Please Is This Script Free From Sql Injection And Xss Attacks - Webmasters - Nairaland

Please Is This Script Free From Sql Injection And Xss Attacks by Nobody: 7:17am On Jan 20, 2017
I wrote a PHP script and I've tried to make the login as secure as possible, but I wonder if there are any flaws and whether it's free from *XSS* attacks and *SQL injection*, and also about the login cookies and session.

Here is the code:
Re: Please Is This Script Free From Sql Injection And Xss Attacks by Nobody: 7:19am On Jan 20, 2017
**register.php**

<?php require('includes/config.php');
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
$data = filter_var($data, FILTER_SANITIZE_STRING);
return $data;
}
//if logged in redirect to members page
if( $user->is_logged_in() ){ header('Location: memberpage.php'); }

$getline = test_input($_GET['line']);
$stmt = $db->prepare('SELECT * FROM members WHERE username=:getref');
$stmt->execute(array(':getref' => $getline));
while($result = $stmt->fetch(PDO::FETCH_ASSOC)){

$referral = $result['username'];
$referralz = $result['referral'];
}

$stmt = $db->prepare('SELECT * FROM members WHERE username = :referrall');
$stmt->execute(array(':referrall' => $referralz));
while($resultt = $stmt->fetch(PDO::FETCH_ASSOC)){

$sponsor = $resultt['username'];


}

if (empty($referral)){
$referral = "General";

}

if (empty($sponsor)){
$sponsor = "Omosco";

}



//if form has been submitted process it
if(isset($_POST['submit'])){

//very basic validation
if(strlen($_POST['bankaccount']) < 3){
$error[] = 'Bank Account is too short.';
}

if(!empty($_POST['bankaccount'])){

$bankaccount = test_input($_POST["bankaccount"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[0-9]+$/",$bankaccount)) {
$error[] = 'Bank Account: Only numbers are allowed';
}
}
if(strlen($_POST['firstname']) < 2){
$error[] = 'First name is too short.';
}

if(!empty($_POST['firstname'])){

$firstname = test_input($_POST["firstname"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z .]*$/",$firstname)) {
$error[] = 'Firstname: Only alphabet, dot and white space is allowed';
}
}
if(strlen($_POST['lastname']) < 2){
$error[] = 'Last name is too short.';
}

if(!empty($_POST['lastname'])){

$lastname = test_input($_POST["lastname"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z .]*$/",$lastname)) {
$error[] = 'Lastname: Only alphabet, dot and white space is allowed';
}
}
if(strlen($_POST['phonenumber']) < 7){
$error[] = 'Phone number is too short.';
}

if(!empty($_POST['phonenumber'])){

$phonenumber = test_input($_POST["phonenumber"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^((\+)?[1-9]{1,2})?([-\s\.])?((\(\d{1,4}\))|\d{1,4})(([-\s\.])?[0-9]{1,12}){1,2}(\s*(ext|x)\s*\.?:?\s*([0-9]+))?$/",$phonenumber)) {
$error[] = 'Phone Number: Only number and + is allowed';
}
}
if(strlen($_POST['country']) < 1){
$error[] = 'No country selected.';
}

if(!empty($_POST['country'])){

$country = test_input($_POST["country"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z .]*$/",$country)) {
$error[] = 'Country: Only letters, dot and white space are allowed';
}
}
if(strlen($_POST['bankname']) < 2){
$error[] = 'Bank name is too short.';
}

if(!empty($_POST['bankname'])){

$bankname = test_input($_POST["bankname"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z0-9 .]*$/",$bankname)) {
$error[] = 'BankName: Only number, alphabet, dot and white space are allowed';
}
}

if(!empty($_POST['username'])){

$username = test_input($_POST["username"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z0-9]*$/",$username)) {
$error[] = 'Username: Only alphabet and number is allowed';
}
}


if(strlen($_POST['username']) < 3){
$error[] = 'Username is too short.';
}



else {
$usernamexx = test_input($_POST['username']);
$stmt = $db->prepare('SELECT username FROM members WHERE username = :username');
$stmt->execute(array(':username' => $usernamexx));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if(!empty($row['username'])){
$error[] = 'Username provided is already in use.';
}

}

if(!empty($_POST['password'])){

$password = test_input($_POST["password"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z0-9]*$/",$password)) {
$error[] = 'Password: 1 upper/lower case & number is required';
}
}
if(strlen($_POST['password']) < 3){
$error[] = 'Password is too short.';
}

if(strlen($_POST['passwordConfirm']) < 3){
$error[] = 'Confirm password is too short.';
}

if($_POST['password'] != $_POST['passwordConfirm']){
$error[] = 'Passwords do not match.';
}

//email validation



if(!empty($_POST['email'])){

$email = test_input($_POST["email"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z0-9._*@#]*$/",$email)) {
$error[] = 'Email: Invalid email address';
}
}

if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)){
$error[] = 'Please enter a valid email address';
} else {
$emailxx = test_input($_POST['email']);
$stmt = $db->prepare('SELECT email FROM members WHERE email = :email');
$stmt->execute(array(':email' => $emailxx));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if(!empty($row['email'])){
$error[] = 'Email provided is already in use.';
}

}


//if no errors have been created carry on
if(!isset($error)){

//hash the password
$hashedpassword = $user->password_hash($_POST['password'], PASSWORD_BCRYPT);
$thedate = date("Y-m-d H:i:s");
$thepause = "pause";
$thecomment = "Please call me on and after payment. Dont forget to upload the details of your payment.";
//create the activasion code
$activasion = md5(uniqid(rand(),true));

try {

//insert into database with a prepared statement
$stmt = $db->prepare('INSERT INTO members (username,password,email,active,sponsor,referral,bankaccount,surname,name,bankname,phone,country,joindate,pause,downlinemsg) VALUES (:username, :password, :email, :active, :sponsor, :referral, :bankaccount, :surname, :name, :bankname, :phone, :country, :joindate, :pause, :downlinemsg)');
$stmt->execute(array(
':username' => $username,
':password' => $hashedpassword,
':email' => $email,
':active' => $activasion,
':sponsor' => $sponsor,
':referral' => $referral,
':bankaccount' => $bankaccount,
':surname' => $firstname,
':name' => $lastname,
':bankname' => $bankname,
':phone' => $phonenumber,
':country' => $country,
':joindate' => $thedate,
':pause' => $thepause,
':downlinemsg' => $thecomment
));
$id = $db->lastInsertId('memberID');

//send email
$emailxxx = test_input($_POST['email']);
$to = $emailxxx;
$subject = "Registration Confirmation";
$body = "<p>Thank you for registering at our site.</p>
<p>To activate your account, please click on this link: <a href='".DIR."activate.php?x=$id&y=$activasion'>".DIR."activate.php?x=$id&y=$activasion</a></p>
<p>Regards Site Admin</p>";

$mail = new Mail();
$mail->setFrom(SITEEMAIL);
$mail->addAddress($to);
$mail->subject($subject);
$mail->body($body);
$mail->send();

//redirect to index page
header('Location: register.php?action=joined');
exit;

//else catch the exception and show the error.
} catch(PDOException $e) {
$error[] = $e->getMessage();
}

}

}

//define page title
$title = 'Register';

//include header template
require('layout/header.php');
?>
<!-- jQuery Form Validation code -->
<script type="text/javascript" language="JavaScript">
<!--
// Password check
$.validator.addMethod("pwcheck", function (value) {
return /[a-z]/.test(value) && /[0-9]/.test(value) && /[A-Z]/.test(value)
});

$.validator.addMethod("firstnamev", function (value) {
return /^[a-z .]+$/i.test(value)
});
$.validator.addMethod("lastnamev", function (value) {
return /^[a-z .]+$/i.test(value)
});

$.validator.addMethod("banknamev", function (value) {
return /^[a-z .]+$/i.test(value)
});
$.validator.addMethod("countryv", function (value) {
return /^[a-z .]+$/i.test(value)
});
$.validator.addMethod("usernamev", function (value) {
return /[a-zA-Z]/.test(value) && /^[a-zA-Z0-9]+$/i.test(value)
});

$.validator.addMethod("phonenumberv", function (value) { return (value.match(/^((\+)?[1-9]{1,2})?([-\s\.])?((\(\d{1,4}\))|\d{1,4})(([-\s\.])?[0-9]{1,12}){1,2}(\s*(ext|x)\s*\.?:?\s*([0-9]+))?$/)); });


$.validator.addMethod('bankaccountv', function (value) {
return /^[0-9]+$/.test(value);
});

// Removes Error Message When reCaptcha is Checked Valid
function recaptchaCallback() {
$('#hiddenRecaptcha').valid();
};

$(function () {

$("#RegisterForm").validate({
ignore: ".ignore",

invalidHandler : function() {
$('html, body').animate({
scrollTop: $("#RegisterForm").offset().top // scroll top to your form on error
}, 'slow' );
}
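Added example, not code from the thread: the registration flow above rewritten so the SQL injection and XSS questions can be checked by running it. The posted script already binds every query parameter through PDO prepared statements, so the SQL side holds as long as the connection in includes/config.php is not left with emulated prepares on an unspecified charset. The XSS side is where the layering is wrong: test_input() applies stripslashes() and htmlspecialchars() before the data is stored, so the database holds pre-encoded text that is double-encoded if it is escaped again on output, while any field rendered without escaping is still exploitable. Other points visible in the posted code: the redirect for logged-in users has no exit after it, so the rest of the script still runs; the password check rejects everything except letters and digits while its error message promises an upper/lower/number rule it never verifies; the activation code comes from md5(uniqid(rand(), true)) rather than a CSPRNG; and the PDOException message is appended to the errors shown to the user. The script below validates and rejects at input, stores values verbatim, escapes in one place at render time, derives the activation token from random_bytes() and stores only its hash, and hides driver errors. Assumptions: PHP 8.0+ with pdo_sqlite; the in-memory SQLite database, the reduced members table and the hostile inputs are constructed for this demo and stand in for the MySQL setup behind includes/config.php.

```php
<?php
// Added example, not the thread's code. Same registration steps, but: validate and
// reject at input, bind every query parameter, escape only when rendering HTML, and
// store a hash of a CSPRNG activation token. In-memory SQLite stands in for the
// MySQL connection behind includes/config.php (needs pdo_sqlite): php register_hardened.php
declare(strict_types=1);
function validateUsername(string $u): ?string {
    return preg_match('/^[a-zA-Z0-9]{3,30}$/', $u) === 1 ? $u : null;
}
function validateEmail(string $e): ?string {
    $e = filter_var(trim($e), FILTER_VALIDATE_EMAIL);
    return $e === false ? null : $e;
}
function validateBankName(string $b): ?string {   // free text: length-limit, store verbatim
    $b = trim($b);
    return ($b !== '' && strlen($b) <= 60) ? $b : null;
}
function escapeHtml(string $s): string {          // the only place HTML escaping happens
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function newActivationToken(): string {           // 256 CSPRNG bits, not md5(uniqid(rand(), true))
    return bin2hex(random_bytes(32));
}
function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE members (memberID INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT UNIQUE NOT NULL, password TEXT NOT NULL, email TEXT UNIQUE NOT NULL,
        bankname TEXT NOT NULL, active TEXT NOT NULL)');
}
// Returns ['ok'=>true,'id'=>..,'token'=>..] or ['ok'=>false,'errors'=>[..]]. The password
// reaches password_hash() untouched: no trim/stripslashes/htmlspecialchars on it.
function registerMember(PDO $db, array $post): array {
    $errors   = [];
    $username = validateUsername($post['username'] ?? '');
    $email    = validateEmail($post['email'] ?? '');
    $bankname = validateBankName($post['bankname'] ?? '');
    $password = $post['password'] ?? '';
    if ($username === null) $errors[] = 'Username: 3-30 letters or digits.';
    if ($email === null)    $errors[] = 'Please enter a valid email address.';
    if ($bankname === null) $errors[] = 'Bank name: 1-60 characters.';
    if (strlen($password) < 8) $errors[] = 'Password: at least 8 characters.';
    if (($post['passwordConfirm'] ?? null) !== $password) $errors[] = 'Passwords do not match.';
    if ($errors) return ['ok' => false, 'errors' => $errors];
    $token = newActivationToken();                // the raw token goes only into the email
    $stmt  = $db->prepare('INSERT INTO members (username, password, email, bankname, active)
                           VALUES (:username, :password, :email, :bankname, :active)');
    try {
        $stmt->execute([':username' => $username, ':email' => $email, ':bankname' => $bankname,
            ':password' => password_hash($password, PASSWORD_DEFAULT),
            ':active'   => hash('sha256', $token)]);
    } catch (PDOException $e) {
        error_log($e->getMessage());              // log the driver error, never display it
        return ['ok' => false, 'errors' => ['Username or email already in use.']];
    }
    return ['ok' => true, 'id' => (int) $db->lastInsertId(), 'token' => $token];
}
function findByUsername(PDO $db, string $username): array|false {
    $stmt = $db->prepare('SELECT * FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);          // bound: quotes and -- are plain data
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
function activate(PDO $db, int $id, string $token): bool {
    $stmt = $db->prepare('SELECT active FROM members WHERE memberID = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);       // constant-time compare of the hashes
    return $row !== false && hash_equals($row['active'], hash('sha256', $token));
}
function renderProfile(array $row): string {
    return '<p>User: ' . escapeHtml($row['username']) . ' Bank: ' . escapeHtml($row['bankname']) . '</p>';
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
createSchema($db);
// Constructed hostile input: an injection-shaped bank name carrying an XSS payload, and a
// password made of the characters test_input() would have altered.
$pw   = "pa's\"s<&>word9";
$evil = "Bob's <b>Bank</b>' OR 1=1 --";
$r = registerMember($db, ['username' => 'alice1', 'email' => 'alice@example.com',
    'bankname' => $evil, 'password' => $pw, 'passwordConfirm' => $pw]);
if (!$r['ok']) throw new RuntimeException(implode(' ', $r['errors']));
$row = findByUsername($db, 'alice1');
if ($row['bankname'] !== $evil) throw new RuntimeException('stored value was altered');
if (!password_verify($pw, $row['password'])) throw new RuntimeException('password round-trip failed');
if (findByUsername($db, "alice1' OR '1'='1") !== false) throw new RuntimeException('injection worked');
if (str_contains(renderProfile($row), '<b>')) throw new RuntimeException('unescaped output');
if (!activate($db, $r['id'], $r['token']) || activate($db, $r['id'], str_repeat('0', 64)))
    throw new RuntimeException('activation check broken');
// Re-registering the same username is refused with a generic message, not the SQL error.
$dup = registerMember($db, ['username' => 'alice1', 'email' => 'b@example.com',
    'bankname' => 'Any', 'password' => $pw, 'passwordConfirm' => $pw]);
echo ($dup['ok'] ? 'duplicate accepted' : $dup['errors'][0]), "\n", renderProfile($row), "\n";
```

The self-checks throw if any property fails: the stored bank name is byte-for-byte what was submitted, the quote-laden password verifies, the injection-shaped username matches no row, the rendered profile contains no raw tag, and a wrong 64-character token does not activate the account. The duplicate-username path shows the user a generic message while the UNIQUE violation goes to error_log(), which is the behaviour the posted catch block should have instead of pushing $e->getMessage() into $error.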
Re: Please Is This Script Free From Sql Injection And Xss Attacks by Okporiaku: 3:29pm On Aug 14, 2022
Almost
New methods are out
But u try
Re: Please Is This Script Free From Sql Injection And Xss Attacks by Xedmark: 10:35pm On Aug 14, 2022
Coming online to show off someone else's work is just funny, and if it's yours, well, clap for yourself. Now, the SQL connection in your code can be manipulated and part or some parts of your program can be hijacked. Therefore show us what you've got in your config.php; that is the only way to determine if it can be injected.
Re: Please Is This Script Free From Sql Injection And Xss Attacks by Chatflick(m): 2:19am On Aug 15, 2022
You should use a prepared statement in the MySQL code and also bind_param. That way, you'll directly specify the expected input and type.
Re: Please Is This Script Free From Sql Injection And Xss Attacks by nnamdiosu(m): 1:15am On Aug 16, 2022
Okporiaku:
Almost
New methods are out
But u try
What are the new methods?
