My Code: Connectivity (PHP)
<?php
$conn=mysqli_connect("localhost","root","","webchat_data");
//if($conn)
//{
// echo "hi";
//}
if(!$conn){
die("CONNECTION FAILED" .mysqli_connect_error());
}
?>
Signup
<?php
include 'connectivity.php';
$uname=($_POST['uname']);
$email=($_POST['Email']);
$pass=($_POST['Password']);
$sql = "INSERT INTO `sign-up`(USERNAME,EMAIL_ID,PASSWORD) VALUES('$uname','$email','$pass')";
//$result=$conn->query($sql);
$result = mysqli_query($conn, $sql);
//$query=mysqli_query($conn,$sql);
header("Location:index.php");
?>
Someone told me that my query is good for a learner, but not for real world applications. Please make some recommendations to make this code more suitable for real world scenarios.
- (+8) Two words: SQL injection. (Glorfindel, May 17, 2019 at 20:57)
- (+2) Based on the size of the code this isn't really a question for code review, but there are 28 answers to this question at stackoverflow.com/questions/60174/…. As @Glorfindel indicated this is wide open for a SQL Injection attack. (pacmaninbw ♦, May 17, 2019 at 21:02)
- There are so many bad practices at play here that I don't even know where to start. You may want to learn more about PHP before working with real user data. Start with the most common PHP questions at Stack Overflow. (John Conde, May 18, 2019 at 0:45)
- I would NOT like to register an account with the site that is using the posted code. (mickmackusa, May 18, 2019 at 4:13)
2 Answers
As was said in the comments, this code needs not a review but just some basic practices. That said, good basic practices are a rare specimen in the wild, so you cannot be blamed, given the number of awful tutorials out there. Luckily I am the renowned collector of good practices, and here you are.
Connectivity
There are many things that could be improved in your connectivity file. To name a few:
- the connection character set must be configured to avoid issues with characters
- the proper error reporting mode for mysqli must be set
- the connection error must not be bluntly echoed out
All these issues are covered in my article How to connect properly using mysqli, so let's take the code from there:
<?php
$host = '127.0.0.1';
$db = 'webchat_data';
$user = 'root';
$pass = '';
$charset = 'utf8mb4';
// make mysqli throw exceptions instead of silently returning false
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
$conn = new mysqli($host, $user, $pass, $db);
$conn->set_charset($charset);
} catch (\mysqli_sql_exception $e) {
// rethrow without the original stack trace, which would expose the credentials
throw new \mysqli_sql_exception($e->getMessage(), $e->getCode());
}
Password hashing
In two words, never store passwords in plain text. Use password_hash() function instead. This topic is thoroughly explained in the question: https://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely
Prepared statements
Just never add a variable to an SQL query directly, but mark its place with a question mark instead. Then bind the actual variable and finally call execute().
In detail this matter is explained in this question: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
So here is your signup code reviewed:
<?php
include 'connectivity.php';
$uname = $_POST['uname'];
$email = $_POST['Email'];
// store a salted hash, never the plain-text password
$pass = password_hash($_POST['Password'], PASSWORD_DEFAULT);
// placeholders keep the user input out of the SQL text
$sql = "INSERT INTO `sign-up`(USERNAME,EMAIL_ID,PASSWORD) VALUES(?,?,?)";
$stmt = $conn->prepare($sql);
$stmt->bind_param("sss", $uname, $email, $pass);
$stmt->execute();
header("Location:index.php");
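The reviewed signup code stores a password_hash() result, so the login side has to check it with password_verify() rather than comparing strings in SQL. The following login handler is an added example written for this review; it is not code from the question or from the answer above. It assumes connectivity.php defines $conn exactly as in the answer (mysqli with exception reporting enabled), that the `sign-up` table has the USERNAME and PASSWORD columns used above, and that the form posts the same uname and Password fields as the signup form; the dummy-hash trick, the rehash step and the session handling are this example's own additions.

```php
<?php
// Added example: login counterpart to the reviewed signup code above.
// Assumes connectivity.php provides $conn (mysqli, exceptions enabled)
// and that `sign-up`(USERNAME, PASSWORD) holds password_hash() output.
declare(strict_types=1);

include 'connectivity.php';

/**
 * Return the stored hash for $uname, or null if the user does not exist.
 * The placeholder keeps the username out of the SQL text entirely, so a
 * quote or comment marker in the input is stored and compared literally.
 */
function findPasswordHash(mysqli $conn, string $uname): ?string
{
    $stmt = $conn->prepare("SELECT PASSWORD FROM `sign-up` WHERE USERNAME = ?");
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $stmt->bind_result($hash);          // works without the mysqlnd driver
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (string)$hash : null;
}

/**
 * Verify a submitted password. If the stored hash was produced with an
 * older cost or algorithm than PASSWORD_DEFAULT now uses, replace it
 * transparently while the plain password is available.
 */
function checkLogin(mysqli $conn, string $uname, string $password): bool
{
    // Hash of a throwaway random password (hypothetical value, computed once
    // per request here; a real app would compute it at startup). Verifying
    // against it for unknown usernames keeps the response time similar for
    // existing and non-existing accounts, so timing does not reveal which
    // usernames are registered.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    $storedHash = findPasswordHash($conn, $uname);
    $hash = $storedHash ?? $dummyHash;

    if (!password_verify($password, $hash) || $storedHash === null) {
        return false;
    }

    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $conn->prepare("UPDATE `sign-up` SET PASSWORD = ? WHERE USERNAME = ?");
        $stmt->bind_param("ss", $newHash, $uname);
        $stmt->execute();
        $stmt->close();
    }
    return true;
}

$uname    = (string)($_POST['uname'] ?? '');
$password = (string)($_POST['Password'] ?? '');

if ($uname === '' || $password === '') {
    http_response_code(400);
    exit('Username and password are required.');
}

session_start();
if (checkLogin($conn, $uname, $password)) {
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['user'] = $uname;
    header("Location: index.php");
    exit;                           // stop the script after a redirect
}

http_response_code(401);
echo 'Invalid username or password.';   // one message for both failure cases
```

Two design points are worth noting. The failure message and the dummy-hash verification are the same whether the username exists or not, so the login page does not tell an outsider which accounts are registered. And password_needs_rehash() lets you raise the hashing cost in the future without forcing a password reset: each user's hash is upgraded the next time they log in.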
The most important points:
Never use user input in unsecured queries. Use prepared statements!
Never save passwords in cleartext. A common form is hashing.
Unfortunately, these topics would exceed this format.