Join the social network of Tech Nerds, increase skill rank, get work, manage projects...
 
  • Php Sql Injection Secure Tags

    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 719
    Answer it


    New Friends! :)

    The following is my member registration code as of latest.

    ISSUE 1: 
    I get this error:

    Parse error: syntax error, unexpected '_' (T_STRING), expecting ',' or ')' in C:\xampp\htdocs\e_id\register_edited.php on line 10

    What is wrong ? I copied the "'images/'_$FILES['avatar']['name']);" from a  youtube tutorial on how to create feature for your member site members to upload their images. It was working on my site but not now on my xammp.


    ISSUE 2:

    Is the following ok or have I got them wrong way round ? I mean the real_escape and the strtolower and the strip_tags. Eg.

    $member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"]))));

    Any mistakes I made from line 9-22 ?


    Question 3:

    Looking at my html form, do you spot any errors apart from the <center> outdated tags ? (Will replace them and design with css instead. In the middle of it now).


    Question 4:
    Should there be 2 equal signs ? Eg. "== 0" (equal to) ? instead of just "=" ?
    $member_registration_account_activation = 0;


    FULL REG PAGE CODE:

    [php]
    
    <?php
    require "conn.php";
    require "site_details.php";
    
    if  (isset($_POST['submit']))
    {
        if(!empty($_POST["member_registration_username"]) && !empty($_POST["member_registration_password"])&& !empty($_POST["member_registration_password_confirmation"])&& !empty($_POST["member_registration_email"])&& !empty($_POST["member_registration_email_confirmation"])&& !empty($_POST["member_registration_forename"])&& !empty($_POST["member_registration_surname"]))
        {
            $account_activation_link = "http://www.$site_domain.com/$site-name/activate_account.php?email=$member_registration_email&&member_registration_account_activation_code=$member_registration_account_activation_code";
            $avatar_path = trim(strip_tags(mysqli_real_escape_string($conn,'images/'_$FILES['avatar']['name']);
            $member_registration_account_activation = 0;
            $member_registration_random_numbers = random_int(0, 9999999999);
               
            $member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"]))));
            $member_registration_password = trim(strip_tags(md5(mysqli_real_escape_string($conn,$_POST["member_registration_password"]))));
            $member_registration_password_confirmation = trim(strip_tags(md5(mysqli_real_escape_string($conn,($_POST["member_registration_password_confirmation"])))));
            $member_registration_forename = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_forename"])));
            $member_registration_surname = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_surname"])));
            $member_registration_gender = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_gender"])));
            $member_registration_email = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_email"])));
            $member_registration_email_confirmation = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_email_confirmation"]));
            $member_registration_account_activation_code = trim(strip_tags(mysqli_real_escape_string($conn,"$member_registration_random_numbers")));
            
            if (preg_match("!image!", $_FILES['avatar']['type'])) 
            {        
            //copy image to images/ folder.
                if(copy($_$FILES['avatar']['tmp_name'], $avatar_path)) 
                {            
                    $_SESSION['avatar']=$avatar_path;
                }
                else
                {
                    $_SESSION['message']= "Image could not be uploaded!";
                }
            else
            {
                $_SESSION['message']= "Only gif, jpeg or png files allowed for your avatar!";
                exit();
            }
                
            if($_POST["member_registration_email"] != $_POST["member_registration_email_confirmation"])
            {
                $_SESSION['message']= "Your email inputs do not match! Try inputting again and then re-submit.";
                exit();
            }
            
            if($_POST["member_registration_password_confirmation"] != $_POST["member_registration_password_confirmation"])
            {
                $_SESSION['message']= "Your password inputs do not match! Try inputting again and then re-submit.";
                exit();
            }
        
            //Check for Username match in users    table.    
            $sql = "SELECT * FROM users WHERE Usernames ='".$member_registration_username."'";
            $result = mysqli_query($conn,$sql);
            if(mysqli_num_rows($result)!=0)
            {
                $_SESSION['message']="That Username $member_registration_username is already registered!";
                exit();
            }
    
            $sql = "SELECT * FROM users WHERE Emails ='".$member_registration_email."'";
            $result = mysqli_query($conn,$sql);
            if(mysqli_num_rows($result)>0)
            {
                $_SESSION['message']="That Email $member_registration_email is already registered!";
                exit();
            }
            
            $sql = "INSERT INTO users(Usernames,Passwords,Emails,Forenames,Surnames,Genders,Account_Activation_Codes,Account_Activations) VALUES('".$member_registration_username."','".$member_registration_password."','".$member_registration_email."','".$member_registration_forename."','".$member_registration_surname."','".$member_registration_account_activation_code."','".$member_registration_account_activation."')";
            if($sql)
            {
                $_SESSION['message']="Data insertion into table success!";
            }
            else    
            {
                $_SESSION['message']="Data insertion into table failure!";
            }
        
            $to = "$member_registration_email";
            $subject = "Your $site_name Account Activation!";
            $body = "$member_registration_forename $member_registration_surname,\n\n You need to click the following link to confirm your email address and activate your account.\n\n\
            $account_activation_link;
            $from = "$site_admin_email";
            $headers = "from: $from";
        
            mail($to,$subject,$body,$headers);
            $_SESSION['message']="Check your email for further instructions!";
        }
        else
        {
            $_SESSION['message']="You must fill-in all input fields!";
        }
    }
    
    ?>
    <!DOCTYPE html>
    <html>
    <head>
    <title><?php $site_name ?> Signup Page</title>
      <meta charset="utf-8">
    </head>
    <body>
    <div class = "container">
    <form method="post" action="">
    <center><h2>Signup Form</h2></center>
    <div class="form-group">
    <center><label>Username:</label>
    <input type="text" placeholder="Enter a unique Username" name="member_registration_username" required [A-Za-z0-9]></center>
    </div>
    <div class="form-group">
    <center><label>Password:</label>
    <input type="password" placeholder="Enter a new Password" name="member_registration_password" required [A-Za-z0-9]></center>
    </div>
    <div class="form-group">
    <center><label>Repeat Password:</label>
    <input type="password" placeholder="Repeat a new Password" name="member_registration_password_confirmation" required [A-Za-z0-9]></center>
    </div>
    <div class="form-group">
    <center><label>First Name:</label>
    <input type="text" placeholder="Enter your First Name" name="member_registration_forename" required [A-Za-z]></center>
    </div>
    <div class="form-group">
    <center><label>Surname:</label>
    <input type="text" placeholder="Enter your Surname" name="member_registration_surname" required [A-Za-z]></center>
    </div>
    <div class="form-group">
    <center><label>Gender:</label>
    <input type="radio" name="member_registration_gender" value="male" required>Male<input type="radio" name="member_registration_gender" value="female" required>Female</center>
    </div>
    <div class="form-group">
    <center><label>Email:</label>
    <input type="email" placeholder="Enter your Email" name="member_registration_email" required [A-Za-z0-9]></center>
    </div>
    <div class="form-group">
    <center><label>Repeat Email:</label>
    <input type="email" placeholder="Repeat your Email" name="member_registration_email_confirmation" required [A-Za-z0-9]></center>
    </div>
    <center><button type="submit" class="btn btn-default" name="submit">Register!</button></center>
    <center><font color="red" size="3"><b>Already have an account ?</b><br><a href="login.php">Login here!</a></font></center>
    </form>
    </div>
    </body>
    </html>
    
    [/php]

     

 0 Answer(s)

Sign In
                           OR                           
                           OR                           
Register

Sign up using

                           OR                           
Forgot Password
Fill out the form below and instructions to reset your password will be emailed to you:
Reset Password
Fill out the form below and reset your password: