In this video / article on PHP Security I will show you how to create more secure new user registration scripts. I’ll show you how to:
Fight off SQL Injection by thinking about your queries
Set up a CAPTCHA system that will protect you from brute force attacks
Lock down authentication hacks by forcing proper user ids and passwords
This is a continuation of the code we created in PHP Security Pt 2. You should watch that video before you proceed. You will also find it easier to follow along if you print out the code that follows the video below.
The page where you can get the Captcha code is here reCaptcha. The code that follows the video is much more secure and you can use it however you like. I’m not claiming it is 100% secure, just that it is much more secure than most registration scripts I have seen.
If you have any questions or comments leave them below.
Code From the Video
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN”
if (isset($_POST[‘submitted’])) { // Handle the form.
// Check for a first name.
// Unquote a quoted string with stripslashes
if (preg_match (‘%^[A-Za-z\.\’ \-]{2,15}$%’, stripslashes(trim($_POST[‘first_name’])))) {
$fn = escape_data($_POST[‘first_name’]);
} else {
$fn = FALSE;
echo ‘<p><font color=”red” size=”+1″>Please enter your first name!</font></p>’;
}
// Check for a last name.
if (preg_match (‘%^[A-Za-z\.\’ \-]{2,30}$%’, stripslashes(trim($_POST[‘last_name’])))) {
$ln = escape_data($_POST[‘last_name’]);
} else {
$ln = FALSE;
echo ‘<p><font color=”red” size=”+1″>Please enter your last name!</font></p>’;
}
// Check for an email address.
if (preg_match (‘%^[A-Za-z0-9._\%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$%’, stripslashes(trim($_POST[’email’])))) {
$e = escape_data($_POST[’email’]);
} else {
$e = FALSE;
echo ‘<p><font color=”red” size=”+1″>Please enter a valid email address!</font></p>’;
}
// Check for a street.
if (preg_match (‘%^[A-Za-z0-9\.\’ \-]{5,30}$%’, stripslashes(trim($_POST[‘street’])))) {
$s = escape_data($_POST[‘street’]);
} else {
$s = FALSE;
echo ‘<p><font color=”red” size=”+1″>Please enter your street address!</font></p>’;
}
// Check for a city.
if (preg_match (‘%^[A-Za-z\.\’ \-]{2,25}$%’, stripslashes(trim($_POST[‘city’])))) {
$c = escape_data($_POST[‘city’]);
} else {
$c = FALSE;
echo ‘<p><font color=”red” size=”+1″>Please enter a valid city!</font></p>’;
}
// Check for a state.
if (preg_match (‘%^(A[KLRZ]|C[AOT]|D[CE]|FL|GA|HI|I[ADLN]|K[SY]|LA|M[ADEINOST]|N{CDEHJMVY]|O[HKR]|PA|RI|S[CD]|T[NX]|UT|V[AT]|W[AIVY])$%’, stripslashes(trim($_POST[‘state’])))) {
$st = escape_data($_POST[‘state’]);
} else {
$st = FALSE;
echo ‘<p><font color=”red” size=”+1″>Please enter a valid state!</font></p>’;
}
// Check for a zip code.
if (preg_match (‘%^[0-9]{5}$%’, stripslashes(trim($_POST[‘zip’])))) {
$z = escape_data($_POST[‘zip’]);
} else {
$z = FALSE;
echo ‘<p><font color=”red” size=”+1″>Please enter a valid 5 digit zip code!</font></p>’;
}
// Check for a phone number.
// ‘)”;delete from users where user_id=”9″;
if (preg_match (‘%^([0-9]( |-)?)?(\(?[0-9]{3}\)?|[0-9]{3})( |-)?([0-9]{3}( |-)?[0-9]{4}|[a-zA-Z0-9]{7})$%’, stripslashes(trim($_POST[‘work_phone’])))) {
$ph = escape_data($_POST[‘work_phone’]);
} else {
$ph = FALSE;
echo ‘<p><font color=”red” size=”+1″>Please enter a valid phone number!</font></p>’;
}
// Check for a valid userid
if (preg_match (‘%\A(?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{8,}\z%’, stripslashes(trim($_POST[‘userid’])))) {
$ui = escape_data($_POST[‘userid’]);
} else {
$ui = FALSE;
echo ‘<p><font color=”red” size=”+1″>Please enter a valid userid!</font></p>’;
}
// Check for a password and match against the confirmed password.
