Roman Romanov, 2015-10-12 18:17:33

PHP registration. Is it the right way of thinking?

I am writing a small news site for practice and am currently at the stage of writing authorization. The gist so far is this: there is a main index.htm file containing only a login form, which (for now) also serves for registration. A login/password pair is entered into the fields, the presence of this pair in the database is checked, and if it is not there, it is recorded. I used the session to save the input data; in show.htm I just display for myself what the user entered, and I check the input parameters in the same file. Please evaluate it if possible: point out the mistakes, give some guidance or nudge me in the right direction.) The PHP files are placed in a separate directory. In the .htm files I try to include only the necessary files. Rate the code)
index.htm

<!DOCTYPE HTML>
<html>
<head>
  <meta http-equiv="content-type" content="text/html" />
  <meta name="author" content="admin" />
  <title>вход</title>
</head>
<body>
    <form action="php/session.php" method="post">
        <label>Логин:<br /><input type="text" name="login" value="<?php echo filter_var($_SESSION['login'], FILTER_SANITIZE_SPECIAL_CHARS); ?>" /><br /></label>
        <label>Пароль:<br /><input type="password" name="pass" value="<?php echo filter_var($_SESSION['pass'], FILTER_SANITIZE_SPECIAL_CHARS); ?>" /><br /></label>
        <label>Почта:<br /><input type="text" name="email" value="<?php echo filter_var($_SESSION['email'], FILTER_SANITIZE_EMAIL); ?>" /><br /></label>
        <label><button type="submit">Войти</button></label>
    </form>
</body>
</html>

php/session.php
<?php
session_start();
$whitelist = array(
        'login' => 'login',
        'pass' => 'pass',
        'email' => 'email'
);
$incoming = array_keys(array_intersect_key($_POST, $whitelist));
foreach($whitelist as $key){
    $_SESSION[$key] = $_POST[$key];
}
header('Location: show.htm');

php/users.php
<?php
$SelectFromDb = "SELECT * FROM people WHERE name = '$login'";
$res = mysqli_query($mysqli, $SelectFromDb);
$num = mysqli_num_rows($res);
if ($num == 0) {
    $querry = "INSERT INTO people(name, pass, email) VALUES('$login', '$pass', '$email')";
    $result = mysqli_query($mysqli, $querry) or die("Ошибка записи!");
} else {
    echo "Ошибка записи в БД! Данный логин уже существует!";
}

php/show.htm
<?php
session_start();
$login = filter_var($_SESSION['login'], FILTER_SANITIZE_SPECIAL_CHARS);
$pass = filter_var($_SESSION['pass'], FILTER_SANITIZE_SPECIAL_CHARS);
$email = filter_var($_SESSION['email'], FILTER_SANITIZE_EMAIL);
require_once ('db.php');
?>
<!DOCTYPE HTML>
<html>
<head>
  <meta http-equiv="content-type" content="text/html" />
  <meta name="author" content="admin" />
  <title>Результат</title>
</head>
<body>
<table>
    <tr>
        <?php echo $login; ?>
    </tr>
    <tr>
        <?php echo $pass; ?>
    </tr>
    <tr>
        <?php echo $email; ?>
    </tr>
</table>
    <form action="../index.htm" method="post">
        <input type="hidden" name="login" value="<?php echo $login; ?>" />
        <input type="hidden" name="pass" value="<?php echo $pass; ?>" />
        <input type="hidden" name="email" value="<?php echo $email; ?>" />
        <button type="submit">Редактровать</button>
    </form>
<?php require_once('users.php'); ?>
</body>
</html>

4 answer(s)
Alexey Skobkin, 2015-10-12
@Roman_Romanov

the username/password pair is entered into the fields, the presence of this pair in the database is checked, if not, then it is written

A so-so approach. Well, it works in some places, but it has to be applied very wisely. Otherwise your users will register an account and then wonder why their settings have disappeared.
foreach($whitelist as $key){
    $_SESSION[$key] = $_POST[$key];
}

Look towards filter_input with a filter for the desired data type, if you want to dig deeper without frameworks for now.
And why is all the PHP in HTML files?
Considering that you did not display anything here, you could, for example, skip the redirect and simply execute the necessary logic and show another page. However, the difference between the two options is small, so you can leave it like that.
Hello, SQL injection! Filter the input, as I said above. It is better to use prepared queries and parameter binding; that way the data will be safe. In general, it is better to use PDO (not forgetting about prepared queries and parameter binding).
This is about the first three blocks of code.
In general, I strongly recommend that you familiarize yourself with the PSR standards, and read (and take in) PHP The Right Way (there is a translation if necessary).
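An added example (not the answerer's or the asker's code) of the filter_input approach suggested above, rewriting the session.php step with a per-field validation definition; the login format and minimum password length are choices assumed for this example only:

```php
<?php
// Added example (not the asker's session.php): validate the POSTed fields
// with filter_input_array() and a per-field filter definition, instead of
// copying $_POST straight into $_SESSION.
declare(strict_types=1);
session_start();   // needed on every page that reads or writes $_SESSION

// Assumed field rules: the login pattern and the minimum password length
// below are choices made for this example, not requirements from the question.
$definition = [
    'login' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/'],
    ],
    'pass'  => FILTER_UNSAFE_RAW,      // kept verbatim: it is hashed, never displayed
    'email' => FILTER_VALIDATE_EMAIL,
];
// Keys not listed in $definition are ignored. With the third argument set,
// missing fields come back as null; fields that fail validation come back as false.
$input = filter_input_array(INPUT_POST, $definition, true);

$valid = is_array($input)
    && !in_array(null, $input, true)
    && !in_array(false, $input, true)
    && strlen($input['pass']) >= 8;
if (!$valid) {
    http_response_code(400);
    exit('Invalid login, password or e-mail');
}

// Only data that later pages need to display goes into the session. The
// password is consumed by the registration step (hash it there) rather than
// being carried around in $_SESSION.
session_regenerate_id(true);   // new session id once the session gains state
$_SESSION['login'] = $input['login'];
$_SESSION['email'] = $input['email'];
// When echoing these back into HTML, escape at output time, e.g.
// htmlspecialchars($_SESSION['login'], ENT_QUOTES, 'UTF-8').
header('Location: show.htm');
exit;
```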

Denis, 2015-10-12
@prototype_denis

The session is not started in index.htm.
FILTER_SANITIZE_SPECIAL_CHARS is almost FILTER_SANITIZE_FULL_SPECIAL_CHARS, which is equivalent to htmlspecialchars(). htmlspecialchars would be shorter:
htmlspecialchars($text, ENT_COMPAT, 'UTF-8', true);
For now, fix these two points.

twobomb, 2015-10-19
@twobomb

I do not recommend storing passwords in their original form. When adding a password to the database, use the md5($pass) function.
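An added example, written for this page and not taken from any of the answers, that puts together two points raised in this thread: Alexey's advice to use PDO with prepared queries and parameter binding for the users.php logic, and the advice just above not to store passwords in their original form, here done with PHP's built-in password_hash()/password_verify(). It assumes an in-memory SQLite database (pdo_sqlite) standing in for the MySQL "people" table, with a table layout constructed for the example:

```php
<?php
// Added example (not the asker's users.php): registration and login using
// PDO prepared statements and password_hash()/password_verify().
// Assumption: an in-memory SQLite database replaces the question's MySQL
// "people" table; the table layout below is constructed for this example.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (
    id    INTEGER PRIMARY KEY,
    name  TEXT NOT NULL UNIQUE,
    pass  TEXT NOT NULL,
    email TEXT NOT NULL
)');

/** Register a user; returns false if the login is already taken. */
function register(PDO $pdo, string $login, string $pass, string $email): bool
{
    // Parameter binding: the values travel separately from the SQL text,
    // so a quote inside $login cannot alter the query's structure.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM people WHERE name = :name');
    $stmt->execute([':name' => $login]);
    if ((int) $stmt->fetchColumn() > 0) {
        return false;
    }
    // Store a salted, slow hash of the password, never the password itself.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $ins = $pdo->prepare(
        'INSERT INTO people (name, pass, email) VALUES (:name, :pass, :email)'
    );
    $ins->execute([':name' => $login, ':pass' => $hash, ':email' => $email]);
    return true;
}

/** Check a login/password pair against the stored hash. */
function login(PDO $pdo, string $login, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT pass FROM people WHERE name = :name');
    $stmt->execute([':name' => $login]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed sample input; the apostrophe in the login is handled safely
// by the bound parameter.
echo register($pdo, "o'neil", 'correct horse', 'o@example.com') ? "registered\n" : "login taken\n";
echo register($pdo, "o'neil", 'other pass', 'x@example.com') ? "registered\n" : "login taken\n";
echo login($pdo, "o'neil", 'correct horse') ? "login ok\n" : "login failed\n";
echo login($pdo, "o'neil", 'wrong pass') ? "login ok\n" : "login failed\n";
```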

Roman Romanov, 2015-10-13
@Roman_Romanov

The 2nd line in users.php corrected to:

$SelectFromDb = "SELECT * FROM people WHERE name = '". $login . "'";
session_start(); // added to index.htm
