Php Sql Injection Secure Tags

Question

UI-3 Junior Poster

8 Years Ago

New Friends! :)

The following is my member registration code as of latest.

ISSUE 1:
I get this error:

Parse error: syntax error, unexpected '_' (T_STRING), expecting ',' or ')' in C:\xampp\htdocs\e_id\register_edited.php on line 10

What is wrong ? I copied the "'images/'_$FILES['avatar']['name']);" from a youtube tutorial on how to create feature for your member site members to upload their images. It was working on my site but not now on my xammp.

ISSUE 2:

Is the following ok or have I got them wrong way round ? I mean the real_escape and the strtolower and the strip_tags. Eg.

$member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"]))));

Any mistakes I made from line 9-22 ?

Question 3:

Looking at my html form, do you spot any errors apart from the <center> outdated tags ? (Will replace them and design with css instead. In the middle of it now).

Question 4:
Should there be 2 equal signs ? Eg. "== 0" (equal to) ? instead of just "=" ?
$member_registration_account_activation = 0;

FULL REG PAGE CODE:

<?php require "conn.php"; require "site_details.php"; if (isset($_POST['submit'])) { if(!empty($_POST["member_registration_username"]) && !empty($_POST["member_registration_password"])&& !empty($_POST["member_registration_password_confirmation"])&& !empty($_POST["member_registration_email"])&& !empty($_POST["member_registration_email_confirmation"])&& !empty($_POST["member_registration_forename"])&& !empty($_POST["member_registration_surname"])) { $account_activation_link = "http://www.$site_domain.com/$site-name/activate_account.php?email=$member_registration_email&&member_registration_account_activation_code=$member_registration_account_activation_code"; $avatar_path = trim(strip_tags(mysqli_real_escape_string($conn,'images/'_$FILES['avatar']['name']); $member_registration_account_activation = 0; $member_registration_random_numbers = random_int(0, 9999999999); $member_registration_username = trim(strip_tags(strtolower(mysqli_real_escape_string($conn,$_POST["member_registration_username"])))); $member_registration_password = trim(strip_tags(md5(mysqli_real_escape_string($conn,$_POST["member_registration_password"])))); $member_registration_password_confirmation = trim(strip_tags(md5(mysqli_real_escape_string($conn,($_POST["member_registration_password_confirmation"]))))); $member_registration_forename = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_forename"]))); $member_registration_surname = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_surname"]))); $member_registration_gender = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_gender"]))); $member_registration_email = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_email"]))); $member_registration_email_confirmation = trim(strip_tags(mysqli_real_escape_string($conn,$_POST["member_registration_email_confirmation"])); $member_registration_account_activation_code = trim(strip_tags(mysqli_real_escape_string($conn,"$member_registration_random_numbers"))); if (preg_match("!image!", $_FILES['avatar']['type'])) { //copy image to images/ folder. if(copy($_$FILES['avatar']['tmp_name'], $avatar_path)) { $_SESSION['avatar']=$avatar_path; } else { $_SESSION['message']= "Image could not be uploaded!"; } else { $_SESSION['message']= "Only gif, jpeg or png files allowed for your avatar!"; exit(); } if($_POST["member_registration_email"] != $_POST["member_registration_email_confirmation"]) { $_SESSION['message']= "Your email inputs do not match! Try inputting again and then re-submit."; exit(); } if($_POST["member_registration_password_confirmation"] != $_POST["member_registration_password_confirmation"]) { $_SESSION['message']= "Your password inputs do not match! Try inputting again and then re-submit."; exit(); } //Check for Username match in users table. $sql = "SELECT * FROM users WHERE Usernames ='".$member_registration_username."'"; $result = mysqli_query($conn,$sql); if(mysqli_num_rows($result)!=0) { $_SESSION['message']="That Username $member_registration_username is already registered!"; exit(); } $sql = "SELECT * FROM users WHERE Emails ='".$member_registration_email."'"; $result = mysqli_query($conn,$sql); if(mysqli_num_rows($result)>0) { $_SESSION['message']="That Email $member_registration_email is already registered!"; exit(); } $sql = "INSERT INTO users(Usernames,Passwords,Emails,Forenames,Surnames,Genders,Account_Activation_Codes,Account_Activations) VALUES('".$member_registration_username."','".$member_registration_password."','".$member_registration_email."','".$member_registration_forename."','".$member_registration_surname."','".$member_registration_account_activation_code."','".$member_registration_account_activation."')"; if($sql) { $_SESSION['message']="Data insertion into table success!"; } else { $_SESSION['message']="Data insertion into table failure!"; } $to = "$member_registration_email"; $subject = "Your $site_name Account Activation!"; $body = "$member_registration_forename $member_registration_surname,\n\n You need to click the following link to confirm your email address and activate your account.\n\n\ $account_activation_link; $from = "$site_admin_email"; $headers = "from: $from"; mail($to,$subject,$body,$headers); $_SESSION['message']="Check your email for further instructions!"; } else { $_SESSION['message']="You must fill-in all input fields!"; } } ?> <!DOCTYPE html> <html> <head> <title><?php $site_name ?> Signup Page</title> <meta charset="utf-8"> </head> <body> <div class = "container"> <form method="post" action=""> <center><h2>Signup Form</h2></center> <div class="form-group"> <center><label>Username:</label> <input type="text" placeholder="Enter a unique Username" name="member_registration_username" required [A-Za-z0-9]></center> </div> <div class="form-group"> <center><label>Password:</label> <input type="password" placeholder="Enter a new Password" name="member_registration_password" required [A-Za-z0-9]></center> </div> <div class="form-group"> <center><label>Repeat Password:</label> <input type="password" placeholder="Repeat a new Password" name="member_registration_password_confirmation" required [A-Za-z0-9]></center> </div> <div class="form-group"> <center><label>First Name:</label> <input type="text" placeholder="Enter your First Name" name="member_registration_forename" required [A-Za-z]></center> </div> <div class="form-group"> <center><label>Surname:</label> <input type="text" placeholder="Enter your Surname" name="member_registration_surname" required [A-Za-z]></center> </div> <div class="form-group"> <center><label>Gender:</label> <input type="radio" name="member_registration_gender" value="male" required>Male<input type="radio" name="member_registration_gender" value="female" required>Female</center> </div> <div class="form-group"> <center><label>Email:</label> <input type="email" placeholder="Enter your Email" name="member_registration_email" required [A-Za-z0-9]></center> </div> <div class="form-group"> <center><label>Repeat Email:</label> <input type="email" placeholder="Repeat your Email" name="member_registration_email_confirmation" required [A-Za-z0-9]></center> </div> <center><button type="submit" class="btn btn-default" name="submit">Register!</button></center> <center><font color="red" size="3"><b>Already have an account ?</b><br><a href="login.php">Login here!</a></font></center> </form> </div> </body> </html>

