ive quickly done a user registration script, just wondered if n e one cld quickly have a look and tell me how it could be improved. <?php if(isset($_POST['submit'])){ //------------------------- Protect from SQL injection $email = mysql_real_escape_string($_POST['email']); $confirm_email = mysql_real_escape_string($_POST['confirm_email']); $password = mysql_real_escape_string($_POST['password']); $verify_password = mysql_real_escape_string($_POST['verify_password']); $first_name = mysql_real_escape_string($_POST['first_name']); $last_name = mysql_real_escape_string($_POST['last_name']); $address_line_one = mysql_real_escape_string($_POST['address_line_one']); $address_line_two = mysql_real_escape_string($_POST['address_line_two']); $town = mysql_real_escape_string($_POST['town']); $county = mysql_real_escape_string($_POST['county']); $postcode = mysql_real_escape_string($_POST['postcode']); //------------------------- Protect from XSS $email = htmlentities($email); $confirm_email = htmlentities($confirm_email); $password = htmlentities($password); $verify_password = htmlentities($verify_password); $first_name = htmlentities($first_name); $last_name = htmlentities($last_name); $address_line_one = htmlentities($address_line_one); $address_line_two = htmlentities($address_line_two); $town = htmlentities($town); $county = htmlentities($county); $postcode = htmlentities($postcode); $password = md5($password); $checkuser = mysql_query("SELECT email FROM users WHERE email='$email'"); $username_exist = mysql_num_rows($checkuser); if($username_exist > 0){ echo "I'm sorry but the username you specified has already been taken. Please pick another one."; unset($email); } else { $query = "INSERT INTO users (first_name, second_name, email, password, address_line_one, address_line_two, town, county, postcode) VALUES('$first_name', '$last_name', '$email', '$password', '$address_line_one', '$address_line_two', '$town', '$county', '$postcode')"; mysql_query($query) or die(mysql_error()); mysql_close(); echo "You have successfully Registered"; } } ?> Code (markup):
- Add password salt - Check that $password == $verify_password (else what's the point) - Rather than just htmlentitiesing everything, actually strip things down to appropriate characters. - Asking people to enter their email address twice is pointless. It makes sense for passwords, where they can't see what they're typing. But with email it's just a nuisance. Your verification email will ensure they have provided a valid address. But before sending that, confirm that the email address is at least vaguely valid in format. Also you will not reliably be able to handle characters in different languages until you become character-set-aware (most easily by doing everything in UTF8). You may not think it matters but these days people seem to find all kinds of ways to type characters you didn't expect.
1 more thing. Redirect the user to another page after the registration page or else this is what they see when they refresh the page - ads2help
In other words, leave the page as it is & add META REFRESH ( delay redirect for at least 5 seconds ).
Yes redirect to other pages: echo("<script>location.href='desiredpath'</script>"); PHP: Regards Stylesofts Developing Team
yeah i'm getting to that bit now, next stage is programming the user panel and using sessions ect thanks for comments
instead of using mysql_real_escape_string and htmlentities on each variable you can create the function to "check and clean" the full POST array or even using array_map
Hello, it is the inbuilt function htmlentities ( string string [, int quote_style [, string charset]] ) you can also try these while entering htmlspecialchars ( string string [, int quote_style [, string charset]] ) and this to decode those values htmlspecialchars_decode ( string string [, int quote_style] ) Regards, Stylesofts Developing Team