patternphpMinor
Increase security of sign up form code
Viewed 0 times
securityincreasecodeformsign
Problem
Does my PHP look secure enough for a sign up form?
<?php
$con=mysqli_connect("host","user","password","db_name");
$sql="INSERT INTO users values (?, ?, ?)";
if ($stmt = mysqli_prepare($con,$sql)) {
mysqli_stmt_bind_param($stmt, "sss",
$_POST["username"], $_POST["pwd"], $_POST["email"]);
if (mysqli_stmt_execute($stmt)) {
echo "User added!";
}
}Solution
It looks like you have a good and solid
The prepare just means that the insert will not break anything, but if you run a SQL Query on the information in that column where someone has entered SQL injection Characters it could still crash the database.
Please make sure the input is safe all the way around. Alert the user that they cannot enter certain characters but be aware you are asking for an e-mail address there too. The Password should be encrypted, not sure whether you should do that here or in the Database itself, probably in the PHP, but that is another review altogether.
Insert, probably pretty safe, but this still allows a user to enter data into the database that could be run at a later time, you should still check the input coming in before inserting it into the Database even though it has been "prepared".The prepare just means that the insert will not break anything, but if you run a SQL Query on the information in that column where someone has entered SQL injection Characters it could still crash the database.
Please make sure the input is safe all the way around. Alert the user that they cannot enter certain characters but be aware you are asking for an e-mail address there too. The Password should be encrypted, not sure whether you should do that here or in the Database itself, probably in the PHP, but that is another review altogether.
Context
StackExchange Code Review Q#37383, answer score: 3
Revisions (0)
No revisions yet.