I have managed to successfully set up my own PHP/MySQL login system but would like to refine the registration process. Basically, I want all values submitted to be checked for empty values (and return an error if true) but also I want to have them sanitised at some point too. My code is below, just for the registration process - I've omitted everything else but this should be all anyone needs for reference.
<?php session_start();
include "connect.php"; // expected to provide $MySQL, a mysqli connection
$reg = array(
    "regEmail"    => filter_var($_POST["email"], FILTER_SANITIZE_EMAIL),
    "regForename" => filter_var($_POST["forename"], FILTER_SANITIZE_SPECIAL_CHARS),
    "regSurname"  => filter_var($_POST["surname"], FILTER_SANITIZE_SPECIAL_CHARS),
    "regPassword" => filter_var($_POST["password"], FILTER_SANITIZE_SPECIAL_CHARS),
);
foreach ($reg as $value) {
    if (empty($value)) {
        header("location: error.php");
    } else {
        // the values are interpolated straight into the query string
        $regUser = "INSERT INTO users (email,password,forename,surname) VALUES ('{$reg['regEmail']}', '{$reg['regPassword']}', '{$reg['regForename']}', '{$reg['regSurname']}')";
        if (isset($_POST["submit"])) {
            if (mysqli_query($MySQL, $regUser)) {
                header("location: registration-confirmation.php");
            } else {
                header("location: error.php");
            }
        }
        // closes the connection on the first non-empty field, so later iterations cannot run the query
        $MySQL->close();
    }
}
?>
Can anyone assist with this? I can use some simple if/else conditions for each piece of form data but this seems a bit cumbersome and not very efficient.
I fully expect to be told that my code is a disaster but what's more important to me as a beginner is that I'm thinking in the right logical mind-set.
I am a beginner so just trying to learn as much as possible!
Thanks for looking.
Personally, I do just what you say. I have an if statement for each field, and add to an $errors array if there are any errors. If there are any errors, display them to the user.
if (!is_numeric($adjustmentInputs[$i]['StartYear'])) {
    $errors['adjustmentInputs'] = "Start Year must be a numeric value. Please return to the input page and input only numbers and decimal points.";
}
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');
$data = array(
    'email'    => $_POST["email"],
    'forename' => $_POST["forename"],
    'surname'  => $_POST["surname"],
    'password' => $_POST["password"],
);
$errors = array();
foreach ($data as $key => $value) {
    if (empty($value)) {
        // Creates an array of the missing values so you can let the user know which
        // fields they have missed out
        $errors[] = $key;
    }
}
// Check once, after every field has been looked at, so all missing fields are reported together
if (!empty($errors)) {
    return 'You have missed the following fields ' . implode(',', $errors);
}
$stmt = $db->prepare("
    INSERT INTO users (email, password, forename, surname)
    VALUES (:email, :password, :forename, :surname)"
);
// Each placeholder is bound to its matching field; the values never become part of the SQL text
$stmt->bindValue(':email',    $data['email'],    PDO::PARAM_STR);
$stmt->bindValue(':password', $data['password'], PDO::PARAM_STR);
$stmt->bindValue(':forename', $data['forename'], PDO::PARAM_STR);
$stmt->bindValue(':surname',  $data['surname'],  PDO::PARAM_STR);
if (true === $stmt->execute()) {
    header("location: registration-confirmation.php");
} else {
    header("location: error.php");
}
Something like this would probably work (I haven't tested it). You really need to look at hashing your passwords, saving them as plain-text is really not a good idea.
Also you might want to look at better error handling. It's easier to debug if you know why a query failed rather than redirecting to a generic error page.
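Putting the answer's advice together (collect every validation error before touching the database, bind values instead of interpolating them, hash the password), here is an added example that is neither the question's nor the answer's code. It assumes the `users` table and column names from the question and uses placeholder PDO credentials.

```php
<?php
// Added example (not the question's or answer's code). Assumes a `users` table with
// columns email, password, forename, surname; DSN and credentials are placeholders.
function validateRegistration(array $post): array
{
    $errors = [];
    foreach (['email', 'forename', 'surname', 'password'] as $field) {
        // treat missing or whitespace-only input as empty (empty() would also reject "0")
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[$field] = "$field is required";
        }
    }
    if (!isset($errors['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email is not a valid address';
    }
    if (!isset($errors['password']) && strlen($post['password']) < 8) {
        $errors['password'] = 'password must be at least 8 characters';
    }
    return $errors; // empty array means every field passed
}

function registerUser(PDO $db, array $post): bool
{
    // Values are bound, never concatenated into the SQL, so quotes in input cannot alter the query.
    $stmt = $db->prepare('INSERT INTO users (email, password, forename, surname)
                          VALUES (:email, :password, :forename, :surname)');
    return $stmt->execute([
        ':email'    => $post['email'],
        ':password' => password_hash($post['password'], PASSWORD_DEFAULT), // store a hash, not plain text
        ':forename' => $post['forename'],
        ':surname'  => $post['surname'],
    ]);
}

if (isset($_POST['submit'])) {
    $errors = validateRegistration($_POST);
    if ($errors !== []) {
        // report every problem at once instead of redirecting to a generic error page
        foreach ($errors as $message) {
            echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . "<br>\n";
        }
        exit;
    }
    $db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    registerUser($db, $_POST);
    header('Location: registration-confirmation.php');
    exit;
}
```

With `ERRMODE_EXCEPTION` a failed insert throws a `PDOException` carrying the driver's message, which is the detail the answer says you need for debugging; at login time, check the stored hash with `password_verify()`.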