
Php Sql Injection Secure Tags

php mysql

No replies to this topic

#1 uniqueideaman


Posted 09 April 2017 - 04:22 PM

 
New Friends! :)
 
The following is my member registration code as of latest.
 
ISSUE 1: 
I get this error:
 
Parse error: syntax error, unexpected '_' (T_STRING), expecting ',' or ')' in C:\xampp\htdocs\e_id\register_edited.php on line 10
 
What is wrong? I copied the "'images/'_$FILES['avatar']['name']);" from a YouTube tutorial on how to create a feature for your member site members to upload their images. It was working on my site but not now on my XAMPP.
 
 
ISSUE 2:
 
Is the following OK, or have I got them the wrong way round? I mean the real_escape and the strtolower and the strip_tags. E.g.
 
$member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"]))));
 
Any mistakes I made from lines 9-22?
 
 
Question 3:
 
Looking at my HTML form, do you spot any errors apart from the outdated <center> tags? (Will replace them and design with CSS instead. In the middle of it now.)
 
 
Question 4:
Should there be 2 equal signs? E.g. "== 0" (equal to) instead of just "="?
$member_registration_account_activation = 0;
 
 
FULL REG PAGE CODE:
 
 
<?php
require "conn.php";
require "site_details.php";
 
if  (isset($_POST['submit']))
{
if(!empty($_POST["member_registration_username"]) && !empty($_POST["member_registration_password"])&& !empty($_POST["member_registration_password_confirmation"])&& !empty($_POST["member_registration_email"])&& !empty($_POST["member_registration_email_confirmation"])&& !empty($_POST["member_registration_forename"])&& !empty($_POST["member_registration_surname"]))
{
$account_activation_link = "http://www.$site_domain.com/$site-name/activate_account.php?email=$member_registration_email&&member_registration_account_activation_code=$member_registration_account_activation_code";
$avatar_path = trim(strip_tags(mysqli_real_escape_string($conn,'images/'_$FILES['avatar']['name']);
$member_registration_account_activation = 0;
$member_registration_random_numbers = random_int(0, 9999999999);
   
        $member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"]))));
$member_registration_password = trim(strip_tags(md5(mysqli_real_escape_string($conn,$_POST["member_registration_password"]))));
        $member_registration_password_confirmation = trim(strip_tags(md5(mysqli_real_escape_string($conn,($_POST["member_registration_password_confirmation"])))));
        $member_registration_forename = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_forename"])));
        $member_registration_surname = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_surname"])));
$member_registration_gender = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_gender"])));
        $member_registration_email = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_email"])));
        $member_registration_email_confirmation = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_email_confirmation"]));
$member_registration_account_activation_code = trim(strip_tags(mysqli_real_escape_string($conn,"$member_registration_random_numbers")));
 
if (preg_match("!image!", $_FILES['avatar']['type'])) 
{
//copy image to images/ folder.
if(copy($_$FILES['avatar']['tmp_name'], $avatar_path)) 
{
$_SESSION['avatar']=$avatar_path;
}
else
{
$_SESSION['message']= "Image could not be uploaded!";
}
else
{
$_SESSION['message']= "Only gif, jpeg or png files allowed for your avatar!";
exit();
}
 
if($_POST["member_registration_email"] != $_POST["member_registration_email_confirmation"])
{
$_SESSION['message']= "Your email inputs do not match! Try inputting again and then re-submit.";
exit();
}
        
if($_POST["member_registration_password_confirmation"] != $_POST["member_registration_password_confirmation"])
{
$_SESSION['message']= "Your password inputs do not match! Try inputting again and then re-submit.";
exit();
}
 
//Check for Username match in users table.
$sql = "SELECT * FROM users WHERE Usernames ='".$member_registration_username."'";
$result = mysqli_query($conn,$sql);
if(mysqli_num_rows($result)!=0)
{
$_SESSION['message']="That Username $member_registration_username is already registered!";
exit();
}
 
$sql = "SELECT * FROM users WHERE Emails ='".$member_registration_email."'";
$result = mysqli_query($conn,$sql);
if(mysqli_num_rows($result)>0)
{
$_SESSION['message']="That Email $member_registration_email is already registered!";
exit();
}
 
   $sql = "INSERT INTO users(Usernames,Passwords,Emails,Forenames,Surnames,Genders,Account_Activation_Codes,Account_Activations) VALUES('".$member_registration_username."','".$member_registration_password."','".$member_registration_email."','".$member_registration_forename."','".$member_registration_surname."','".$member_registration_account_activation_code."','".$member_registration_account_activation."')";
        if($sql)
   {
       $_SESSION['message']="Data insertion into table success!";
        }
   else    
   {
            $_SESSION['message']="Data insertion into table failure!";
   }
 
   $to = "$member_registration_email";
   $subject = "Your $site_name Account Activation!";
   $body = "$member_registration_forename $member_registration_surname,\n\n You need to click the following link to confirm your email address and activate your account.\n\n\
   $account_activation_link;
$from = "$site_admin_email";
   $headers = "from: $from";
 
   mail($to,$subject,$body,$headers);
   $_SESSION['message']="Check your email for further instructions!";
}
else
{
   $_SESSION['message']="You must fill-in all input fields!";
}
}
 
?>
<!DOCTYPE html>
<html>
<head>
<title><?php $site_name ?> Signup Page</title>
  <meta charset="utf-8">
</head>
<body>
<div class = "container">
<form method="post" action="">
<center><h2>Signup Form</h2></center>
<div class="form-group">
<center><label>Username:</label>
<input type="text" placeholder="Enter a unique Username" name="member_registration_username" required [A-Za-z0-9]></center>
</div>
<div class="form-group">
<center><label>Password:</label>
<input type="password" placeholder="Enter a new Password" name="member_registration_password" required [A-Za-z0-9]></center>
</div>
<div class="form-group">
<center><label>Repeat Password:</label>
<input type="password" placeholder="Repeat a new Password" name="member_registration_password_confirmation" required [A-Za-z0-9]></center>
</div>
<div class="form-group">
<center><label>First Name:</label>
<input type="text" placeholder="Enter your First Name" name="member_registration_forename" required [A-Za-z]></center>
</div>
<div class="form-group">
<center><label>Surname:</label>
<input type="text" placeholder="Enter your Surname" name="member_registration_surname" required [A-Za-z]></center>
</div>
<div class="form-group">
<center><label>Gender:</label>
<input type="radio" name="member_registration_gender" value="male" required>Male<input type="radio" name="member_registration_gender" value="female" required>Female</center>
</div>
<div class="form-group">
<center><label>Email:</label>
<input type="email" placeholder="Enter your Email" name="member_registration_email" required [A-Za-z0-9]></center>
</div>
<div class="form-group">
<center><label>Repeat Email:</label>
<input type="email" placeholder="Repeat your Email" name="member_registration_email_confirmation" required [A-Za-z0-9]></center>
</div>
<center><button type="submit" class="btn btn-default" name="submit">Register!</button></center>
<center><font color="red" size="3"><b>Already have an account ?</b><br><a href="login.php">Login here!</a></font></center>
</form>
</div>
</body>
</html>
 

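On the ordering asked about in Issue 2 and the string-built queries in the posted page: the following is an added example, not part of the original post, showing the same registration path with input normalised and validated first and every value sent to MySQL as a bound parameter, so no escaping call is needed. The function name register_member(), the username length limits and the combined duplicate check are assumptions; $conn is taken to be the mysqli connection from conn.php, and the table and column names are the ones used in the post.

```php
<?php
// Added example: hypothetical register_member() helper, not the poster's code.
// Assumes $conn is the mysqli connection from conn.php and the users table
// has the column names used in the post.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function register_member(mysqli $conn, array $post): string
{
    // 1. Normalise the raw input first. No escaping here: the bound
    //    parameters below keep user data out of the SQL text entirely.
    $username = strtolower(trim($post['member_registration_username'] ?? ''));
    $email    = trim($post['member_registration_email'] ?? '');
    $forename = trim($post['member_registration_forename'] ?? '');
    $surname  = trim($post['member_registration_surname'] ?? '');
    $gender   = $post['member_registration_gender'] ?? '';
    $password = $post['member_registration_password'] ?? '';
    $confirm  = $post['member_registration_password_confirmation'] ?? '';

    // 2. Validate each field against what it may contain
    //    (the 3-30 length limit is an assumed policy).
    if (!preg_match('/^[a-z0-9]{3,30}$/', $username)) return 'Invalid username.';
    if (!filter_var($email, FILTER_VALIDATE_EMAIL))   return 'Invalid email.';
    if (!in_array($gender, ['male', 'female'], true)) return 'Invalid gender.';
    if ($forename === '' || $surname === '')          return 'Name required.';
    if ($password === '' || $password !== $confirm)   return 'Passwords do not match.';

    // 3. Duplicate check with a prepared statement instead of concatenation.
    $stmt = $conn->prepare('SELECT 1 FROM users WHERE Usernames = ? OR Emails = ?');
    $stmt->bind_param('ss', $username, $email);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) return 'Username or email already registered.';

    // 4. Salted, slow password hash instead of md5(); activation code from a CSPRNG.
    $hash   = password_hash($password, PASSWORD_DEFAULT);
    $code   = bin2hex(random_bytes(16));
    $active = 0; // single "=" assigns; "==" would only compare

    // 5. Eight columns, eight placeholders, eight bound values.
    $stmt = $conn->prepare(
        'INSERT INTO users (Usernames, Passwords, Emails, Forenames, Surnames,
                            Genders, Account_Activation_Codes, Account_Activations)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssssssi', $username, $hash, $email, $forename,
                      $surname, $gender, $code, $active);
    $stmt->execute();
    return 'Check your email for further instructions!';
}
```

The Passwords column needs room for the password_hash() output (255 characters is the documented recommendation), and login must compare with password_verify(). Values echoed back into HTML, such as the username in a message, should pass through htmlspecialchars() at output time rather than strip_tags() at input time.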