Error " . mysqli_error($connect));
Edit: and I changed action="register.php" to action="" since you're using the entire code inside the same page.
<!DOCTYPE HTML>
<html>
<head>
<title>Register</title>
</head>
<body>
<form action="" method="POST">
Username: <input type="text" name="username">
<br/>
Password: <input type="password" name="password">
<br/>
Confirm Password: <input type="password" name="confirmPassword">
<br/>
Email: <input type="text" name="email">
<br/>
<input type="submit" name="submit" value="Register"> or Log in
</form>
</body>
</html>
<?php
require('connect.php');
$username = $_POST['username'];
$password = $_POST['password'];
$confirmPassword = $_POST['confirmPassword'];
$email = $_POST['email'];
if(isset($_POST["submit"])){
if($query = mysqli_query($connect,"INSERT INTO users (`id`, `username`, `password`, `email`) VALUES ('', '".$username."', '".$password."', '".$email."')")){
echo "Success";
}else{
echo "Failure" . mysqli_error($connect);
}
}
?>
:It will echo ;Failure' so executing this bit of code
else{
echo "Failure" . mysql_error();
}
whenever $_POST["submit"]) is not set and it will be not set anytime you open you page (even if you navigate to it from your bookmark of from google search results) or when you submit you FORM in GET mode
I am trying to build a login system with registration etc.
now for the registration i use a form and the method "post". Now it fails in what i think is sending the input trough the post. can you help me fix it? here is the code involved in it:
above !doctype
<?php
include('connect.php');
// If the values are posted, insert them into the database.
if (isset($_POST["username"]) && isset($_POST["password"])){
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$query = "INSERT INTO `user` (username, password, email) VALUES ($username, $password, $email)";
$result = mysqli_query($query);
if($result){
$msg = "User Created Successfully.";
}
else
{echo "fail";}
}
?>
the form:
<div class="register-form">
<?php
if(isset($msg) & !empty($msg)){
echo $msg;
}
?>
<h1>Registreer</h1>
<form action="" method="POST">
<p><label>User Name : </label>
<input id="username" type="text" name="username" placeholder="username" /></p>
<p><label>E-Mail : </label>
<input id="password" type="email" name="email" required placeholder="name#email.com" /></p>
<p><label>Password : </label>
<input id="password" type="password" name="password" placeholder="password" /></p>
<a class="btn" href="login.php">Login</a>
<input class="btn register" type="submit" name="submit" value="Registreer" />
</form>
</div>
The connect.php
<?php
$servername = "localhost";
$username = "sqluser";
$password = "Welkom01!";
$dbname = "users";
$connection = mysqli_connect($servername, $username, $password);
if (!$connection){
die("Database Connection Failed". mysqli_error($connection));
}
$select_db = mysqli_select_db($connection, $dbname);
if (!$select_db){
die("Database Selection Failed" . mysqli_error($connection));
}
?>
Thanks in advance.
As per your originally posted question and without marking it as an edit under your newly edited question, should anyone wonder why the answer.
Since we're more than likely dealing with strings
VALUES ($username, $password, $email)
needs to be wrapped inside quotes:
VALUES ('$username', '$password', '$email')
you also need to pass DB connection to your query $result = mysqli_query($query);
Edit: (you added your DB connection code after) from your original post
Since you've not shown what your DB connection is, this would be something like
$result = mysqli_query($connection,$query);
plus, adding or die(mysqli_error($connection)) to mysqli_query()
You also have a missing & in if(isset($msg) & !empty($msg)){ which should read as if(isset($msg) && !empty($msg)){
However, your present code is open to SQL injection.
Use prepared statements, or PDO with prepared statements, they're much safer.
Passwords
I also noticed that you may be storing passwords in plain text. This is not recommended.
Use one of the following:
CRYPT_BLOWFISH
crypt()
bcrypt()
scrypt()
On OPENWALL
PBKDF2
PBKDF2 on PHP.net
PHP 5.5's password_hash() function.
Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/
Other links:
PBKDF2 For PHP
I need to send my database over to the guy who has the server for a website that I'm managing. Problem is, I'm just now starting to learn PHP and MySQL after only really knowing HTML and CSS. I need to have a form submit data such as FirstName, LastName, Date of Birth, Telephone and etc. through PHP to a MySQL database. Security isn't highly important, as no credit card numbers or anything like that will be going through. But, I'd still like to know how to get the data secure.
