authorCflip <36554078+cflip@users.noreply.github.com>2021-01-23 11:24:05 -0700
committerCflip <36554078+cflip@users.noreply.github.com>2021-01-23 11:24:05 -0700
commit19a3704acbf9801c0b1491a84828496ef46bc840 (patch)
treeaff00dc7753eb9dff38d4e556f633fd17e0dff79 /register.php
parent6a2867481359b185b32955be4de5c3bee4cdc269 (diff)
Form cleanup and better password hashing
Diffstat (limited to 'register.php')
-rw-r--r--register.php82
1 files changed, 46 insertions, 36 deletions
diff --git a/register.php b/register.php
index f0cb3f5..d167c2e 100644
--- a/register.php
+++ b/register.php
@@ -1,12 +1,7 @@
-<?php
-
-include_once 'header.php';
-include_once 'includes/db_inc.php';
+<?php include_once 'header.php';?>
-echo '<section><h2>Register an account</h2>';
-
-if ($_SERVER['REQUEST_METHOD'] != 'POST') {
- echo '
+<section>
+ <h2>Register an account</h2>
<form action="register.php" method="post">
<label for="user_name">Username: </label><br>
<input type="text" name="user_name"><br>
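Review bot: The registration form at `<form action="register.php" method="post">` carries no anti-CSRF token, so any third-party page can submit a registration on a visitor's behalf; whether header.php starts a session is not visible here, but if it does, emit a hidden token stored in `$_SESSION` and compare it with `hash_equals()` in the POST branch before touching the database. The form is also now rendered unconditionally, so after the POST branch runs it reappears above the error list or the success message. A `maxlength="30"` on the username input would mirror the server-side limit without replacing it. The `<section>` opened here is closed in the last hunk.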
@@ -16,27 +11,40 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
<input type="password" name="user_pass_check"><br>
<input type="submit" name="submit">
</form>
- ';
-} else {
+
+<?php
+include_once 'includes/db_inc.php';
+
+function validate($data) {
+ $data = trim($data);
+ $data = stripslashes($data);
+ $data = htmlspecialchars($data);
+ return $data;
+}
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$errors = array();
- if (isset($_POST['user_name'])) {
- if (!ctype_alnum($_POST['user_name'])) {
- $errors[] = 'Invalid username. Only letters and numbers are supported.';
- }
- if (strlen($_POST['user_name']) > 30) {
- $errors[] = 'Username must be 30 characters or less.';
- }
+ $user_name = "";
+ $user_pass = "";
+
+ if (empty($_POST['user_name'])) {
+ $errors[] = "You must provide a username.";
} else {
- $errors[] = 'Please provide a username.';
+ $user_name = validate($_POST['user_name']);
+ if (strlen($user_name) > 30) {
+ $errors[] = "Your username must be 30 characters or less.";
+ }
}
- if (isset($_POST['user_pass'])) {
- if ($_POST['user_pass'] != $_POST['user_pass_check']) {
- $errors[] = 'The two passwords do not match.';
- }
+ if (empty($_POST['user_pass'])) {
+ $errors[] = "You must provide a password.";
} else {
- $errors[] = 'Please provide a password.';
+ $user_pass = validate($_POST['user_pass']);
+ $pass_check = validate($_POST['user_pass_check']);
+ if ($user_pass !== $pass_check) {
+ $errors[] = "The two passwords do not match.";
+ }
}
if (!empty($errors)) {
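Review bot: `validate()` is applied to the password at `$user_pass = validate($_POST['user_pass']);`, so `trim()`, `stripslashes()` and `htmlspecialchars()` rewrite the secret before it reaches `password_hash()` in the next hunk: a password containing `&`, `<`, `"`, a backslash or surrounding spaces is stored as a hash of a different string, sign-in must replay exactly the same transformation, and because `htmlspecialchars()` gained `ENT_QUOTES` in its default flags in PHP 8.1, a PHP upgrade would silently invalidate any password containing `'`. Hash the raw submission and compare it raw; HTML escaping belongs at output, so the username should be escaped when echoed rather than before the INSERT, where the encoded form also skews the 30-character `strlen` check. The commit drops the old `ctype_alnum()` restriction on the username without a replacement, so any byte sequence is now accepted as a name. `$_POST['user_pass_check']` is read without an `isset()`/`??` guard and warns when the field is absent. The `if ($_SERVER['REQUEST_METHOD'] == 'POST')` block continues into the next hunk.
```php
    } else {
        $user_name = trim($_POST['user_name']);
        if (!ctype_alnum($user_name)) {
            $errors[] = 'Invalid username. Only letters and numbers are supported.';
        }
        // … unchanged: 30-character length check …
    }
    // … unchanged: empty-password check …
    } else {
        // Hash exactly the bytes the user typed; escape for HTML only when echoing.
        $user_pass  = $_POST['user_pass'];
        $pass_check = $_POST['user_pass_check'] ?? '';
        // … unchanged: mismatch check …
    }
```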
@@ -46,22 +54,24 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
}
echo '</ul>';
} else {
- $sql = "INSERT INTO users(user_name, user_pass, user_date)
- VALUES('" . mysqli_real_escape_string($dbc, $_POST['user_name']) . "',
- '" . sha1($_POST['user_pass']) . "',
- NOW())
- ";
+ $sql = "INSERT INTO users(user_name, user_pass, user_date) VALUES(?, ?, NOW());";
+ $stmt = mysqli_stmt_init($dbc);
- $result = mysqli_query($dbc, $sql);
- if (!$result) {
- echo 'Failed to register account due to internal error.';
- echo mysqli_error($dbc);
- } else {
- echo 'Account successfully created!';
+ if (!mysqli_stmt_prepare($stmt, $sql)) {
+ die('Could not create account due to internal error: ' . mysqli_error($dbc));
}
+
+ $pass_hash = password_hash($user_pass, PASSWORD_DEFAULT);
+
+ mysqli_stmt_bind_param($stmt, "ss", $user_name, $pass_hash);
+ mysqli_stmt_execute($stmt);
+ mysqli_stmt_close($stmt);
+
+ echo 'Account successfully registered! You can now <a href="signin.php">sign in</a>';
}
}
+?>
-echo '</section>';
+</section>
-include_once 'footer.php';
+<?php include_once 'footer.php';?> \ No newline at end of file
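Review bot: The return value of `mysqli_stmt_execute($stmt);` is ignored, so when the INSERT fails (a duplicate username if `user_name` carries a unique key, a lost connection, a too-long hash column) the page still prints `Account successfully registered!`. The new `die('Could not create account due to internal error: ' . mysqli_error($dbc));` also sends the driver's error text to the browser, which exposes table and query details; log it server-side with `error_log()` and show only the generic message. `die()` here additionally skips the closing `</section>` and the footer.php include, so a failure leaves a truncated page. The POST branch this hunk closes starts in the previous hunk.
```php
    if (!mysqli_stmt_prepare($stmt, $sql)) {
        error_log('register.php: prepare failed: ' . mysqli_error($dbc));
        die('Could not create account due to internal error.');
    }
    // … unchanged: password_hash and bind_param …
    if (!mysqli_stmt_execute($stmt)) {
        error_log('register.php: execute failed: ' . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        die('Could not create account due to internal error.');
    }
    mysqli_stmt_close($stmt);
    // … unchanged: success message …
```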