php - Validation Display in Registration form with Bootstrap -
in following code in crudindex.php if enter password length less 6 characters error message not showing using span command.required pattern working. messages using span command not displaying ex : if enter length less 6 in password no error message displays
what wrong in code?
<?php $con = mysqli_connect("127.0.0.1", "kkits996_ganesh", "", "kkits996_testmysql") or die("error " . mysqli_error($con)); $error=false; if (isset($_post) && (!empty($_post))){ $uname=mysqli_real_escape_string($con,$_post["uname"]); $pwd=mysqli_real_escape_string($con,$_post["pwd"]); $cpwd=mysqli_real_escape_string($con,$_post["cpwd"]); $password_error=""; $cpassword_error=""; if(strlen($pwd) < 6) { $error = true; $password_error = "password must minimum of 6 characters"; } if($pwd != $cpwd) { $error = true; $cpassword_error = "password , confirm password doesn't match"; } if (isset($_post['register'])) { # register-button clicked $createsql1="insert cruduser(id,username,password) values ('','$uname','$pwd')"; if (mysqli_query($con,$createsql1)) { echo "insert successful in table cruduser"; mysqli_close($con); //redirect because need consider post request crudadd.php header( 'location: crudaddusr.php' ) ; //include ("crudadd.php"); } else { die(mysqli_error($con)); } } if (isset($_post['login'])) { # login-button clicked session_start(); $session['suname']=$uname; $session['spwd']=$pwd; if ($uname=='admin' && $pwd=='admin') { include('crudview.php'); } else { header( "location: crudeditusr.php?suname=$uname&spwd=$pwd"); } } mysqli_close($con); } ?> <!--doctype html --> <! bootstrap link downloaded bootstrapcdn.com css , js --> <! col-mod-6 col-mod-offset bootstrap related--> <html> <head> <title>"add records in crud table"</title> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> </head> <body> <div class="container"> <div class="row"> <form method="post" class="form-horizontal col-mod-6 col-mod-offset-3"> <h2>create table crud</h2> <div class="form-group"> <label for="input" class="col-sm-2 control-label">username : </label> <div class="col-sm-10"> <input type="text" name="uname" required pattern="^[a-za-z0-9]+" class="form-control" id="input1" placeholder="username"/> </div> </div> <div class="form-group"> <label for="input" class="col-sm-2 control-label">password: </label> <div class="col-sm-10"> <input type="password" name="pwd" required pattern="^[a-za-z0-9]+" class="form-control" id="input1" placeholder="password"/> <span class="error"><?php if (isset($password_error)) echo $password_error;?></span> </div> </div> <div class="form-group"> <label for="input" class="col-sm-2 control-label">confirm password : </label> <div class="col-sm-10"> <input type="password" name="cpwd" required pattern="^[a-za-z0-9]+" class="form-control" id="input1" placeholder="confirm password"/> <span class="text-danger"><?php if (isset($cpassword_error)) echo $cpassword_error; ?></span> </div> </div> <div class="row"> <div class="col-mod-6 col-mod-offset-3"> <button id="submit1" name="register" class="btn btn-primary pull-right">register</button> <button id="submit2" name="login" class="btn btn-secondary pull-right">login</button> </div> </div> </form> </body> </html>
this working example display errors , prevent security problems. have removed required pattern
html. didn't set errors. can handle errors php , display them. plus didn't use action="path/to/handleform.php"
.