Inside of my database, I have a table with all of the entries I need, (FirstName,LastName, DateofBirth, etc.) and I now need to send it to him, so it will be able to store information for the website it self. Here is the problem, I am not exactly sure I am going about the coding portion the correct way.
Here is my HTML:
<html>
<body>
<form action="insert.php" method="post">
<label>First Name: </label><input type="text" name="FirstName">
<label>Last Name:</label> <input type="text" name="LastName"> <br>
<label>Date of Birth:</label> <input type="date" name="DateofBirth">
<label>Telephone:</label> <input type="tel" maxlength="10" name ="Telephone">
<input type="submit">
</form>
</body>
</html>
Here is insert.php
<?php
$con=mysqli_connect("host","username","password","database");
if (mysqli_connect_errno())
{
echo "Error, please try again later.";
}
$sql="INSERT INTO table (FirstName, LastName, DateofBirth, Telephone)
VALUES
('$_POST[FirstName]',
'$_POST[LastName]',
'$_POST[DateofBirth]',
'$_POST[Telephone]')";
if (!mysqli_query($con,$sql))
{
die('Error, please try again later.';
}
echo "Successful";
mysqli_close($con);
?>
Is this correct? Will it work the way that I am needing it to, to where I can pull the information from the table later on? Am I missing any highly crucial components of what I need?
Your code is not correct. $_Post[''] is not directly put in query and this is wrong way to insert data. You should be get data by variables. I have make insert file with database connection file please try this
$host = "hostname";
$user = "username";
$pwd = "password";
$db = "databasename";
$connect = mysql_connect($host, $user, $pwd) or die('Could not connect');
$db = mysql_select_db($db);
$firstname = $_REQUEST['FirstName'];
$lastname = $_REQUEST['LastName'];
$date = $_REQUEST['DateofBirth'];
$telephone = $_REQUEST['Telephone'];
$sql="INSERT INTO `table` (`FirstName`, `LastName`, `DateofBirth`, `Telephone`)VALUES('".$firstname."','".$lastname."','".$date."','".$telephone."')";
if (!mysqli_query($con,$sql))
{
die('Error, please try again later.');
}else{
echo "Successful";
}
This question already has an answer here:
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 3 years ago.
I am trying to create a login page so that certain users within our organization will have access to a form with sensitive information. I decided to use PHP and MySQL to do this and believe I am very close, but am having issues getting the two to connect to one another. I am using WAMP server so I have a localhost setup.
Here is my very basic html form:
<form method="post" action="addemail.php">
<label for="firstname">First Name:</label>
<input type="text" id="firstname" name="firstname" /> <br/>
<label for="lastname">Last Name:</label>
<input type="text" id="lastname" name="lastname" /> <br/>
<label for="email">Email:</label>
<input type="text" id="email" name="email" /> <br/>
<input type="submit" value="submit" name="submit"/>
</form>
On my PHP form, I have this:
$dbc = mysqli_connect('localhost', 'root', 'password', 'leadmen')
or die('Error connection to MySQL server.');
$first_name = $_POST['firstname'];
$last_name = $_POST['lastname'];
$email = $_POST['email'];
$query ="INSERT INTO leadmen_usernames (first_name, last_name, email)" .
"VALUES ('$first_name', '$last_name', '$email')";
mysqli_query($dbc, $query)
or die('Error querying database');
echo 'Username Added.';
mysqli_close($dbc);
I don't know too much about these technologies but believe the problem lies either within my connection info to $dbc = mysqli_connect, or maybe there's an error with mysqli vs mysql?
Not sure if this matters, but I used phpmyadmin to create the table.
If you see just the PHP code you probably forgot the opening PHP tag before you start to write actual PHP code.
<?php
$dbc = mysqli_connect('localhost', 'root', 'password', 'leadmen')
or die('Error connection to MySQL server.');
$first_name = $_POST['firstname'];
$last_name = $_POST['lastname'];
$email = $_POST['email'];
$query ="INSERT INTO leadmen_usernames (first_name, last_name, email)" .
"VALUES ('$first_name', '$last_name', '$email')";
mysqli_query($dbc, $query)
or die('Error querying database');
echo 'Username Added.';
mysqli_close($dbc);
?>
You can close it again with '?>'