
I am creating my first sign-in/register function for my web site by following an online tutorial. Everything seems to be working well. My problem is that in the tutorial the PHP `if ($_SERVER['REQUEST_METHOD'] == 'POST')` is set in the index page, which checks all the fields and then inserts them into the DB. But for me this does not seem to work. But if I put the code onto the page where the form action redirects to afterwards, it works fine. Is this the right way to do it? I wouldn't like to think so, because I would like to check all the variables before we move on.

So if someone would like to educate me on this would be great.

Here is my PHP code. It is still not fully finished, but I wanted to clear this up first.

This file is pulled in via `include`.

<?php

    // $link is the open mysqli connection created by the including file.

    // setup some variables/arrays
    $action = array();
    $action['result'] = null;
    $text = array();   // collects error messages for display

    // check if the form has been submitted
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {

        // debug marker: confirms that the POST branch actually ran
        $message = "wrong answer";
        echo "<script type='text/javascript'>alert('$message');</script>";

        $firstName       = mysqli_real_escape_string($link, $_POST['firstName']);
        $lastName        = mysqli_real_escape_string($link, $_POST['lastName']);
        $password        = mysqli_real_escape_string($link, $_POST['sign-up-password']);
        $confirmPassword = mysqli_real_escape_string($link, $_POST['password-confirm']);
        $email           = mysqli_real_escape_string($link, $_POST['email2']);

        // quick/simple validation
        if (empty($firstName)) { $action['result'] = 'error'; }
        if (empty($lastName))  { $action['result'] = 'error'; }
        if (empty($password))  { $action['result'] = 'error'; }
        if (empty($email))     { $action['result'] = 'error'; }

        if ($password != $confirmPassword) { $action['result'] = 'error'; }

        if ($action['result'] != 'error') {

            // NB: the password is stored as plaintext here
            $add = mysqli_query($link, "INSERT INTO `users` VALUES(NULL,'$firstName','$lastName','$password','$email',0)");

            if ($add) {
                // the user was added to the database

                // get the new user id
                $userid = mysqli_insert_id($link);

                // create a key from name, email and current month (predictable, not random)
                $key = $firstName . $email . date('mY');
                $key = md5($key);

                // add confirm row
                $confirm = mysqli_query($link, "INSERT INTO `confirm` VALUES(NULL,'$userid','$key','$email')");

                if ($confirm) {

                    // let's send the email
                }
            } else {

                $action['result'] = 'error';
                // mysqli_error($link) replaces mysql_error(), which belongs to the old mysql extension
                array_push($text, 'User could not be added to the database. Reason: ' . mysqli_error($link));

            }
        }
    }

?>
  • `if ($_SERVER['REQUEST_METHOD'] == 'POST')` checks if a form has been submitted over the global `$_POST` array. So you'll only need to have this before any code that handles the input, as a check to see if a form has been submitted. – Qirel Mar 11 '16 at 10:37
  • @Qirel Not too sure what you mean. I have this at the top of my index at the moment, which does not work. I was using `if(isset($_POST['signup']))` but read that this is an incorrect way to do it as IE has some problems. – Alexander Kirwan Mar 11 '16 at 10:41
  • Oh, and thanks for your reply – Alexander Kirwan Mar 11 '16 at 10:42
  • `mysqli_real_escape_string` does not protect you from SQL injections. Use `prepared statements` or use `Zaffy's approach` as described in http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Ramon Bakker Mar 11 '16 at 10:42
  • The browser isn't depending on that, because PHP is parsed on the server side, before being sent to the browser. `if (isset($_POST['signup']))` is as good as a check. And as I said, those `if`-statements check if a form has been submitted, and it will execute the code inside only, and only if, a form has been submitted. – Qirel Mar 11 '16 at 10:44
  • @RamonBakker OK, I will implement that, thanks. – Alexander Kirwan Mar 11 '16 at 11:06
  • @Qirel How would you go about it, so? What I'm thinking is I can use JavaScript to check if the fields are empty, but what if I want to check if the email address is already in use before proceeding? – Alexander Kirwan Mar 11 '16 at 11:08
  • You should always do validation on a server-side level (in PHP, you can do `if (empty($email)) { /* do something */ }`), but there's nothing wrong in doing it in client-side (Java) as well, it makes for better user experience. If you want to check if an email is in use, run a select for that email, something like `SELECT COUNT('email') FROM users WHERE email = '$email'` -- although all of these queries are prone to SQL-injection, so you should convert to prepared statements (escaping isn't *always* enough). – Qirel Mar 11 '16 at 11:18
  • Also, passwords **really should be hashed**, it's a big no-no to store them in plaintext! Have a read at http://php.net/manual/en/function.password-hash.php (you should avoid `sha1` and `md5` if you can) – Qirel Mar 11 '16 at 11:19
  • @Qirel Okay, thanks very much. I'll get on that straight away. Thanks for your help. – Alexander Kirwan Mar 11 '16 at 12:32
  • Not sure, but date seems a bad thing to use as salt. The date is ALWAYS relative to the current system/server time. So when logging in the day after, the salt changes, so the key is different. Perhaps also a smart idea to use hash512 instead of md5, md5 became a little unsafe. – Demiën Drost Mar 11 '16 at 13:26
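The handler below pulls the comments' suggestions together (prepared statements, a parameterised "email already in use" check, and `password_hash()` instead of plaintext storage). It is an added example, not the asker's or any commenter's code; it assumes `$link` is an open mysqli connection, and the `users` column names are assumptions, since the original `INSERT` used positional `VALUES`.

```php
<?php
// Added example, not the asker's or a commenter's code. Assumes $link is an open
// mysqli connection; the `users` column names are assumptions (the original
// INSERT used positional VALUES).
function register_user(mysqli $link, array $post): array
{
    $result = ['result' => null, 'errors' => []];
    // Raw input; no escaping needed because every query below is parameterised.
    $firstName = trim($post['firstName'] ?? '');
    $lastName  = trim($post['lastName'] ?? '');
    $password  = $post['sign-up-password'] ?? '';
    $confirm   = $post['password-confirm'] ?? '';
    $email     = trim($post['email2'] ?? '');

    if ($firstName === '' || $lastName === '' || $password === '' || $email === '') {
        $result['errors'][] = 'All fields are required.';
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $result['errors'][] = 'Invalid email address.';
    }
    if ($password !== $confirm) {
        $result['errors'][] = 'Passwords do not match.';
    }
    // The "is this email already in use" check from the comments, parameterised.
    $stmt = $link->prepare('SELECT COUNT(*) FROM `users` WHERE `email` = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    if ($count > 0) {
        $result['errors'][] = 'Email address is already registered.';
    }
    if ($result['errors']) {
        $result['result'] = 'error';
        return $result;
    }
    // Store only a password_hash() digest, never the plaintext password.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $link->prepare('INSERT INTO `users` (`first_name`, `last_name`, `password_hash`, `email`, `active`)'
                         . ' VALUES (?, ?, ?, ?, 0)');
    $stmt->bind_param('ssss', $firstName, $lastName, $hash, $email);
    $result['result'] = $stmt->execute() ? 'ok' : 'error';
    $stmt->close();
    return $result;
}
// Runs only when the form was actually POSTed; a GET just renders the page.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $action = register_user($link, $_POST);
}
```

For the `confirm` row, derive the key from `bin2hex(random_bytes(16))` rather than an `md5()` of name, email and date, since the latter is both predictable and, as noted above, changes from month to month.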

0 Answers