mysql php

4 Contributors
5 Replies
343 Views
1 Week Discussion Span
Latest Post 8 Years Ago Latest Post by UI

rproffitt2,701 https://5calls.org

8 Years Ago

Regarding item 4.
Single equal signs are for when we want to assign a value to a variable.
Double (and triple) equal signs are when we want comparison tests. (varies with language)

Time to read http://php.net/manual/en/language.operators.comparison.php again.

diafol

8 Years Ago

https://www.daniweb.com/programming/web-development/tutorials/499320/common-issues-with-mysql-and-php have a look at the first 5 items.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

UI-3 Junior Poster · Answer 1 · 2017-04-12T22:27:24+00:00

I am now reading this since so many programmers are against me not using Prepared Statements:

http://www.wikihow.com/Prevent-SQL-Injection-in-PHP

The following, however, earlier on did my head in and put me off from php!

http://php.net/manual/en/pdo.prepared-statements.php

AndrisP193 Posting Pro in Training · Answer 2 · 2017-04-13T19:50:51+00:00

I recommend you use filter_input() or filter_input_array() function e.g.

 $args = array( 'member_registration_username' => array( 'filter' => FILTER_SANITIZE_STRING ), 'member_registration_password' => array( 'filter' => FILTER_SANITIZE_STRING ), 'member_registration_password_confirmation' => array( 'filter' => FILTER_SANITIZE_STRING ), 'member_registration_forename' => array( 'filter' => FILTER_SANITIZE_STRING ), 'member_registration_surname' => array( 'filter' => FILTER_SANITIZE_STRING ), 'member_registration_gender' => array( 'filter' => FILTER_SANITIZE_STRING ), 'member_registration_email' => array( 'filter' => FILTER_VALIDATE_EMAIL ), 'member_registration_email_confirmation' => array( 'filter' => FILTER_VALIDATE_EMAIL ) ); $post = filter_input_array(INPUT_POST, $args);

UI-3 Junior Poster · Answer 3 · 2017-04-17T12:02:07+00:00

AndrisP, your English is ok.
Anyway, most beginner php tutorials are in procedural style teaching mysqli.
Intermediate tutorials teach oop and pdo.
I am still a beginner and so do you mind converting your pdo oop style code to mysqli procedural style as that way I would understand it better ?
I would get into pdo and oop later-on when I'm more experienced in php.

Thank You!