
I'm trying to create a user registration script for my website, and although my current code works, I'm wondering if the syntax is correct, and if there are modifications that I need to make to increase security and avoid mistakes.

My registration form has multiple fields, some of which cannot be null (ex. email and password), and some of which can be null (ex. birthdate). Each field has jquery / client-side validation, and the form cannot be submitted until the required fields are set. After checking if the registration form has been submitted, I'm saving up the information in different variables as follows:

    $email = isset($_POST['email']) ? $database->escape($_POST['email']) : "";
    $birthdate = isset($_POST['birthdate']) ? $database->escape($_POST['birthdate']) : "";

I know I need to escape the information before saving, which is what the escape function does in this case, but other than that, I'm wondering if my approach/logic is wrong?

Should I be checking both isset and empty for each field, or should I have a different approach for fields that can be null and those that can't? For example:

    $email = isset($_POST['email']) && !empty($_POST['email']) ? $database->escape($_POST['email']) : "";

Or is checking for !empty enough in such a case?

    $email = !empty($_POST['email']) ? $database->escape($_POST['email']) : "";

Before the SQL insertion I'm checking if(empty($email)), in which case the registration doesn't go through, so I'm confused as to whether I do need both the isset and empty checks when first retrieving the information and saving it to variables.

Thanks for any help/advice you can give me on this topic. I graduated 2 years ago and have mostly worked on frontend web design. I learned PHP and MySQL in school during my last two years, but nowhere in my notes or practice files do I see a mention of isset to check if a value is received; they all save the POST or GET straight to the variable, and there was no mention of mysqli or PDO, just mysql, which I know has been deprecated (and apparently there were warnings of this happening before they even taught me about it). Looks like my teachers were behind on these practices. I've learned so much about PHP and mysqli in the last few days while working on this project; I'm still confused by a lot of things, although I think I'm getting the hang of it.

  • Since you're using (or know) mysqli, you can use prepared statements instead of manually escaping every variable you plan on using in a query. Commented Jul 11, 2014 at 23:44
  • @skrilled thanks for the advice! I've been reading about prepared statements but I'm a little confused with this. In this case, should I use two different statements, one to check if the email is already in the system, and a second one to insert the data? Commented Jul 12, 2014 at 2:51
  • You can do an "insert where not exists" type command to solve this all within one statement - bogdan.org.ua/2007/10/18/mysql-insert-if-not-exists-syntax.html Commented Jul 14, 2014 at 18:49
  • As far as prepared statements go, they have a good example @ php.net/manual/en/mysqli.quickstart.prepared-statements.php - prepared statements still require you to write out the query; it just handles the escaping and dynamic insertion of variables so that you don't have to focus on injection security. Commented Jul 14, 2014 at 18:50
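The following is an added example, not code from the question or either answer, showing one way to put the comments above together: required fields are checked with isset plus a blank test, optional fields fall through to SQL NULL, the insert uses a mysqli prepared statement instead of manual escaping, and the password is stored with password_hash(). It assumes a `users` table with columns email, password_hash and a nullable birthdate, a UNIQUE index on email, and placeholder connection settings.

```php
<?php
// Added example, not from the question or the answers. Assumes a `users`
// table (email, password_hash, birthdate NULL) with a UNIQUE index on email;
// the connection settings at the bottom are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors as exceptions

// Required fields must be present and non-blank; optional fields may be absent.
// Returns the trimmed value, or null for a missing/blank optional field.
function field(array $post, string $name, bool $required): ?string
{
    $value = isset($post[$name]) ? trim((string) $post[$name]) : '';
    if ($value === '') {
        if ($required) {
            throw new InvalidArgumentException("$name is required");
        }
        return null;
    }
    return $value;
}

// Returns true on success, false if the email is already registered.
function registerUser(mysqli $db, array $post): bool
{
    $email     = field($post, 'email', true);
    $password  = field($post, 'password', true);
    $birthdate = field($post, 'birthdate', false); // nullable column

    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email is not valid');
    }
    if ($birthdate !== null && !preg_match('/^\d{4}-\d{2}-\d{2}$/', $birthdate)) {
        throw new InvalidArgumentException('birthdate must be YYYY-MM-DD');
    }

    // Bound parameters travel separately from the SQL text, so no escaping of
    // user input is needed; binding null stores SQL NULL in birthdate.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash, birthdate) VALUES (?, ?, ?)');
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted, slow hash
    $stmt->bind_param('sss', $email, $hash, $birthdate);
    try {
        return $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) { // duplicate key: UNIQUE(email) rejected it
            return false;           // replaces a separate SELECT-then-INSERT check
        }
        throw $e;
    }
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
var_dump(registerUser($db, $_POST));
```

Letting the UNIQUE index reject a duplicate email avoids the race between a separate existence check and the insert; the InvalidArgumentException messages are meant to be caught by the caller and shown to the user.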

2 Answers

You must only use empty() for mandatory fields, then escape all fields. Don't forget to hash passwords!


2 Comments

Thanks! I'm escaping each field and hashing the password with md5: $password=isset($_POST['password']) ? $database->escape($_POST['password']) : ""; $passw=md5($password);
Not isset($_POST['password']), but empty($_POST['password'])

If you use isset and you create registration:

    <?php
    $login = $_POST['login'];
    $pass  = $_POST['pass'];
    $pass2 = $_POST['pass2'];
    $age   = $_POST['age'];

    if (isset($login)) {
        if (!empty($login) AND !empty($pass) AND !empty($pass2) AND !empty($age) AND $pass == $pass2) {
            // Check length of variables...
            // AND check login in base (1 login == 1 account) :D
        } else {
            echo "Please check empty variables!";
        }
    }
    ?>

Good Luck!

2 Comments

You need to check if the $_POST variables are set; since you're declaring $login it's always going to be set, but not checking for login in $_POST will cause an error if it's not set there.
Ohh... sorry, but I write from phone and this is the short version.
