<?php 
    if (isset ($_POST['submit'])) {
            try {
                $picture = "../images/default-picsss.png";
                $sql = "
                        INSERT INTO user (username, password, fullname, address, mobile, email, picture)
                            VALUES (:username, :password, :fullname, 
                                :address, :mobile, :email, :picture );
                        INSERT INTO user_balance (username) VALUE (:username);
                ";
                $stmt = $PDO->prepare($sql);
                $stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
                $stmt->bindParam(':password', $_POST['password'], PDO::PARAM_STR);
                $stmt->bindParam(':fullname', $_POST['fullname'], PDO::PARAM_STR);
                $stmt->bindParam(':address', $_POST['address'], PDO::PARAM_STR);
                $stmt->bindParam(':mobile', $_POST['mobile'], PDO::PARAM_STR);
                $stmt->bindParam(':email', $_POST['email'], PDO::PARAM_STR);
                $stmt->bindParam(':picture', $picture, PDO::PARAM_STR);
                $stmt->execute();
                echo "<div class='alert alert-success' role='alert'>Well done! You successfully created user: <b>".$_POST['username']."</b></div>";
            }
            catch (PDOException $e) {
                echo "<div class='alert alert-danger' role='alert'>Oh snap! Failed to create new user: <b>$_POST[username]</b></div>";
            }
        }
    ?> 

No, from SQL injection you're safe with prepared statements, but you are exposed to an XSS attack, here:

echo "<div class='alert alert-success' role='alert'>Well done! You successfully created user: <b>".$_POST['username']."</b></div>";

echo "<div class='alert alert-danger' role='alert'>Oh snap! Failed to create new user: <b>$_POST[username]</b></div>";

$_POST is not sanitized, so I could inject javascript or an iframe. The Google Chrome XSS Auditor in this case will raise an alert, which is visible in the developer console.

Use filter_input() if you want to return the contents to the page:

commented: Good point. I would have missed that. +13
commented: Great explanation of XSS +0

Thanks a lot.

Now is it ok?

<?php 
    if (isset ($_POST['submit'])) {
            try {
                $picture = "../images/default-picsss.png";
                $user = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);

                $sql = "
                        INSERT INTO user (username, password, fullname, address, mobile, email, picture)
                            VALUES (:username, :password, :fullname, 
                                :address, :mobile, :email, :picture );
                        INSERT INTO user_balance (username) VALUE (:username);
                ";
                $stmt = $PDO->prepare($sql);
                $stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
                $stmt->bindParam(':password', $_POST['password'], PDO::PARAM_STR);
                $stmt->bindParam(':fullname', $_POST['fullname'], PDO::PARAM_STR);
                $stmt->bindParam(':address', $_POST['address'], PDO::PARAM_STR);
                $stmt->bindParam(':mobile', $_POST['mobile'], PDO::PARAM_STR);
                $stmt->bindParam(':email', $_POST['email'], PDO::PARAM_STR);
                $stmt->bindParam(':picture', $picture, PDO::PARAM_STR);
                $stmt->execute();
                echo "<div class='alert alert-success' role='alert'>Well done! You successfully created user: <b>$user</b></div>";
            }
            catch (PDOException $e) {
                echo "<div class='alert alert-danger' role='alert'>Oh snap! Failed to create new user: <b>$user</b></div>";
            }
        }
    ?> 

`

Member Avatar for diafol

Not sure $user will be passed to the catch branch. You make no use of $e. No exceptions thrown to pass data in the try branch.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.