if (preg_match (‘%\A(?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{8,}\z%’, stripslashes(trim($_POST[‘password1’])))) {
if (($_POST[‘password1’] == $_POST[‘password2’]) && ($_POST[‘password1’] != $_POST[‘userid’])) {
echo ‘<br /><br /><h1>Thank you for registering! A confirmation email has been sent to your address. Please click on the link in that email in order to activate your account.</h1>’;
exit();
} else { // If it did not run OK.
echo ‘<p><font color=”red” size=”+1″>You could not be registered due to a system error. We apologize for any inconvenience.</font></p>’;
}
} else { // The email address is not available.
echo ‘<p><font color=”red” size=”+1″>That email address has already been registered. If you have forgotten your password, use the link to have your password sent to you.</font></p>’;
<p><b>State:</b> <input type=”text” name=”state” size=”2″ maxlength=”2″ value=”<?php if (isset($_POST[‘state’])) echo $_POST[‘state’]; ?>” /> <small>Use only the two letter initials</small></p>
<p><b>User ID:</b> <input type=”password” name=”userid” size=”20″ maxlength=”20″ /> <small>Must contain a letter of both cases, a number and a minimum length of 8 characters.</small></p>
<p><b>Password:</b> <input type=”password” name=”password1″ size=”20″ maxlength=”20″ /> <small>Must contain a letter of both cases, a number and a minimum length of 8 characters.</small></p>
I have been working to get the login scripts working to provide a secure login area on my sites. I thought I had it when I completed the registration form and received the email. This line in the above script references a file I did not find in your zip file:
// Attach the random activation code in the link sent to the email
$body .= “http://localhost/activate.php?x=” . mysql_insert_id() . “&y=$a”;
Here is the code that would be needed to activate the account. Make sure you change the backquotes into normal quotes in the code below with a find and replace
0) && (strlen($y) == 32)) {
$query = “UPDATE users SET active=NULL WHERE (user_id=$x AND active='” . escape_data($y) . “‘) LIMIT 1”;
Thank you. I have all of the code in that tutorial series. It works, but you have to change all of the back quotes into normal quotes because of a past security system I used.
I used your php security code to verify my text fields (such as pass, username, first name) in the form, it works, BUT after it verifies the first text field in the form it submits the form without checking and making sure if the rest of the field are OK.
And One more question? do you need to bee on the server to verify email conformation or you
can do this on MAMP?
Sorry I don’t use MAMP. I always wondered why Mac users use MAMP? Apache, mysql, and everything else is installed by default without MAMP. Your web server is located at /Library/WebServer/Documents on all Macs as far as I know
Hello I was wondering is the any extra security required when you let the visitors upload pictures, vidioes
And if yes if you please make a tutorial about.
I would really appreciate that.
By the way your tutorials are very usefull,
I would say I am new to web development
And I learnning alot from your tutorials.
If you allow people to upload anything to your site you’re creating a potential security issue. Anything uploaded must undergo a name change, it has to be secured in a folder that has no access to important information on your server. You then must refer to it using a completely different hard to guess name from there after.
I plan to cover how you can verify that an image really is an image in the future. I’ll also cover how to secure uploads. An encryption tutorial is also in the works
Derek, do you have a pagination tutorial with a form enabling the end user to search for a particular item. The reason I ask is I have the pagination sorted and working http://goo.gl/yHpOZ and in a separate project I have the search form working http://goo.gl/88H2V but I cannot seem to integrate the two. If you havent got a tutorial on this maybe you would consider it for a future project? Thanks
I’m sorry, but I haven’t made a pagination tutorial aside from what I did with the tools used in wordpress. I’m planning on making a pHP tutorial that lives up to the standards of my Java tutorial. I have to finish my Java tutorial first though. I’ll do my best to slip in that tutorial if possible
I have been working to get the login scripts working to provide a secure login area on my sites. I thought I had it when I completed the registration form and received the email. This line in the above script references a file I did not find in your zip file:
// Attach the random activation code in the link sent to the email
$body .= “http://localhost/activate.php?x=” . mysql_insert_id() . “&y=$a”;
Do you have a link to the activate.php file?
