php - Validation Display in Registration form with Bootstrap -


in following code in crudindex.php if enter password length less 6 characters error message not showing using span command.required pattern working. messages using span command not displaying ex : if enter length less 6 in password no error message displays

what wrong in code?

<?php $con = mysqli_connect("127.0.0.1", "kkits996_ganesh", "", "kkits996_testmysql")  or die("error " . mysqli_error($con)); $error=false; if (isset($_post) && (!empty($_post))){  $uname=mysqli_real_escape_string($con,$_post["uname"]);  $pwd=mysqli_real_escape_string($con,$_post["pwd"]);  $cpwd=mysqli_real_escape_string($con,$_post["cpwd"]); $password_error=""; $cpassword_error=""; if(strlen($pwd) < 6) {         $error = true;         $password_error = "password must minimum of 6 characters";     }     if($pwd != $cpwd) {         $error = true;         $cpassword_error = "password , confirm password doesn't match";     }  if (isset($_post['register'])) {         # register-button clicked   $createsql1="insert cruduser(id,username,password) values                              ('','$uname','$pwd')";  if (mysqli_query($con,$createsql1)) { echo "insert successful in table cruduser"; mysqli_close($con); //redirect because need consider post request crudadd.php header( 'location: crudaddusr.php' ) ; //include ("crudadd.php"); } else { die(mysqli_error($con)); } } if (isset($_post['login'])) {         # login-button clicked session_start(); $session['suname']=$uname; $session['spwd']=$pwd; if ($uname=='admin' && $pwd=='admin') { include('crudview.php'); } else { header( "location: crudeditusr.php?suname=$uname&spwd=$pwd"); } } mysqli_close($con); } ?> <!--doctype html --> <! bootstrap link downloaded bootstrapcdn.com css , js --> <! col-mod-6 col-mod-offset bootstrap related--> <html> <head> <title>"add records in crud table"</title> <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> </head> <body> <div class="container">  <div class="row"> <form method="post" class="form-horizontal col-mod-6 col-mod-offset-3"> <h2>create table crud</h2> <div class="form-group"> <label for="input" class="col-sm-2 control-label">username : </label> <div class="col-sm-10"> <input type="text" name="uname"  required pattern="^[a-za-z0-9]+" class="form-control" id="input1" placeholder="username"/> </div> </div> <div class="form-group"> <label for="input" class="col-sm-2 control-label">password: </label> <div class="col-sm-10"> <input type="password" name="pwd"  required pattern="^[a-za-z0-9]+" class="form-control" id="input1" placeholder="password"/> <span class="error"><?php if (isset($password_error)) echo $password_error;?></span> </div> </div> <div class="form-group"> <label for="input" class="col-sm-2 control-label">confirm password : </label> <div class="col-sm-10"> <input type="password" name="cpwd"  required pattern="^[a-za-z0-9]+" class="form-control" id="input1" placeholder="confirm password"/> <span class="text-danger"><?php if (isset($cpassword_error))  echo $cpassword_error; ?></span> </div> </div> <div class="row">                  <div class="col-mod-6 col-mod-offset-3">                    <button id="submit1" name="register" class="btn btn-primary pull-right">register</button>                   <button id="submit2" name="login" class="btn btn-secondary pull-right">login</button>                 </div>             </div> </form> </body> </html> 

this working example display errors , prevent security problems. have removed required pattern html. didn't set errors. can handle errors php , display them. plus didn't use action="path/to/handleform.php".

and redirect should in login: header( "location: crudeditusr.php?suname=".$uname."&spwd=".$pwd);

there 3 security problems here:

  • sql injection. solution=> prepared statement
  • password saved plain text. solution=> password_hash()
  • cross-site request forgery (csrf). solution=> input hidden token

