patternjavascriptMinor
Simple AJAX login/register script
Viewed 0 times
scriptsimpleajaxloginregister
Problem
I'm using Twitter Bootstrap. I haven't coded anything significant web design related in a while, because I've been doing desktop stuff and games. I'm trying to get back into the flow of things. Can anyone tell me if what I have is sufficient without going into ridiculous detail (the script, not the answer)?
Partial HTML:
JavaScript:
PHP:
```
connect_errno) {
echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
if (isset($_POST['inputRegisterSubmit']))
{
if (!($stmt = $mysqli->prepare("INSERT INTO users(user_name, user_pass, user_email, user_date) VALUES (?, ?, ?, ?)"))) {
echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
$user_name = $_POST['inputRegisterUsername'];
$user_pass = $_POST['inputRegisterPassword'];
$
Partial HTML:
Login
Username
Password
Submit
JavaScript:
$(document).ready(function() {
$('#register').submit(function(event) {
event.preventDefault();
$.post('process.php', {
inputRegisterSubmit: '',
inputRegisterUsername: $('#inputRegisterUsername').val(),
inputRegisterPassword: $('#inputRegisterPassword').val(),
inputConfirmPassword: $('#inputConfirmPassword').val()
}).done(function(data) {
$('#registerOutput').html(data);
if (data.indexOf("success") !== -1)
$('#registerContainer').slideUp();
});
});
$('#login').submit(function(event) {
event.preventDefault();
$.post('process.php', {
inputLoginSubmit: '',
inputLoginUsername: $('#inputLoginUsername').val(),
inputLoginPassword: $('#inputLoginPassword').val()
}).done(function(data) {
$('#loginOutput').html(data);
if (data.indexOf("success") !== -1)
$('#loginContainer').slideUp();
});
});
});
PHP:
```
connect_errno) {
echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
if (isset($_POST['inputRegisterSubmit']))
{
if (!($stmt = $mysqli->prepare("INSERT INTO users(user_name, user_pass, user_email, user_date) VALUES (?, ?, ?, ?)"))) {
echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
$user_name = $_POST['inputRegisterUsername'];
$user_pass = $_POST['inputRegisterPassword'];
$
Solution
If you plan on putting this out in the wild (the web), I suggest you handle your error feedback a little more user friendly. If this is for your home server and you'll be the only one using it, it's fine. But displaying binding or executing errors definitely helps attackers get an insight of your methods.
Also, you seem to have forgotten to actually check the username when they log in? You're seeing if there's a row with that password (more on that below), and then if there's one or more accounts with that password, you log them in?
You should be checking to make sure there is exactly one row with the user-submitted username and password. Perhaps you accidentally just forgot this part!
More on your passwords! You have some protection: you're binding. But that's it? You're storing your passwords in plain text! Go ahead and read this to learn a bit more on how you should be keeping your sensitive data in databases!
Also, you seem to have forgotten to actually check the username when they log in? You're seeing if there's a row with that password (more on that below), and then if there's one or more accounts with that password, you log them in?
You should be checking to make sure there is exactly one row with the user-submitted username and password. Perhaps you accidentally just forgot this part!
More on your passwords! You have some protection: you're binding. But that's it? You're storing your passwords in plain text! Go ahead and read this to learn a bit more on how you should be keeping your sensitive data in databases!
Context
StackExchange Code Review Q#29766, answer score: 3
Revisions (0)
No revisions yet.