From 19a3704acbf9801c0b1491a84828496ef46bc840 Mon Sep 17 00:00:00 2001 From: Cflip <36554078+cflip@users.noreply.github.com> Date: Sat, 23 Jan 2021 11:24:05 -0700 Subject: Form cleanup and better password hashing --- register.php | 82 ++++++++++++++++++++++++++++++++++-------------------------- 1 file changed, 46 insertions(+), 36 deletions(-) (limited to 'register.php') diff --git a/register.php b/register.php index f0cb3f5..d167c2e 100644 --- a/register.php +++ b/register.php @@ -1,12 +1,7 @@ - -echo '

Register an account

'; - -if ($_SERVER['REQUEST_METHOD'] != 'POST') { - echo ' +
+

Register an account



@@ -16,27 +11,40 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') {
- '; -} else { + + 30) { - $errors[] = 'Username must be 30 characters or less.'; - } + $user_name = ""; + $user_pass = ""; + + if (empty($_POST['user_name'])) { + $errors[] = "You must provide a username."; } else { - $errors[] = 'Please provide a username.'; + $user_name = validate($_POST['user_name']); + if (strlen($user_name) > 30) { + $errors[] = "Your username must be 30 characters or less."; + } } - if (isset($_POST['user_pass'])) { - if ($_POST['user_pass'] != $_POST['user_pass_check']) { - $errors[] = 'The two passwords do not match.'; - } + if (empty($_POST['user_pass'])) { + $errors[] = "You must provide a password."; } else { - $errors[] = 'Please provide a password.'; + $user_pass = validate($_POST['user_pass']); + $pass_check = validate($_POST['user_pass_check']); + if ($user_pass !== $pass_check) { + $errors[] = "The two passwords do not match."; + } } if (!empty($errors)) { @@ -46,22 +54,24 @@ if ($_SERVER['REQUEST_METHOD'] != 'POST') { } echo ''; } else { - $sql = "INSERT INTO users(user_name, user_pass, user_date) - VALUES('" . mysqli_real_escape_string($dbc, $_POST['user_name']) . "', - '" . sha1($_POST['user_pass']) . "', - NOW()) - "; + $sql = "INSERT INTO users(user_name, user_pass, user_date) VALUES(?, ?, NOW());"; + $stmt = mysqli_stmt_init($dbc); - $result = mysqli_query($dbc, $sql); - if (!$result) { - echo 'Failed to register account due to internal error.'; - echo mysqli_error($dbc); - } else { - echo 'Account successfully created!'; + if (!mysqli_stmt_prepare($stmt, $sql)) { + die('Could not create account due to internal error: ' . mysqli_error($dbc)); } + + $pass_hash = password_hash($user_pass, PASSWORD_DEFAULT); + + mysqli_stmt_bind_param($stmt, "ss", $user_name, $pass_hash); + mysqli_stmt_execute($stmt); + mysqli_stmt_close($stmt); + + echo 'Account successfully registered! You can now sign in'; } } +?> -echo '
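Review bot: `$pass_check = validate($_POST['user_pass_check']);` reads the confirmation field with no isset/empty guard, unlike the other two fields, so a request that omits it raises an undefined-index notice and whatever validate() makes of null is then compared against the password; guard it the same way, e.g. `$pass_check = validate($_POST['user_pass_check'] ?? '');`. The same validate() helper is applied to `$user_pass` before the next hunk hashes it; its definition is not in this diff, so if it alters its input (trimming, escaping) the login path must apply the identical transformation or passwords containing such characters will never verify — a short comment above `$user_pass = validate($_POST['user_pass']);` stating that contract would make the coupling visible. `strlen($user_name) > 30` counts bytes rather than characters, so a multibyte name well under 30 characters can be rejected while the message tells the user otherwise; `mb_strlen` matches the stated rule. The if/else around the POST branch opens outside this hunk.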
'; +
-include_once 'footer.php'; + \ No newline at end of file -- cgit v1.2.3
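Review bot: `mysqli_stmt_execute($stmt);` discards its return value, so a failed insert (for instance a duplicate user_name if that column is unique) still falls through to `echo 'Account successfully registered! ...'`; test the result first, e.g. `if (!mysqli_stmt_execute($stmt)) { error_log(mysqli_stmt_error($stmt)); die('Could not create account due to internal error.'); }`. A few lines earlier, `die('Could not create account due to internal error: ' . mysqli_error($dbc));` writes the driver's error text into the response, which discloses schema and server details to any visitor; log it with `error_log()` and keep the user-facing message generic. The outer else branch this hunk closes is opened in the previous hunk.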