Monday, August 23, 2010


MySQL Prepared Statements and PHP user registration

Testing some things in PHP these days, when I had a bit more free time from university, I decided to write a user registration script with relatively strong security.
First of all I use what are called Prepared Statements, which let you send a query to the DBMS while, so to speak, separating what the user enters from the code itself; that is, the engine knows which value is supplied by the user, with the main security advantage that arbitrary code cannot be injected into the query, the attack known as SQL Injection.

Here is an example of a query using Prepared Statements: a query for a news article.

$mysqli = new mysqli('host', 'user', 'pass', 'db');
$stmt = $mysqli->prepare("SELECT * FROM NEWS WHERE ID = ?");
$stmt->bind_param('i', $_GET['id']);
$stmt->execute();

In the first line we create a mysqli object; in the second we prepare the query to send to the engine, note that the expected value is marked with the ? character; the third line binds the variable to the prepared statement, note the i value, which means that the expected value is an integer. We may also use s (string), d (double) or b (binary data) depending on what is needed. In the fourth line we execute the Prepared Statement. :) In OWASP's SQL Injection Prevention section this is the first security measure listed. The good thing is that the code is not as dirty as when you have to filter all user input with functions such as int(), settype(), is_numeric(), mysql_real_escape_string(), etc.

The registration script I wrote has the following characteristics: the password is hashed with MD5 3 times (this can be changed in the code), it must be longer than 7 characters and it must contain at least one uppercase letter and one number.
This is the code, with the HTML form and the PHP.

<html>

Alta Usuario

<form action='' method='post'>
<br>
Nombre:
<br>
<input type='text' name='nombre'>
<br>
Email
<br>
<input type='text' name='email'>
<br>
Usuario:
<br>
<input type='text' name='user'>
<br>
Contraseña:
<br>
<input type='password' name='pass'>
<br>
<input type='submit' value='Enviar' name='enviar'>
</form>

<?php
# Prepared Statements
$mysqli = new mysqli('host', 'user', 'pass', 'db');
if (mysqli_connect_errno()) {
    printf("Can't connect to MySQL Server. Errorcode: %s\n", mysqli_connect_error());
    exit;
}

function pass_cript($pass) {
    // Hash the password 3 times with MD5 (the number of rounds can be changed here)
    for ($i = 0; $i < 3; $i++) {
        $pass = md5($pass);
    }
    return $pass;
}

function verificar_usuario() {
    global $mysqli;
    global $user;
    // The username is bound as a string, never concatenated into the SQL
    // (column name aligned with the one used in the INSERT below)
    $stmt = $mysqli->prepare("SELECT username FROM users WHERE username = ?");
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($result);
    # tercer if
    if ($stmt->fetch() == false) {
        verificar_pass();
    } else {
        echo "User already exists";
    }
    $stmt->close();
}

function alta() {
    global $mysqli;
    global $user;
    global $password;
    global $email;
    global $name;
    $password = pass_cript($password);
    $stmt = $mysqli->prepare("INSERT INTO users (username, password, Email, Name) VALUES (?, ?, ?, ?)");
    // Bind your variables to replace the ?s
    $stmt->bind_param('ssss', $user, $password, $email, $name);
    // Execute query
    $stmt->execute();
    printf("%d Row inserted.\n", $stmt->affected_rows);
    // Close statement object
    $stmt->close();
    echo "User " . $user . " has been registered!";
}

function verificar_pass() {
    global $password;
    // Longer than 7 characters, with at least one uppercase letter and at least one digit
    // (checked separately so the uppercase letter and the digit may appear anywhere)
    if (strlen($password) > 7) {
        if (preg_match('/[A-Z]/', $password) && preg_match('/[0-9]/', $password)) {
            alta();
        } else {
            echo "The password must contain at least one uppercase letter and one number";
        }
    } else {
        echo "The password must be longer than 7 characters";
    }
}

# Primer if
if (!empty($_POST['enviar'])) {
    # segundo if
    if (isset($_POST['nombre']) && !empty($_POST['nombre']) && isset($_POST['email']) && !empty($_POST['email'])
        && isset($_POST['user']) && !empty($_POST['user']) && isset($_POST['pass']) && !empty($_POST['pass'])) {
        $name = $_POST['nombre'];
        $user = $_POST['user'];
        $password = $_POST['pass'];
        $email = $_POST['email'];
        verificar_usuario();
    } # cierra segundo if
    else {
        echo "You must fill in all the fields, thank you";
    }
} # cierra primer if
?>

</html>



I will explain the code, I mean its sequence, so that it can be understood, and then those who want to can use it for their own registration XD or test it.
At line 105 is where I verify that all the form data are defined and not blank; if so, I take those values and call verificar_usuario(). What this function does is check whether the user you want to register already exists in the database; if it does, it prints the message "User already exists" and the process ends. If it does not exist, it calls verificar_pass(). This function tests the security of the password, which must satisfy the following: it must be longer than 7 characters and must contain at least one capital letter and one number.
If the password meets these restrictions, the alta() function is called; at line 57 the value of $password is passed to the pass_cript() function to hash it with MD5 3 times, and then basically the INSERT INTO for the registration is performed :).
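As an added example (not the post's own code), the same existence check and INSERT written as one function without globals, with the duplicate-key error caught so that two requests registering the same name at the same moment cannot both succeed. It assumes the post's `users` table (username, password, Email, Name) with a UNIQUE index on username, and it swaps the post's triple MD5 for PHP's built-in password_hash(), which is the standard way to store passwords since PHP 5.5.

```php
<?php
// Added example, not the post's code. Assumes a `users` table
// (username, password, Email, Name) with a UNIQUE index on username.
// The post's triple MD5 is replaced by password_hash().

function password_ok(string $password): bool {
    // Longer than 7 characters, at least one uppercase letter and one digit
    return strlen($password) > 7
        && preg_match('/[A-Z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1;
}

function register_user(mysqli $db, string $user, string $password,
                       string $email, string $name): string {
    if (!password_ok($password)) {
        return 'Password must be longer than 7 characters with an uppercase letter and a digit';
    }
    // Existence check: the username is bound as a string, never concatenated
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    if ($exists) {
        return 'User already exists';
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password, Email, Name) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $user, $hash, $email, $name);
    try {
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        // 1062 = duplicate key: another request inserted the same username
        // between our SELECT and our INSERT, so the UNIQUE index rejected it
        return $e->getCode() === 1062 ? 'User already exists' : 'Registration failed';
    } finally {
        $stmt->close();
    }
    return "User $user has been registered";
}

// Usage (constructed): with error reporting on, mysqli failures throw
// exceptions instead of silently returning false
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('host', 'user', 'pass', 'db');
echo register_user($db, $_POST['user'] ?? '', $_POST['pass'] ?? '',
                   $_POST['email'] ?? '', $_POST['nombre'] ?? '');
```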
Here are some links to continue reading about Prepared Statements:


http://mattbango.com/notebook/web-development/prepared-statements-in-php-and-mysqli/

http://www.ultramegatech.com/blog/2009/07/using-mysql-prepared-statements-in-php/
http://www.hiteshagrawal.com/mysql/mysql-prepared-statement-in-php

Greetings