I’m traveling right now and don’t have access to my computer. As soon as I can I’ll send you that script.
Have you located the activate script?
Here is the code that would be needed to activate the account. Make sure you change the backquotes into normal quotes in the code below with a find and replace
0) && (strlen($y) == 32)) {
$query = “UPDATE users SET active=NULL WHERE (user_id=$x AND active='” . escape_data($y) . “‘) LIMIT 1”;
$result = mysql_query ($query) or trigger_error(“Query: $query\nMySQL Error: ” . mysql_error());
// Print a customized message.
if (mysql_affected_rows() == 1) {
echo “Your account is now active. You may now log in.”;
} else {
echo ‘Your account could not be activated. Please re-check the link or contact the system administrator.’;
}
// mysql_close();
} else { // Redirect.
// Start defining the URL.
$url = ‘http://’ . $_SERVER[‘HTTP_HOST’] . dirname($_SERVER[‘PHP_SELF’]);
// Check for a trailing slash.
if ((substr($url, -1) == ‘/’) OR (substr($url, -1) == ‘\\’) ) {
$url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
$url .= ‘/index.php’;
ob_end_clean(); // Delete the buffer.
header(“Location: $url”);
exit(); // Quit the script.
} // End of main IF-ELSE.
?>
First – awesome tutorials. thanks for taking the time to do this.
Secondly – is there a complete activation.php anywhere on the site or can you help out with what was cut from the script above?
Thank you. I have all of the code in that tutorial series. It works, but you have to change all of the back quotes into normal quotes because of a past security system I used.
Thank you. The front of the script seems to be missing, but I think I have it all now.
Thank you for all your tutorials.
I used your php security code to verify my text fields (such as pass, username, first name) in the form, it works, BUT after it verifies the first text field in the form it submits the form without checking and making sure if the rest of the field are OK.
And One more question? do you need to bee on the server to verify email conformation or you
can do this on MAMP?
Can you help?
Thank You
Sorry I don’t use MAMP. I always wondered why Mac users use MAMP? Apache, mysql, and everything else is installed by default without MAMP. Your web server is located at /Library/WebServer/Documents on all Macs as far as I know
Do you have a tutorial how to make them work, because i tried several times to make mysql to work and it does not seems to wont cooperate with me.
Hello I was wondering is the any extra security required when you let the visitors upload pictures, vidioes
And if yes if you please make a tutorial about.
I would really appreciate that.
By the way your tutorials are very usefull,
I would say I am new to web development
And I learnning alot from your tutorials.
Thank you.
If you allow people to upload anything to your site you’re creating a potential security issue. Anything uploaded must undergo a name change, it has to be secured in a folder that has no access to important information on your server. You then must refer to it using a completely different hard to guess name from there after.
I plan to cover how you can verify that an image really is an image in the future. I’ll also cover how to secure uploads. An encryption tutorial is also in the works
Derek, do you have a pagination tutorial with a form enabling the end user to search for a particular item. The reason I ask is I have the pagination sorted and working http://goo.gl/yHpOZ and in a separate project I have the search form working http://goo.gl/88H2V but I cannot seem to integrate the two. If you havent got a tutorial on this maybe you would consider it for a future project? Thanks
I’m sorry, but I haven’t made a pagination tutorial aside from what I did with the tools used in wordpress. I’m planning on making a pHP tutorial that lives up to the standards of my Java tutorial. I have to finish my Java tutorial first though. I’ll do my best to slip in that tutorial if possible
I have to say that you are giving so much help in developing our skills in web programming… Thanx a lot . RESPECT 🙂
Thank you very much 🙂 I’m very happy to hear that my videos are helping.
Where do I type in the code for changing permission of recaptchalib.php?
“Subo chmod 755 recaptchalib.php”
In a terminal in the folder that holds the file.