author | Cflip <36554078+cflip@users.noreply.github.com> | 2021-01-23 11:24:05 -0700 |
---|---|---|
committer | Cflip <36554078+cflip@users.noreply.github.com> | 2021-01-23 11:24:05 -0700 |
commit | 19a3704acbf9801c0b1491a84828496ef46bc840 (patch) | |
tree | aff00dc7753eb9dff38d4e556f633fd17e0dff79 /register.php | |
parent | 6a2867481359b185b32955be4de5c3bee4cdc269 (diff) |
Form cleanup and better password hashing
Diffstat (limited to 'register.php')
-rw-r--r-- | register.php | 82 |
1 files changed, 46 insertions, 36 deletions
diff --git a/register.php b/register.php
index f0cb3f5..d167c2e 100644
--- a/register.php
+++ b/register.php
@@ -1,12 +1,7 @@
-<?php
-
-include_once 'header.php';
-include_once 'includes/db_inc.php';
+<?php include_once 'header.php';?>
 
-echo '<section><h2>Register an account</h2>';
-
-if ($_SERVER['REQUEST_METHOD'] != 'POST') {
- echo '
+<section>
+ <h2>Register an account</h2>
 <form action="register.php" method="post">
 <label for="user_name">Username: </label><br>
 <input type="text" name="user_name"><br>
@@ -16,27 +11,40 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
 <input type="password" name="user_pass_check"><br>
 <input type="submit" name="submit">
 </form>
- ';
-} else {
+
+<?php
+include_once 'includes/db_inc.php';
+
+function validate($data) {
+ $data = trim($data);
+ $data = stripslashes($data);
+ $data = htmlspecialchars($data);
+ return $data;
+}
+
+if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 $errors = array();
- if (isset($_POST['user_name'])) {
- if (!ctype_alnum($_POST['user_name'])) {
- $errors[] = 'Invalid username. Only letters and numbers are supported.';
- }
- if (strlen($_POST['user_name']) > 30) {
- $errors[] = 'Username must be 30 characters or less.';
- }
+ $user_name = "";
+ $user_pass = "";
+
+ if (empty($_POST['user_name'])) {
+ $errors[] = "You must provide a username.";
 } else {
- $errors[] = 'Please provide a username.';
+ $user_name = validate($_POST['user_name']);
+ if (strlen($user_name) > 30) {
+ $errors[] = "Your username must be 30 characters or less.";
+ }
 }
- if (isset($_POST['user_pass'])) {
- if ($_POST['user_pass'] != $_POST['user_pass_check']) {
- $errors[] = 'The two passwords do not match.';
- }
+ if (empty($_POST['user_pass'])) {
+ $errors[] = "You must provide a password.";
 } else {
- $errors[] = 'Please provide a password.';
+ $user_pass = validate($_POST['user_pass']);
+ $pass_check = validate($_POST['user_pass_check']);
+ if ($user_pass !== $pass_check) {
+ $errors[] = "The two passwords do not match.";
+ }
 }
 if (!empty($errors)) {
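Review bot: `validate()` is applied to the password at `$user_pass = validate($_POST['user_pass']);`, so `stripslashes` and `htmlspecialchars` rewrite any password containing a backslash, quote, `&`, `<` or `>` before it reaches `password_hash`; the stored hash will then only verify if the sign-in page applies the identical transform, which this diff does not show. Output escaping belongs at echo time, not on input that is hashed or bound through a prepared statement, so hash the password exactly as submitted: `$user_pass = $_POST['user_pass']; $pass_check = $_POST['user_pass_check'] ?? '';` (the `??` also avoids an undefined-index notice when the confirm field is absent) and keep the `!==` comparison. The same `htmlspecialchars` inflates `strlen($user_name)` when the name contains `&`, so the 30-character limit is measured on the escaped form rather than what the user typed, and the previous `ctype_alnum` restriction on usernames is removed without a replacement. Note also that `empty()` rejects the literal username `0`; `!isset(...) || $_POST['user_name'] === ''` is the precise test.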
@@ -46,22 +54,24 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
 }
 echo '</ul>';
 } else {
- $sql = "INSERT INTO users(user_name, user_pass, user_date)
- VALUES('" . mysqli_real_escape_string($dbc, $_POST['user_name']) . "',
- '" . sha1($_POST['user_pass']) . "',
- NOW())
- ";
+ $sql = "INSERT INTO users(user_name, user_pass, user_date) VALUES(?, ?, NOW());";
+ $stmt = mysqli_stmt_init($dbc);
 
- $result = mysqli_query($dbc, $sql);
- if (!$result) {
- echo 'Failed to register account due to internal error.';
- echo mysqli_error($dbc);
- } else {
- echo 'Account successfully created!';
+ if (!mysqli_stmt_prepare($stmt, $sql)) {
+ die('Could not create account due to internal error: ' . mysqli_error($dbc));
 }
+
+ $pass_hash = password_hash($user_pass, PASSWORD_DEFAULT);
+
+ mysqli_stmt_bind_param($stmt, "ss", $user_name, $pass_hash);
+ mysqli_stmt_execute($stmt);
+ mysqli_stmt_close($stmt);
+
+ echo 'Account successfully registered! You can now <a href="signin.php">sign in</a>';
 }
 }
+?>
 
-echo '</section>';
+</section>
 
-include_once 'footer.php';
+<?php include_once 'footer.php';?>
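Review bot: The return value of `mysqli_stmt_execute($stmt)` is discarded, so an insert that fails (for example a duplicate username, if `user_name` carries a unique constraint — the schema is not in this diff) still prints "Account successfully registered!" and sends the user to sign in with an account that does not exist. The `die(...)` on prepare failure also writes `mysqli_error($dbc)` into the half-rendered page, exposing driver details to the client; log it with `error_log()` and show a generic message. The rewritten tail checks execute, reports failure generically, and closes the statement on both paths.
```php
        $pass_hash = password_hash($user_pass, PASSWORD_DEFAULT);

        mysqli_stmt_bind_param($stmt, "ss", $user_name, $pass_hash);
        if (!mysqli_stmt_execute($stmt)) {
            error_log('register.php: insert failed: ' . mysqli_stmt_error($stmt));
            echo 'Could not create account due to an internal error.';
        } else {
            echo 'Account successfully registered! You can now <a href="signin.php">sign in</a>';
        }
        mysqli_stmt_close($stmt);
```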
\ No newline at end of file |