<?php
if (isset ($_POST['submit'])) {
try {
$picture = "../images/default-picsss.png";
$sql = "
INSERT INTO user (username, password, fullname, address, mobile, email, picture)
VALUES (:username, :password, :fullname,
:address, :mobile, :email, :picture );
INSERT INTO user_balance (username) VALUE (:username);
";
$stmt = $PDO->prepare($sql);
$stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
$stmt->bindParam(':password', $_POST['password'], PDO::PARAM_STR);
$stmt->bindParam(':fullname', $_POST['fullname'], PDO::PARAM_STR);
$stmt->bindParam(':address', $_POST['address'], PDO::PARAM_STR);
$stmt->bindParam(':mobile', $_POST['mobile'], PDO::PARAM_STR);
$stmt->bindParam(':email', $_POST['email'], PDO::PARAM_STR);
$stmt->bindParam(':picture', $picture, PDO::PARAM_STR);
$stmt->execute();
echo "<div class='alert alert-success' role='alert'>Well done! You successfully created user: <b>".$_POST['username']."</b></div>";
}
catch (PDOException $e) {
echo "<div class='alert alert-danger' role='alert'>Oh snap! Failed to create new user: <b>$_POST[username]</b></div>";
}
}
?>
Shabbir_1 0 Newbie Poster
cereal 1,524 Nearly a Senior Poster Featured Poster
No, from SQL injection you're safe with prepared statements, but you are exposed to an XSS attack, here:
echo "<div class='alert alert-success' role='alert'>Well done! You successfully created user: <b>".$_POST['username']."</b></div>";
echo "<div class='alert alert-danger' role='alert'>Oh snap! Failed to create new user: <b>$_POST[username]</b></div>";
$_POST is not sanitized, so I could inject javascript or an iframe. The Google Chrome XSS Auditor in this case will raise an alert, which is visible in the developer console.
Use filter_input() if you want to return the contents to the page:
rubberman commented: Good point. I would have missed that. +13
diafol commented: Great explanation of XSS +0
Shabbir_1 0 Newbie Poster
Thanks a lot.
Shabbir_1 0 Newbie Poster
Now is it ok?
<?php
if (isset ($_POST['submit'])) {
try {
$picture = "../images/default-picsss.png";
$user = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_SPECIAL_CHARS);
$sql = "
INSERT INTO user (username, password, fullname, address, mobile, email, picture)
VALUES (:username, :password, :fullname,
:address, :mobile, :email, :picture );
INSERT INTO user_balance (username) VALUE (:username);
";
$stmt = $PDO->prepare($sql);
$stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
$stmt->bindParam(':password', $_POST['password'], PDO::PARAM_STR);
$stmt->bindParam(':fullname', $_POST['fullname'], PDO::PARAM_STR);
$stmt->bindParam(':address', $_POST['address'], PDO::PARAM_STR);
$stmt->bindParam(':mobile', $_POST['mobile'], PDO::PARAM_STR);
$stmt->bindParam(':email', $_POST['email'], PDO::PARAM_STR);
$stmt->bindParam(':picture', $picture, PDO::PARAM_STR);
$stmt->execute();
echo "<div class='alert alert-success' role='alert'>Well done! You successfully created user: <b>$user</b></div>";
}
catch (PDOException $e) {
echo "<div class='alert alert-danger' role='alert'>Oh snap! Failed to create new user: <b>$user</b></div>";
}
}
?>
`
diafol
Not sure $user will be passed to the catch branch. You make no use of $e. No exceptions thrown to pass data in the try branch.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.