and redirect should in login: header( "location: crudeditusr.php?suname=".$uname."&spwd=".$pwd);
there 3 security problems here:
- sql injection. solution=> prepared statement
- password saved plain text. solution=> password_hash()
cross-site request forgery (csrf). solution=> input hidden token
<?php $con = mysqli_connect("127.0.0.1", "kkits996_ganesh", "", "kkits996_testmysql") or die("error " . mysqli_error($con)); // declare array errors $error=array(); //-----------------------------------------------------// //---------------------csrf protect--------------------// //-----------------------------------------------------// //generate token/ function generatetoken( $formname ) { //secret_key change $secretkey ='?@geskki58668445744!erpoejsj48'; if ( !session_id() ) { session_start(); } $sessionid = session_id(); return hash('sha512', $formname.$sessionid.$secretkey ); } //check if token valid function checktoken( $token, $formname) { return $token === generatetoken( $formname ); } //separate register , login not confused// //-----------------------------------------------------// //---------------------registration--------------------// //-----------------------------------------------------// if ( isset($_post['register']) && checktoken( $_post['csrf_token'], 'userfromregistration' ) ) { //if username required if(!preg_match('/^[a-za-z0-9]+$/',$_post['uname'])) { $error['username'] = "username must have alphanumeric characters "; } //if password has less 6 characters if(strlen($_post['pwd']) < 6) { $error['password'] = "password must minimum of 6 characters"; } //if password not match if($_post['pwd'] !== $_post['cpwd'] or empty($_post['cpwd']) ) { $error['passwordmatch'] = "password , confirm password doesn't match"; } //if empty error array if( !array_filter($error) ) { //trim data $username = trim( $_post['uname'] ); // hash password, never save password plain text!!!!!!! // mysql! : allow storage expand past 60 characters (varchar 255 good) $password = password_hash( $_post['pwd'], password_default); //if id autoincremented leave id //----------use prepared statement sql injection---// $query = 'insert cruduser (username, password) values (?,?)'; $stmt = $con->prepare($query); $stmt->bind_param("ss", $username, $password); $stmt->execute(); $stmt->close(); $con->close(); //redirect because need consider post request crudadd.php header( 'location: crudaddusr.php' ) ; } } //-----------------------------------------------------// //------------------------login------------------------// //-----------------------------------------------------// if (isset($_post['login'])) { //what ever want //use password_verify() , session_regenerate_id() //to compare passwords , generate session id prevent session fixation. session_start(); $uname = $_post['uname']; $pwd = $_post['pwd']; //if don't need delete $session['suname']=$unmane; $session['spwd']=$pwd; if ($uname=='admin' && $pwd=='admin') { include('crudview.php'); } else { header( "location: crudeditusr.php?suname=".$uname."&spwd=".$pwd); } } ?> <!--html part--> <!doctype html> <html> <head> <title>"add records in crud table"</title> <!-- bootstrap link downloaded bootstrapcdn.com css , js --> <!-- col-mod-6 col-mod-offset bootstrap related--> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> </head> <body> <div class="container"> <div class="row"> <form method="post" action="" class="form-horizontal col-mod-6 col-mod-offset-3"> <input type="hidden" name="csrf_token" value="<?php echo generatetoken('userfromregistration'); ?>" required/> <h2>create table crud</h2> <div class="form-group"> <label for="input" class="col-sm-2 control-label">username : </label> <div class="col-sm-10 <?php if( !empty( $error['username'] ) ){ echo 'has-error';} ?> "> <input type="text" name="uname" class="form-control" id="input1" placeholder="username"/> <span class="help-block"><?php if (!empty($error['username'])) echo $error['username'];?></span> </div> </div> <div class="form-group"> <label for="input" class="col-sm-2 control-label">password: </label> <div class="col-sm-10 <?php if( !empty( $error['password'] ) ){ echo 'has-error';} ?>"> <input type="password" name="pwd" class="form-control" id="input1" placeholder="password"/> <span class="help-block"><?php if (!empty($error['password'])) echo $error['password'];?></span> </div> </div> <div class="form-group"> <label for="input" class="col-sm-2 control-label">confirm password : </label> <div class="col-sm-10 <?php if( !empty( $error['passwordmatch'] ) ){ echo 'has-error';} ?>"> <input type="password" name="cpwd" class="form-control" id="input1" placeholder="confirm password"/> <span class="help-block"><?php if (!empty($error['passwordmatch'])) echo $error['passwordmatch'];?></span> </div> </div> <div class="row"> <div class="col-mod-6 col-mod-offset-3"> <button id="submit1" name="register" class="btn btn-primary pull-right">register</button> <button id="submit2" name="login" class="btn btn-secondary pull-right">login</button> </div> </div> </form> </body>
Comments
Post a Comment