Review my PHP login and register script, and profile page, and how to improve them

There are some things that I know that need to be fixed, such as mysql_* needing to be converted to PDO, and using a better hash. I am working on building a social networking site, and I've been having issues with some of the mysql like mysql_real_escape_string and implementing newer techniques. Any criticism and/or help would be very appreciated.

register script

```
prepare('SELECT username FROM users WHERE username = :username');
if ($statement->execute(array(':username' => $un))) {
if ($statement->rowCount() > 0){
//user exists
echo "Username already exists, please choose another user name.";
exit();
}
}
//check all of the fields have been filled in
if ($fn&&$ln&&$un&&$em&&$em2&&$pswd&&$pswd2) {
//check that passwords match
if ($pswd==$pswd2) {
//check the maximum length of username/first name/last name does not exceed 25 characters
if (strlen($un)>25||strlen($fn)>25||strlen($ln)>25) {
echo "The maximum limit for username/first name/last name is 25 characters!";
}
else
{
//check the length of the password is between 5 and 30 characters long
if (strlen($pswd)>30||strlen($pswd)setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
$sql = 'INSERT INTO users (username, first_name, last_name, email, password, sign_up_date)';
$sql .= 'VALUES (:username, :first_name, :last_name, :e

for your register script

$ln = (!empty($_POST['lname'])) ? $_POST['lname'] : '';
$un = (!empty($_POST['username'])) ? $_POST['username'] : '';
$em = (!empty($_POST['email'])) ? $_POST['email'] : '';
$em2 = (!empty($_POST['email2'])) ? $_POST['email2'] : '';
$pswd = (!empty($_POST['password'])) ? $_POST['password'] : '';
$pswd2 = (!empty($_POST['password2'])) ? $_POST['password2'] : '';
$d = date("y-m-d");

• use more descriptive variable names. looking at $ln, $un, $em, $em2 and $d is a real pain to look at lower in the code. Try $lastname, $username, etc.

• instead of using (!empty($_POST['fname'])) make it the reverse so you dont have to do a negate. try using (empty($_POST['fname'])) ? '' : $_POST['fname']

• Instead of $reg = @$_POST['reg']; and if($fn && $ln && $un && $em && $em2 && $pswd && $pswd2) try: $doRegistration = isset($_POST['reg']) && !(



empty($_POST['lname']) ||
empty($_POST['username']) ||
empty($_POST['email']) ||
empty($_POST['email2']) ||
empty($_POST['password']) ||
empty($_POST['password2'])). Doing this will avoid opening a database connection to check the username if your not actually going to create an account. Only open a database connection when you have all your data lined up and ready to go.

• use constants when ever possible. so for if(strlen($un)>25||strlen($fn)>25||strlen($ln)>25) change 25 to something like USERNAME_MAX_LENGTH, FIRSTNAME_MAX_LENGTH and LASTNAME_MAX_LENGTH by defining it like so: define('USERNAME_MAX_LENGTH', 25); etc. do the same for password length also.

for your login script

• There is no need to filter your password and username with preg_replace before you use it in your prepared statement. Just use the pdo::bindParam function and it will escape the input for you.

• It's not a good idea to store the password in your session. See this on security.

in profile.php

• try to use a better variable name than $get and $check. maybe something like $row and $query would be more suitable.

• And you already know this but stop using mysql_* functions and change that over to PDO with prepared statements with param binding.

• Since your not checking for special characters in the username upon registration you need to htmlencode it when you echo it. change all instances of echo $username; to echo(htmlentities($username));

StackExchange Code Review Q#23792, answer score: 3