#1
UniqueIdeaMan (Contributing User, Devshed Newbie; joined Jan 2017)

Question: PHP SQL Injection Secure Tags


    New Friends!

    The following is my member registration code as of latest.

    ISSUE 1:
    I get this error:

    Parse error: syntax error, unexpected '_' (T_STRING), expecting ',' or ')' in C:\xampp\htdocs\e_id\register_edited.php on line 10

    What is wrong? I copied the "'images/'_$FILES['avatar']['name']);" from a YouTube tutorial on how to create a feature for your member site's members to upload their images. It was working on my site but not now on my XAMPP.


    ISSUE 2:

    Is the following OK, or have I got them the wrong way round? I mean the real_escape, the strtolower and the strip_tags. E.g.

    $member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"]))));

    Any mistakes I made from lines 9-22?


    Question 3:

    Looking at my HTML form, do you spot any errors apart from the outdated <center> tags? (Will replace them and design with CSS instead. In the middle of it now.)


    Question 4:
    Should there be 2 equal signs? E.g. "== 0" (equal to) instead of just "="?
    $member_registration_account_activation = 0;


    FULL REG PAGE CODE:

    PHP Code:

    <?php
    session_start(); // $_SESSION is written below, so the session has to be started first
    require "conn.php";
    require "site_details.php";

    if (isset($_POST['submit']))
    {
        if(!empty($_POST["member_registration_username"]) && !empty($_POST["member_registration_password"]) && !empty($_POST["member_registration_password_confirmation"]) && !empty($_POST["member_registration_email"]) && !empty($_POST["member_registration_email_confirmation"]) && !empty($_POST["member_registration_forename"]) && !empty($_POST["member_registration_surname"]))
        {
            // This is the line reported in the parse error (line 10 of register_edited.php).
            $avatar_path = trim(strip_tags(mysqli_real_escape_string($conn,'images/'_$FILES['avatar']['name'])));

            $member_registration_account_activation = 0;

            $member_registration_random_numbers = random_int(0, 9999999999);

            $member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"]))));
            $member_registration_password = trim(strip_tags(md5(mysqli_real_escape_string($conn,$_POST["member_registration_password"]))));
            $member_registration_password_confirmation = trim(strip_tags(md5(mysqli_real_escape_string($conn,$_POST["member_registration_password_confirmation"]))));
            $member_registration_forename = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_forename"])));
            $member_registration_surname = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_surname"])));
            $member_registration_gender = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_gender"])));
            $member_registration_email = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_email"])));
            $member_registration_email_confirmation = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_email_confirmation"])));
            $member_registration_account_activation_code = trim(strip_tags(mysqli_real_escape_string($conn,"$member_registration_random_numbers")));

            // Built after the variables it interpolates have been assigned.
            $account_activation_link = "http://www.$site_domain.com/$site_name/activate_account.php?email=$member_registration_email&member_registration_account_activation_code=$member_registration_account_activation_code";

            if (preg_match("!image!", $_FILES['avatar']['type']))
            {
                //copy image to images/ folder.
                if(copy($_FILES['avatar']['tmp_name'], $avatar_path))
                {
                    $_SESSION['avatar'] = $avatar_path;
                }
                else
                {
                    $_SESSION['message'] = "Image could not be uploaded!";
                }
            }
            else
            {
                $_SESSION['message'] = "Only gif, jpeg or png files allowed for your avatar!";
                exit();
            }

            if($_POST["member_registration_email"] != $_POST["member_registration_email_confirmation"])
            {
                $_SESSION['message'] = "Your email inputs do not match! Try inputting again and then re-submit.";
                exit();
            }

            if($_POST["member_registration_password"] != $_POST["member_registration_password_confirmation"])
            {
                $_SESSION['message'] = "Your password inputs do not match! Try inputting again and then re-submit.";
                exit();
            }

            //Check for Username match in users table.
            $sql = "SELECT * FROM users WHERE Usernames ='".$member_registration_username."'";
            $result = mysqli_query($conn,$sql);
            if(mysqli_num_rows($result) != 0)
            {
                $_SESSION['message'] = "That Username $member_registration_username is already registered!";
                exit();
            }

            //Check for Email match in users table.
            $sql = "SELECT * FROM users WHERE Emails ='".$member_registration_email."'";
            $result = mysqli_query($conn,$sql);
            if(mysqli_num_rows($result) > 0)
            {
                $_SESSION['message'] = "That Email $member_registration_email is already registered!";
                exit();
            }

            // Eight columns, eight values (Genders was missing from the VALUES list).
            $sql = "INSERT INTO users(Usernames,Passwords,Emails,Forenames,Surnames,Genders,Account_Activation_Codes,Account_Activations) VALUES('".$member_registration_username."','".$member_registration_password."','".$member_registration_email."','".$member_registration_forename."','".$member_registration_surname."','".$member_registration_gender."','".$member_registration_account_activation_code."','".$member_registration_account_activation."')";
            // The query has to be executed; testing $sql alone only checks that the string is non-empty.
            if(mysqli_query($conn,$sql))
            {
                $_SESSION['message'] = "Data insertion into table success!";
            }
            else
            {
                $_SESSION['message'] = "Data insertion into table failure!";
            }

            $to = "$member_registration_email";
            $subject = "Your $site_name Account Activation!";
            $body = "$member_registration_forename $member_registration_surname,\n\nYou need to click the following link to confirm your email address and activate your account.\n\n$account_activation_link";
            $from = "$site_admin_email";
            $headers = "From: $from";

            mail($to,$subject,$body,$headers);
            $_SESSION['message'] = "Check your email for further instructions!";
        }
        else
        {
            $_SESSION['message'] = "You must fill-in all input fields!";
        }
    }
    ?>
    <!DOCTYPE html>
    <html>
    <head>
    <title><?php echo $site_name ?> Signup Page</title>
      <meta charset="utf-8">
    </head>
    <body>
    <div class="container">
    <form method="post" action="">
    <center><h2>Signup Form</h2></center>
    <div class="form-group">
    <center><label>Username:</label>
    <input type="text" placeholder="Enter a unique Username" name="member_registration_username" required [A-Za-z0-9]></center>
    </div>
    <div class="form-group">
    <center><label>Password:</label>
    <input type="password" placeholder="Enter a new Password" name="member_registration_password" required [A-Za-z0-9]></center>
    </div>
    <div class="form-group">
    <center><label>Repeat Password:</label>
    <input type="password" placeholder="Repeat a new Password" name="member_registration_password_confirmation" required [A-Za-z0-9]></center>
    </div>
    <div class="form-group">
    <center><label>First Name:</label>
    <input type="text" placeholder="Enter your First Name" name="member_registration_forename" required [A-Za-z]></center>
    </div>
    <div class="form-group">
    <center><label>Surname:</label>
    <input type="text" placeholder="Enter your Surname" name="member_registration_surname" required [A-Za-z]></center>
    </div>
    <div class="form-group">
    <center><label>Gender:</label>
    <input type="radio" name="member_registration_gender" value="male" required>Male<input type="radio" name="member_registration_gender" value="female" required>Female</center>
    </div>
    <div class="form-group">
    <center><label>Email:</label>
    <input type="email" placeholder="Enter your Email" name="member_registration_email" required [A-Za-z0-9]></center>
    </div>
    <div class="form-group">
    <center><label>Repeat Email:</label>
    <input type="email" placeholder="Repeat your Email" name="member_registration_email_confirmation" required [A-Za-z0-9]></center>
    </div>
    <center><button type="submit" class="btn btn-default" name="submit">Register!</button></center>
    <center><font color="red" size="3"><b>Already have an account ?</b><br><a href="login.php">Login here!</a></font></center>
    </form>
    </div>
    </body>
    </html>
#2
Forgotten Moderator (Devshed Supreme Being; Washington, USA; joined Mar 2007)
    Originally Posted by UniqueIdeaMan
    I get this error:

    Parse error: syntax error, unexpected '_' (T_STRING), expecting ',' or ')' in C:\xampp\htdocs\e_id\register_edited.php on line 10

    What is wrong? I copied the "'images/'_$FILES['avatar']['name']);" from a YouTube tutorial on how to create a feature for your member site's members to upload their images. It was working on my site but not now on my XAMPP.
    That code will not work anywhere.

    Have you been learning about file uploads? Or just copying and pasting code? If you've been learning (really, if you know anything about PHP) then you should be able to look at that line and spot the two problems with it.

    Originally Posted by UniqueIdeaMan
    Is the following OK, or have I got them the wrong way round? I mean the real_escape, the strtolower and the strip_tags. E.g.

    $member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"]))));
    Are you just throwing functions at it and hoping the result is correct?

    Originally Posted by UniqueIdeaMan
    Any mistakes I made from lines 9-22?
    Yes, but see previous answer.

    Originally Posted by UniqueIdeaMan
    Looking at my HTML form, do you spot any errors apart from the outdated <center> tags? (Will replace them and design with CSS instead. In the middle of it now.)
    You aren't using the regex validation feature of <input>s correctly. Please learn more about it.

    Originally Posted by UniqueIdeaMan
    Should there be 2 equal signs? E.g. "== 0" (equal to) instead of just "="?
    $member_registration_account_activation = 0;
    I'm going to answer that with more questions:
    1. What does = mean?
    2. What does == mean?
    3. Which of those is appropriate to use at that location?

    Comments on this post

    • Sepodati agrees : Great answer.
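
    Beyond the two syntax problems the moderator points at, the posted upload code decides whether a file is an image from $_FILES['avatar']['type'], which the browser supplies and an attacker controls, and stores the file under the client's own filename, so a name like shell.php or ../../something lands on disk as sent. The following is an added example (editor's code, not the original poster's or the tutorial's) of how the avatar step can be written so those decisions are made from the file bytes and a server-generated name. It assumes the form field is still called "avatar" and that avatars live under images/ next to the script, as in the posted page; the 2 MB limit is an arbitrary choice.

```php
<?php
// Added example: avatar upload handling for the registration page above.
// Assumptions: form field "avatar", storage directory images/ beside this
// script, 2 MB size cap. None of this is the original poster's code.

declare(strict_types=1);

// Accepted types, keyed by the MIME type detected from the file contents.
// $_FILES['avatar']['type'] is never consulted: the client chooses that value.
const AVATAR_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns [true, 'images/<name>'] on success or [false, <message>] on failure.
// $file is one entry of $_FILES (e.g. $_FILES['avatar']).
function store_avatar(array $file, string $dir = __DIR__ . '/images'): array
{
    // 1. Did PHP receive a file at all, without an upload error?
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'Image could not be uploaded!'];
    }
    $tmp = $file['tmp_name'] ?? '';

    // 2. Only accept a path that came through the upload mechanism, so a
    //    forged tmp_name cannot make the script copy an arbitrary server file.
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        return [false, 'Image could not be uploaded!'];
    }

    // 3. Size limit before any parsing of the content.
    if (($file['size'] ?? 0) > 2 * 1024 * 1024) {
        return [false, 'Avatar must be 2 MB or smaller.'];
    }

    // 4. Sniff the real MIME type from the bytes (libmagic via ext/fileinfo).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if ($mime === false || !isset(AVATAR_TYPES[$mime])) {
        return [false, 'Only gif, jpeg or png files allowed for your avatar!'];
    }

    // 5. Confirm it actually parses as an image; getimagesize() returns false
    //    for anything that merely starts with an image signature.
    if (getimagesize($tmp) === false) {
        return [false, 'Only gif, jpeg or png files allowed for your avatar!'];
    }

    // 6. Never reuse the client's filename. Generate the name server-side and
    //    force the extension from the detected type, so ".php" can never appear.
    $name = bin2hex(random_bytes(16)) . '.' . AVATAR_TYPES[$mime];
    $dest = rtrim($dir, '/') . '/' . $name;

    if (!move_uploaded_file($tmp, $dest)) {
        return [false, 'Image could not be uploaded!'];
    }
    return [true, 'images/' . $name];
}

// Usage inside the registration handler, replacing the preg_match/copy block:
// [$ok, $result] = store_avatar($_FILES['avatar'] ?? []);
// if ($ok) {
//     $_SESSION['avatar'] = $result;
// } else {
//     $_SESSION['message'] = $result;
//     exit();
// }
```

    Two points worth keeping in mind when dropping this in: the web server should also be configured not to execute scripts from images/, since content sniffing is a second line of defence and not a substitute for that, and the function returns a relative path rather than the absolute one so that what ends up in $_SESSION (and later in the database) is exactly what the page will print in an <img src>.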
#3
UniqueIdeaMan (Contributing User)
    I am now reading this, since so many programmers are against me not using prepared statements:

    3 Ways to Prevent SQL Injection in PHP - wikiHow

    The following, however, did my head in earlier on and put me off PHP!

    PHP: Prepared statements and stored procedures - Manual
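
    As an added example for the two posts above (editor's code, not from the original poster or the linked pages): the username check, email check and INSERT from the posted registration page, rewritten with mysqli prepared statements. It also answers the "which order" question from the first post by not layering mysqli_real_escape_string, strip_tags and md5 at all: the input is validated against the shape it must have, the password goes through password_hash(), and every value reaches MySQL as a bound parameter, so there is no point at which escaping applies. It assumes $conn is the mysqli connection from conn.php and the same users table and column names as the posted code; the username pattern and 8-character minimum are choices made for the example.

```php
<?php
// Added example: prepared-statement version of the registration page's
// database work. Assumes $conn (mysqli, from conn.php) and the table
// users(Usernames, Passwords, Emails, Forenames, Surnames, Genders,
// Account_Activation_Codes, Account_Activations) from the posted code.

declare(strict_types=1);

// Make mysqli throw on errors instead of returning false, so a failed
// prepare() cannot be silently mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validate, do not "sanitise": reject anything outside the allowed shape.
// Server-side counterpart of the <input pattern="..."> the form was aiming for.
function validate_username(string $raw): ?string
{
    $username = strtolower(trim($raw));
    return preg_match('/^[a-z0-9]{3,30}$/', $username) === 1 ? $username : null;
}

function validate_email(string $raw): ?string
{
    $email = trim($raw);
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// The value travels to MySQL separately from the SQL text, so an input such as
//   x' OR '1'='1
// is compared literally against the column and matches nothing.
function identity_taken(mysqli $conn, string $column, string $value): bool
{
    // Identifiers cannot be bound; allow only the two columns this page uses.
    if (!in_array($column, ['Usernames', 'Emails'], true)) {
        throw new InvalidArgumentException('unexpected column');
    }
    $stmt = $conn->prepare("SELECT 1 FROM users WHERE $column = ? LIMIT 1");
    $stmt->bind_param('s', $value);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    return $taken;
}

// Returns the message to put in $_SESSION['message'].
function register_user(mysqli $conn, array $post): string
{
    $username = validate_username($post['member_registration_username'] ?? '');
    $email    = validate_email($post['member_registration_email'] ?? '');
    $password = $post['member_registration_password'] ?? '';

    if ($username === null || $email === null || strlen($password) < 8) {
        return 'Invalid username, email or password.';
    }
    if ($email !== trim($post['member_registration_email_confirmation'] ?? '')) {
        return 'Your email inputs do not match! Try inputting again and then re-submit.';
    }
    if ($password !== ($post['member_registration_password_confirmation'] ?? '')) {
        return 'Your password inputs do not match! Try inputting again and then re-submit.';
    }
    if (identity_taken($conn, 'Usernames', $username)) {
        return "That Username $username is already registered!";
    }
    if (identity_taken($conn, 'Emails', $email)) {
        return "That Email $email is already registered!";
    }

    // password_hash() (bcrypt by default) replaces md5(): salted and slow,
    // and checked at login with password_verify(), never by string comparison.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // 128 bits from a CSPRNG for the activation code; random_int(0, 9999999999)
    // yields about 33 bits, which is guessable for a link that activates accounts.
    $activation_code = bin2hex(random_bytes(16));
    $activated = 0;

    $forename = trim($post['member_registration_forename'] ?? '');
    $surname  = trim($post['member_registration_surname'] ?? '');
    $gender   = in_array($post['member_registration_gender'] ?? '', ['male', 'female'], true)
              ? $post['member_registration_gender'] : '';

    $stmt = $conn->prepare(
        'INSERT INTO users (Usernames, Passwords, Emails, Forenames, Surnames, Genders,
                            Account_Activation_Codes, Account_Activations)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssssssi', $username, $hash, $email, $forename, $surname,
                      $gender, $activation_code, $activated);
    $ok = $stmt->execute();
    $stmt->close();

    return $ok ? 'Data insertion into table success!' : 'Data insertion into table failure!';
}

// Usage in the page: $_SESSION['message'] = register_user($conn, $_POST);
```

    Note that strip_tags() has disappeared as well: it is an output-side concern, and the right place to neutralise HTML is htmlspecialchars() at the moment a stored value is echoed into a page, not before it is stored. The one string that is interpolated into SQL here, $column, is checked against a fixed list first, because bound parameters cover values, not identifiers.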
