Welcome, Guest: Join Nairaland / LOGIN! / Trending / Recent / New
Stats: 2,758,020 members, 6,555,049 topics. Date: Monday, 25 October 2021 at 10:52 AM

Please Is This Script Free From Sql Injection And Xss Attacks - Webmasters - Nairaland

Nairaland Forum / Science/Technology / Webmasters / Please Is This Script Free From Sql Injection And Xss Attacks (437 Views)

How To Use Mp3 Tag Editor Script Free Download / Mmm Clone Script Free Download (2) (3) (4)

(1) (Reply) (Go Down)

Please Is This Script Free From Sql Injection And Xss Attacks by Nobody: 7:17am On Jan 20, 2017
I wrote a php script and I've tried to make the login as secure as possible, but I wonder if there are any flaws and is it's free from *xss* attacks and *sql injection* also the login cookies secession.

Here is the code:
Re: Please Is This Script Free From Sql Injection And Xss Attacks by Nobody: 7:19am On Jan 20, 2017
**register.php**

<?php require('includes/config.php');
j
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
$data = filter_var($data, FILTER_SANITIZE_STRING);
return $data;
}
//if logged in redirect to members page
if( $user->is_logged_in() ){ header('Location: memberpage.php'); }

$getline = test_input($_GET['line']);
$stmt = $db->prepare('SELECT * FROM members WHERE username=:getref');
$stmt->execute(array(':getref' => $getline));
while($result = $stmt->fetch(PDO::FETCH_ASSOC)){

$referral = $result['username'];
$referralz = $result['referral'];
}

$stmt = $db->prepare('SELECT * FROM members WHERE username = :referrall');
$stmt->execute(array(':referrall' => $referralz));
while($resultt = $stmt->fetch(PDO::FETCH_ASSOC)){

$sponsor = $resultt['username'];


}

if (empty($referral)){
$referral = "General";

}

if (empty($sponsor)){
$sponsor = "Omosco";

}



//if form has been submitted process it
if(isset($_POST['submit'])){

//very basic validation
if(strlen($_POST['bankaccount']) < 3){
$error[] = 'Bank Account is too short.';
}

if(!empty($_POST['bankaccount'])){

$bankaccount = test_input($_POST["bankaccount"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[0-9]+$/",$bankaccount)) {
$error[] = 'Bank Account: Only numbers are allowed';
}
}
if(strlen($_POST['firstname']) < 2){
$error[] = 'First name is too short.';
}

if(!empty($_POST['firstname'])){

$firstname = test_input($_POST["firstname"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z .]*$/",$firstname)) {
$error[] = 'Firstname: Only alphabet, dot and white space is allowed';
}
}
if(strlen($_POST['lastname']) < 2){
$error[] = 'Last name is too short.';
}

if(!empty($_POST['lastname'])){

$lastname = test_input($_POST["lastname"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z .]*$/",$lastname)) {
$error[] = 'Lastname: Only alphabet, dot and white space is allowed';
}
}
if(strlen($_POST['phonenumber']) < 7){
$error[] = 'Phone number is too short.';
}

if(!empty($_POST['phonenumber'])){

$phonenumber = test_input($_POST["phonenumber"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^((\+)?[1-9]{1,2})?([-\s\.])?((\(\d{1,4}\))|\d{1,4})(([-\s\.])?[0-9]{1,12}){1,2}(\s*(ext|x)\s*\.?:?\s*([0-9]+))?$/",$phonenumber)) {
$error[] = 'Phone Number: Only number and + is allowed';
}
}
if(strlen($_POST['country']) < 1){
$error[] = 'No country selected.';
}

if(!empty($_POST['country'])){

$country = test_input($_POST["country"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z .]*$/",$country)) {
$error[] = 'Country: Only letters, dot and white space are allowed';
}
}
if(strlen($_POST['bankname']) < 2){
$error[] = 'Bank name is too short.';
}

if(!empty($_POST['bankname'])){

$bankname = test_input($_POST["bankname"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z0-9 .]*$/",$bankname)) {
$error[] = 'BankName: Only number, alphabet, dot and white space are allowed';
}
}

if(!empty($_POST['username'])){

$username = test_input($_POST["username"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z0-9]*$/",$username)) {
$error[] = 'Username: Only alphabet and number is allowed';
}
}


if(strlen($_POST['username']) < 3){
$error[] = 'Username is too short.';
}



else {
$usernamexx = test_input($_POST['username']);
$stmt = $db->prepare('SELECT username FROM members WHERE username = :username');
$stmt->execute(array(':username' => $usernamexx));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if(!empty($row['username'])){
$error[] = 'Username provided is already in use.';
}

}

if(!empty($_POST['password'])){

$password = test_input($_POST["password"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z0-9]*$/",$password)) {
$error[] = 'Password: 1 upper/lower case & number is required';
}
}
if(strlen($_POST['password']) < 3){
$error[] = 'Password is too short.';
}

if(strlen($_POST['passwordConfirm']) < 3){
$error[] = 'Confirm password is too short.';
}

if($_POST['password'] != $_POST['passwordConfirm']){
$error[] = 'Passwords do not match.';
}

