0

I have a form for user registration. everything works as expected. but one of my team members removed the name and required attributes from the form and submitted it. my PHP script shows Notice: Undefined index: password. can someone advise how to fix this?

Processing Script

  function register_user() {
    global $connection;
    if (is_post_request() && isset($_POST['signup-submit'])) {
      $email = escape_string($_POST['email']) ?? NULL;
      $username = escape_string($_POST['username']) ?? '';
      $password = escape_string($_POST['password']) ?? '';
      $country = escape_string($_POST['country']) ?? '';

      // * validate inputs
      $errors = [];
      if (is_blank($email) || !has_valid_email_format($email)) $errors['email'] = 'Looks like this email is incomplete.';
      if(!has_uniqueness($email, 's', 'users', 'email')) $errors['email'] = 'Sorry, this email can\'t be registered. Let\'s try another one.';
      if (is_blank($username) || !has_format_matching($username, '/^[A-Za-z0-9_]{1,15}$/')) $errors['username'] = 'Username must begin with a letter and can include numbers and underscores.';
      if (!has_length($username, ['min' => 6, 'max' => 15])) $errors['username'] = 'Username must be at least 6 characters.';
      if(!has_uniqueness($username, 's', 'users', 'username')) $errors['username'] = 'Username is already taken. Please pick a new one.';
      if (is_blank($password) || !has_length($password, ['min' => 8])) $errors['password'] = 'Password must be min 8 characters.';
      if (is_blank($country)) $errors['country'] = 'Please select your country!';

      // * if there were no errors, try to register
      if (!empty($errors)) {
        return $errors;
      } else {
        $sql = "INSERT INTO users(username, email, password, country_id, joined) VALUES (?, ?, ?, ?, now())";
        $stmt = mysqli_stmt_init($connection);
        mysqli_stmt_prepare($stmt, $sql);

        // * hashing password
        $hashed_password = password_hash($password, PASSWORD_BCRYPT);
        mysqli_stmt_bind_param($stmt, 'sssi', $username, $email, $hashed_password, $country);
        $result = mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);

        if (!$result) {
          exit("Database query failed.");
        } else {
          $_SESSION['message'] = 'Successfuly Registered!';
          redirect_to('index.php');
        }

      }

    }

  }

Please let me know if you guys want to see the form as well :)

  • Why do you need a function like `escape_string`? What does it do? – Dharman Feb 28 '20 at 19:46
  • @Dharman it trims the string and then passes it to `mysqli_real_escape_string()` –  Feb 28 '20 at 21:34
  • What for? Don't use it. You don't need it. It will only damage your data – Dharman Feb 28 '20 at 21:35
  • Should I not escape data before inserting it in DB? –  Feb 28 '20 at 21:36
  • No. Don't escape data. Please read more about this topic. I don't want you to be learning incorrect information. You can start here https://stackoverflow.com/a/24716632/1839439 and https://phpdelusions.net/sql_injection – Dharman Feb 28 '20 at 22:46

2 Answers2

1

Your use of null coalescing is slightly wrong, when you use

$email = escape_string($_POST['email']) ?? NULL;

it will first do the escape_string($_POST['email']) before the null check. Which means if the field doesn't exist it will throw the error.

You should be doing something like...

$email = escape_string($_POST['email'] ?? "");
Nigel Ren
  • 56,122
  • 11
  • 43
  • 55
1

Use escape_string($_POST['inputName'] ?? ''); instead of escape_string($_POST['inputName']) ?? '';

Illya
  • 1,268
  • 1
  • 5
  • 16
  • 1
    thank you for the answer. but Nigel answered first. I gave you an upvote. –  Feb 28 '20 at 19:20