I'm creating a basic sign up form, where I want to validate the user input. I've read a LOT of different methods of doing this. First of all, mine is not working because it echoes "Email is valid" when it is not a valid email. I really wish I could figure out the most efficient, succinct way of doing this!

So my two questions are:

1.) Is there something wrong in my code that says it's a valid email even though it isn't?

2.) How can I make this as efficient as possible?

Here is the code:

<?php
include('functions.php');

$server = "localhost";
$auth = "root";
$pass = "password";
$db = "users";

$conn = connect_to_db($server, $auth, $pass, $db);

$signup = isset($_POST['submit']);
$output = NULL;

if( $signup ){
  $username = htmlspecialchars($_POST['username']);
  $password = md5($_POST['password']);
  $email = $_POST['email'];
  if( filter_var($email, FILTER_VALIDATE_EMAIL) && !empty($username) && !empty($password) && !empty($email) ){
    echo 'Email is valid';
    $sql = "SELECT username FROM info WHERE username = '$username'";
    $result = mysqli_query($conn, $sql);
    if( mysqli_num_rows($result) > 0 ){
      echo "Sorry, there is already an account registered with that username";
    } else {
      $sql = "INSERT INTO info (username, password, date_created) VALUES ('$username', '$password', NOW())";
      mysqli_query($conn, $sql);
      $output = "<p> Username: $username <br />" . "Password: $password </p>";
    }
  } elseif ( empty($username) || empty($password) ) {
    $output = "<p> Both fields are required </p>";
  }
  echo $output;
}


?>

<!DOCTYPE html>
<html>

<head>
  <title>My Website</title>
</head>

<body>

<form method="POST">
  <h1>Signup: </h1><br />
  Choose a username: <input type="text" name="username" /> <br />
  Choose a password: <input type="password" name="password" /> <br />
  Enter your email: <input type="email" name="email" /> <br />
  <input type="submit" name="submit" value="Signup" />
  <p>Already have an account? Login here: <br /> <a href="index.php">Login</a></p>
</form>

</body>
</html>
John Doe
  • As you are doing 4 tests at once, how do you know which fails? ALSO md5 - don't do it, and you're open to SQL injection attacks –  Jul 03 '17 at 22:43
  • `filter_var($email, FILTER_VALIDATE_EMAIL)` should validate the email successfully. I'd recommend isolating it to confirm that it is validating correctly. You might also want to use `filter_var($email, FILTER_SANITIZE_EMAIL);` to strip out illegal characters. Also, MD5 is a **very** weak encryption -- please switch to something more secure instead :) – Obsidian Age Jul 03 '17 at 22:45
  • Besides, your code is vulnerable to SQL injection; you should consider using `filter_input` http://php.net/manual/en/function.filter-input.php – lkdhruw Jul 03 '17 at 22:45
  • @ObsidianAge what is the best alternative to md5? – John Doe Jul 03 '17 at 22:46
  • @lkdhruw Is filter_input better than filter_var in this case? If so, why? I've always been extremely confused by this. I've looked it up here on Stackoverflow and have seen many answers, though I am still extremely confused. – John Doe Jul 03 '17 at 22:47
  • 'Best' is subjective. I personally use [**BCRYPT**](https://en.wikipedia.org/wiki/Bcrypt), whilst also encrypting the registrations with [**SHA512**](https://en.wikipedia.org/wiki/SHA512). You'll also probably want to validate the user information before encrypting it. – Obsidian Age Jul 03 '17 at 22:48
  • Best is *not* subjective when it comes to password hashing with PHP. `md5()` is obsolete for hashing passwords and should *not be used*. PHP provides [password_hash()](http://php.net/manual/en/function.password-hash.php) and [password_verify()](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – John Conde Jul 03 '17 at 22:55
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Jul 03 '17 at 22:56
  • You do not provide an example of what email addresses are supposedly invalid so we can't help you. – John Conde Jul 03 '17 at 22:57
  • @JohnDoe `filter_input` is better in case of handling the null value error, and if you group data then you can use `filter_input_array`. https://secure.php.net/manual/en/function.filter-input.php#115086 – lkdhruw Jul 03 '17 at 23:02
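The points raised in the comments (report each failed check on its own, hash with `password_hash()`, bind parameters instead of interpolating into SQL, escape at output time) applied to the asker's flow, as an added example that is not the asker's code. It assumes `$conn` is the mysqli connection from `connect_to_db()` and that the `info` table also has an `email` column, which the question's table does not show.

```php
<?php
// Added example, not the asker's code: the same signup flow with per-field
// validation, password_hash() and prepared statements. Assumes $conn is a
// mysqli connection and that `info` also has an `email` column (assumed).
function validate_signup(): array
{
    // filter_input() gives null for a missing field, false for a rejected one.
    $username = filter_input(INPUT_POST, 'username');
    $password = filter_input(INPUT_POST, 'password');
    $email    = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $errors = [];
    if ($username === null || trim($username) === '') {
        $errors['username'] = 'A username is required';
    }
    if ($password === null || strlen($password) < 8) {
        $errors['password'] = 'The password must be at least 8 characters';
    }
    if ($email === null || $email === false) {
        $errors['email'] = 'Enter a valid email address';
    }
    return [$errors, $username, $password, $email];
}
function register_user(mysqli $conn, string $username, string $password, string $email): string
{
    // Bound parameters keep user input out of the SQL text entirely.
    $stmt = $conn->prepare('SELECT 1 FROM info WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        return 'Sorry, there is already an account registered with that username';
    }
    // password_hash() salts and uses a slow algorithm (bcrypt with PASSWORD_DEFAULT).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO info (username, password, email, date_created) VALUES (?, ?, ?, NOW())');
    $stmt->bind_param('sss', $username, $hash, $email);
    $stmt->execute();
    // Escape for the HTML context at output time, and never echo the password.
    return '<p>Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</p>';
}
if (isset($_POST['submit'])) {
    [$errors, $username, $password, $email] = validate_signup();
    foreach ($errors as $message) {
        echo '<p>', htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), '</p>';
    }
    if ($errors === []) {
        echo register_user($conn, $username, $password, $email);
    }
}
```

Logging in later is `password_verify($_POST['password'], $storedHash)` against the hash column; the original plain `md5()` comparison is no longer needed.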

2 Answers

Emm .. For the username and password inputs you can use this function and put it in the functions file:

function makeItSafe($value) {
    // Each call returns a new string; the results have to be kept.
    $value = htmlspecialchars($value);         // '<', '>', '&', '"' become entities
    $value = strip_tags($value);               // no '<' remains, so nothing is stripped
    $value = htmlentities($value, ENT_QUOTES); // encodes the '&' of each entity again
    return $value;
}

And for the email, yes, you can use the filter_var function or the RegExp way .. But in my opinion filter_var is easier to use :)

S3FaQ El
  • Unfortunately that's not quite enough to validate an email address. I've created proof of this [**here**](https://3v4l.org/MCrOL). – Obsidian Age Jul 03 '17 at 22:54
  • strip_tags() after htmlspecialchars() what do you think happens there? –  Jul 03 '17 at 22:58
  • This function is useless garbage that not only makes nothing safe, but it mangles the content passed through it. – John Conde Jul 03 '17 at 22:59
  • So that means that the regExp is the best way; is there any way other than regExp?! – S3FaQ El Jul 03 '17 at 23:07
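What the chained sanitizer in this answer does to a value, beside the approach the comments point towards (keep the input as submitted, bind it for SQL, escape it once for HTML when it is printed). This is an added example, not part of the answer; the sample input is constructed.

```php
<?php
// Added example, not part of the answer: the sanitizer chain from the answer
// with its return values kept, beside context-specific escaping.
function makeItSafeChain(string $value): string
{
    $value = htmlspecialchars($value);          // '<' -> '&lt;', '&' -> '&amp;', '"' -> '&quot;'
    $value = strip_tags($value);                // no '<' is left, so nothing is stripped
    $value = htmlentities($value, ENT_QUOTES);  // encodes the '&' of each entity again
    return $value;
}

// Leave the submitted value unchanged and escape once, for the HTML context,
// at the moment it is printed. SQL gets a bound parameter instead.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$input  = 'Tom & Jerry <b>"quoted"</b>';   // constructed sample input
$stored = makeItSafeChain($input);
echo $stored, PHP_EOL;                      // double-encoded: displays the entities literally
echo escapeForHtml($input), PHP_EOL;        // renders as the text the user typed

// The chained version is not reliably reversible either: one decode pass only
// undoes the last stage, so the first stage's entities remain in the text.
echo html_entity_decode($stored, ENT_QUOTES), PHP_EOL;
```

On the constructed input the first function returns a string in which every `&` produced by the first step has itself been turned into `&amp;`, so a page displaying it shows literal `&lt;b&gt;` text rather than the original characters.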

I use the code below to validate email addresses. I then require a user to confirm their email to complete signup, as there is no true way to know if an email is actually real or not.

if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // invalid email address
}

Also, you should create a function to check your POST data.

function checkData($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
SPLDev