    <?php $con = mysqli_connect("127.0.0.1", "kkits996_ganesh", "", "kkits996_testmysql")  or die("error " . mysqli_error($con));  // declare array errors $error=array();  //-----------------------------------------------------// //---------------------csrf protect--------------------// //-----------------------------------------------------//  //generate token/ function generatetoken( $formname ) {        //secret_key change     $secretkey ='?@geskki58668445744!erpoejsj48';    if ( !session_id() )     {        session_start();    }    $sessionid = session_id();    return hash('sha512', $formname.$sessionid.$secretkey ); }  //check if token valid function checktoken( $token, $formname) {    return $token === generatetoken( $formname ); }  //separate register , login not confused//  //-----------------------------------------------------// //---------------------registration--------------------// //-----------------------------------------------------// if ( isset($_post['register']) && checktoken( $_post['csrf_token'], 'userfromregistration' )  )  {     //if username required     if(!preg_match('/^[a-za-z0-9]+$/',$_post['uname']))     {          $error['username'] = "username must have alphanumeric characters ";     }      //if password has less 6 characters     if(strlen($_post['pwd']) < 6)     {          $error['password'] = "password must minimum of 6 characters";     }      //if password not match    if($_post['pwd'] !== $_post['cpwd'] or empty($_post['cpwd']) )     {          $error['passwordmatch'] = "password , confirm password doesn't match";    }      //if empty error array     if( !array_filter($error) )     {          //trim data          $username = trim( $_post['uname'] );           // hash password, never save password plain text!!!!!!!          // mysql! : allow storage expand past 60 characters (varchar 255 good)          $password = password_hash( $_post['pwd'], password_default);           //if id autoincremented leave id          //----------use prepared statement sql injection---//           $query = 'insert cruduser (username, password) values (?,?)';          $stmt = $con->prepare($query);          $stmt->bind_param("ss", $username, $password);          $stmt->execute();          $stmt->close();          $con->close();           //redirect because need consider post request crudadd.php          header( 'location: crudaddusr.php' ) ;      } }  //-----------------------------------------------------// //------------------------login------------------------// //-----------------------------------------------------// if (isset($_post['login'])) {      //what ever want      //use password_verify() , session_regenerate_id()       //to compare passwords , generate session id prevent session fixation.       session_start();       $uname = $_post['uname'];       $pwd = $_post['pwd'];        //if don't need delete       $session['suname']=$unmane;       $session['spwd']=$pwd;        if ($uname=='admin' && $pwd=='admin')       {           include('crudview.php');       }       else       {           header( "location: crudeditusr.php?suname=".$uname."&spwd=".$pwd);       }     }  ?>  <!--html part--> <!doctype html> <html>     <head>         <title>"add records in crud table"</title>         <!-- bootstrap link downloaded bootstrapcdn.com css , js -->         <!-- col-mod-6 col-mod-offset bootstrap related-->         <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">         <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>     </head>     <body>     <div class="container">          <div class="row">             <form method="post" action="" class="form-horizontal col-mod-6 col-mod-offset-3">             <input type="hidden" name="csrf_token" value="<?php echo generatetoken('userfromregistration'); ?>" required/>             <h2>create table crud</h2>             <div class="form-group">                 <label for="input" class="col-sm-2 control-label">username : </label>                 <div class="col-sm-10 <?php if( !empty( $error['username'] ) ){ echo 'has-error';}  ?> ">                     <input type="text" name="uname" class="form-control" id="input1" placeholder="username"/>                     <span class="help-block"><?php if (!empty($error['username'])) echo $error['username'];?></span>                 </div>             </div>             <div class="form-group">                 <label for="input" class="col-sm-2 control-label">password: </label>                 <div class="col-sm-10 <?php if( !empty( $error['password'] ) ){ echo 'has-error';}  ?>">                     <input type="password" name="pwd"  class="form-control" id="input1" placeholder="password"/>                     <span class="help-block"><?php if (!empty($error['password'])) echo $error['password'];?></span>                 </div>             </div>             <div class="form-group">                 <label for="input" class="col-sm-2 control-label">confirm password : </label>                 <div class="col-sm-10 <?php if( !empty( $error['passwordmatch'] ) ){ echo 'has-error';}  ?>">                     <input type="password" name="cpwd" class="form-control" id="input1" placeholder="confirm password"/>                     <span class="help-block"><?php if (!empty($error['passwordmatch'])) echo $error['passwordmatch'];?></span>                 </div>             </div>             <div class="row">                  <div class="col-mod-6 col-mod-offset-3">                    <button id="submit1" name="register" class="btn btn-primary pull-right">register</button>                    <button id="submit2" name="login" class="btn btn-secondary pull-right">login</button>                </div>            </div>        </form>    </body> 


Comments

Popular posts from this blog

android - InAppBilling registering BroadcastReceiver in AndroidManifest -

python Tkinter Capturing keyboard events save as one single string -

sql server - Why does Linq-to-SQL add unnecessary COUNT()? -