//email validation



if(!empty($_POST['email'])){

$email = test_input($_POST["email"]);
//Checks if name only contains letters and whitespace
if (!preg_match("/^[a-zA-Z0-9._*@#]*$/",$email)) {
$error[] = 'Email: Invalid email address';
}
}

if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)){
$error[] = 'Please enter a valid email address';
} else {
$emailxx = test_input($_POST['email']);
$stmt = $db->prepare('SELECT email FROM members WHERE email = :email');
$stmt->execute(array(':email' => $emailxx));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if(!empty($row['email'])){
$error[] = 'Email provided is already in use.';
}

}


//if no errors have been created carry on
if(!isset($error)){

//hash the password
$hashedpassword = $user->password_hash($_POST['password'], PASSWORD_BCRYPT);
$thedate = date("Y-m-d H:i:s"wink;
$thepause = "pause";
$thecomment = "Please call me on and after payment. Dont forget to upload the details of your payment.";
//create the activasion code
$activasion = md5(uniqid(rand(),true));

try {

//insert into database with a prepared statement
$stmt = $db->prepare('INSERT INTO members (username,password,email,active,sponsor,referral,bankaccount,surname,name,bankname,phone,country,joindate,pause,downlinemsg) VALUES (:username, :password, :email, :active, :sponsor, :referral, :bankaccount, :surname, :name, :bankname, :phone, :country, :joindate, :pause, :downlinemsg)');
$stmt->execute(array(
':username' => $username,
':password' => $hashedpassword,
':email' => $email,
':active' => $activasion,
':sponsor' => $sponsor,
':referral' => $referral,
':bankaccount' => $bankaccount,
':surname' => $firstname,
':name' => $lastname,
':bankname' => $bankname,
':phone' => $phonenumber,
':country' => $country,
':joindate' => $thedate,
':pause' => $thepause,
':downlinemsg' => $thecomment
));
$id = $db->lastInsertId('memberID');

//send email
$emailxxx = test_input($_POST['email']);
$to = $emailxxx;
$subject = "Registration Confirmation";
$body = "<p>Thank you for registering at our site.</p>
<p>To activate your account, please click on this link: <a href='".DIR."activate.php?x=$id&y=$activasion'>".DIR."activate.php?x=$id&y=$activasion</a></p>
<p>Regards Site Admin</p>";

$mail = new Mail();
$mail->setFrom(SITEEMAIL);
$mail->addAddress($to);
$mail->subject($subject);
$mail->body($body);
$mail->send();

//redirect to index page
header('Location: register.php?action=joined');
exit;

//else catch the exception and show the error.
} catch(PDOException $e) {
$error[] = $e->getMessage();
}

}

}

//define page title
$title = 'Register';

//include header template
require('layout/header.php');
?>
<!-- jQuery Form Validation code -->
<script type="text/javascript" language="JavaScript">
<!--
// Password check
$.validator.addMethod("pwcheck", function (value) {
return /[a-z]/.test(value) && /[0-9]/.test(value) && /[A-Z]/.test(value)
});

$.validator.addMethod("firstnamev", function (value) {
return /^[a-z .]+$/i.test(value)
});
$.validator.addMethod("lastnamev", function (value) {
return /^[a-z .]+$/i.test(value)
});

$.validator.addMethod("banknamev", function (value) {
return /^[a-z .]+$/i.test(value)
});
$.validator.addMethod("countryv", function (value) {
return /^[a-z .]+$/i.test(value)
});
$.validator.addMethod("usernamev", function (value) {
return /[a-zA-Z]/.test(value) && /^[a-zA-Z0-9]+$/i.test(value)
});

$.validator.addMethod("phonenumberv", function (value) { return (value.match(/^((\+)?[1-9]{1,2})?([-\s\.])?((\(\d{1,4}\))|\d{1,4})(([-\s\.])?[0-9]{1,12}){1,2}(\s*(ext|x)\s*\.?:?\s*([0-9]+))?$/)); });


$.validator.addMethod('bankaccountv', function (value) {
return /^[0-9]+$/.test(value);
}),

// Removes Error Message When reCaptcha is Checked Valid
function recaptchaCallback() {
$('#hiddenRecaptcha').valid();
};

$(function () {

$("#RegisterForm"wink.validate({
ignore: ".ignore",

invalidHandler : function() {
$('html, body').animate({
scrollTop: $("#RegisterForm"wink.offset().top // scroll top to your form on error
}, 'slow' );
}

(1) (Reply)

How Do I Upload Viral Video To My Youtube Channel Without Being Ban / Professional Web Designer Needed. Must Reside In Ibadan / How-to-protect-your-home-appliances-from-electrical-power-surges

(Go Up)

Sections: politics (1) business autos (1) jobs (1) career education (1) romance computers phones travel sports fashion health
religion celebs tv-movies music-radio literature webmasters programming techmarket

Links: (1) (2) (3) (4) (5) (6) (7) (8) (9) (10)

Nairaland - Copyright © 2005 - 2021 Oluwaseun Osewa. All rights reserved. See How To Advertise. 78
Disclaimer: Every Nairaland member is solely responsible for anything that he/she posts or uploads on Nairaland.