PHP
Donald, 2015-12-28 17:41:22

Is such registration safe and correct?

I am a beginner in PHP, studying locally, and now I asked myself the following question: am I doing it right? I would like to know what errors there are and how safe such a registration is.

<?php
session_start(); // needed: the captcha check below reads $_SESSION['captcha']

$my = mysqli_connect("localhost", "root", "") or die("Ошибка");
mysqli_select_db($my, "user");

// isset($_POST) is always true (the superglobal always exists); check that a form was actually submitted
if (!empty($_POST)) {
    // escape the raw input, then HTML-encode it; the MD5 digest of the password is stored
    $name     = htmlspecialchars(mysqli_real_escape_string($my, $_POST['name']));
    $login    = htmlspecialchars(mysqli_real_escape_string($my, $_POST['login']));
    $password = htmlspecialchars(mysqli_real_escape_string($my, md5($_POST['password'])));
    $captcha  = $_POST['captcha'];

    // look up an existing row with this login (runs before the input is validated)
    $query = mysqli_query($my, "SELECT * FROM `use` WHERE login='$login'") or die("Ошибка");
    $user  = mysqli_fetch_assoc($query); // false when no row matches

    if ($name == "" || $login == "" || $password == "") {
        echo "Заполните пустые поля";
    }
    else if (!preg_match("/^[a-zA-Z0-9\-\_\[\]\(\)]+$/i", $login)) {
        echo "Недопустимые символы";
    }
    else {
        if ($_SESSION['captcha'] == $captcha && $user['login'] !== $login) {
            $query = mysqli_query($my, "INSERT INTO `use` (`name`, `login`, `password`) VALUES ('$name', '$login', '$password')") or die("Ошибка");
            echo "Вы успешно зарегистрировались";
        }
        else if ($user['login'] == $login) {
            echo "Такой логин уже зарегистрирован";
        }
        else {
            echo "Каптча ведена неверно";
        }
    }
}


6 answer(s)
Alexey Nikolaev, 2015-12-28
@Heian

1. Remove all htmlspecialchars, mysqli_real_escape_string and the like from the code.
2. Use PDO and placeholders (the best guide).
3. Don't use md5; upgrade to PHP 5.5 and use the Password API (or at least SHA if you can't upgrade).
4. Check the received data for invalid characters before any operations with them (right now your first query runs before the check).
After these 4 points the code will already be much better and safer.

Alexander Litvinenko, 2015-12-28
@edli007

Use php.net/manual/ru/pdo.prepare.php instead of:

$name = htmlspecialchars(mysqli_real_escape_string($my,$_POST['name']));
$login = htmlspecialchars(mysqli_real_escape_string($my,$_POST['login']));
$password = htmlspecialchars(mysqli_real_escape_string($my,md5($_POST['password'])));
$captcha = $_POST['captcha'];
$query = mysqli_query($my,("SELECT * FROM `use` WHERE login='$login'")) or die("Error");
$user = mysqli_fetch_assoc($query);

and hash the password
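The two answers above (Alexey Nikolaev's four points and the PDO-prepare suggestion) describe the fix without showing it, so here is an added example of what the same registration handler looks like when rebuilt that way. This is not the asker's code and not code from either answerer; it assumes a table named `users` (the question uses `use`) with a UNIQUE index on `login`, a database called `user`, a low-privilege MySQL account `register_app` whose password comes from the `DB_PASSWORD` environment variable, and that some other page has already stored the expected captcha text in `$_SESSION['captcha']`. It also goes one step beyond the answers by replacing the SELECT-then-INSERT duplicate check (a race between two concurrent registrations) with the database's unique constraint.

```php
<?php
// Added example (not the asker's code): registration rebuilt along the lines of the answers above.
// Assumptions: table `users` with a UNIQUE index on `login`, database `user`,
// a low-privilege account `register_app`, and $_SESSION['captcha'] set by a separate page.
declare(strict_types=1);
session_start();

// Point 4: validate everything before a single query is issued.
function validateRegistration(array $post): array
{
    $name     = trim((string)($post['name'] ?? ''));
    $login    = trim((string)($post['login'] ?? ''));
    $password = (string)($post['password'] ?? '');
    $captcha  = (string)($post['captcha'] ?? '');

    if ($name === '' || $login === '' || $password === '') {
        throw new InvalidArgumentException('Please fill in all fields');
    }
    // Same character whitelist as in the question, now with a length bound and applied before any query.
    if (!preg_match('/^[a-zA-Z0-9\-_\[\]()]{3,32}$/', $login)) {
        throw new InvalidArgumentException('Invalid characters in login');
    }
    // Compare against the server-side copy only, in constant time, and allow one attempt per captcha.
    if (!isset($_SESSION['captcha']) || !hash_equals((string)$_SESSION['captcha'], $captcha)) {
        throw new InvalidArgumentException('Captcha entered incorrectly');
    }
    unset($_SESSION['captcha']);

    return [$name, $login, $password];
}

// Point 2: PDO with server-side prepared statements; no manual escaping anywhere.
function connectDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=user;charset=utf8mb4',
        'register_app',                      // assumption: not root
        getenv('DB_PASSWORD') ?: '',         // assumption: secret comes from the environment
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // values are sent separately from the SQL text
        ]
    );
}

// Point 3: store a password_hash() digest instead of md5.
// Duplicate logins are rejected by the UNIQUE index, which also closes the SELECT/INSERT race.
function registerUser(PDO $pdo, string $name, string $login, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO `users` (`name`, `login`, `password`) VALUES (:name, :login, :password)'
    );
    try {
        $stmt->execute([':name' => $name, ':login' => $login, ':password' => $hash]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation, i.e. the login already exists.
        if (($e->errorInfo[0] ?? '') === '23000') {
            return false;
        }
        throw $e;
    }
}

// The matching login check: verify against the stored hash, never compare digests yourself.
function checkLogin(PDO $pdo, string $login, string $password): bool
{
    $stmt = $pdo->prepare('SELECT `password` FROM `users` WHERE `login` = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        [$name, $login, $password] = validateRegistration($_POST);
        $ok = registerUser(connectDb(), $name, $login, $password);
        // Point 1: htmlspecialchars belongs on output, not on input.
        $msg = $ok ? "Registered as $login" : "Login $login is already taken";
        echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    } catch (InvalidArgumentException $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two design choices worth noting: with `PDO::ATTR_EMULATE_PREPARES` set to false the user-supplied values never become part of the SQL string at all, which is why the escaping calls can simply go; and `password_verify()` is the only correct way to check a `password_hash()` digest, since the algorithm and salt are encoded inside the stored string.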

romy4, 2015-12-28
@romy4

The minimum against SQL injections will hold, but security is a very broad matter and goes far beyond escaping special characters.

Rustamka Vorontsov, 2015-12-28
@rmfordev

I agree with Alexey Nikolaev.
And it's better to learn with a framework and work with MVC; if you want to figure it out in a week, I can suggest Laravel 5.

Donald Dak, 2015-12-28
@Don_Donald

Thanks to all!

Anar4you, 2015-12-29
@Anar4you

I advise you to use Yii or CodeIgniter for such simple registrations (the latter is currently being updated).
