Commit 976462b2 by sopham

sanitize inpu

parent a38ee877
Showing with 13 additions and 49 deletions
<?php
session_start();
//include the database connection data
require_once "dbconnection.php";
//make the query
if ($stmt = $link->prepare('SELECT ID,password FROM users WHERE username= ?')) {
//bind user input to query
$stmt->bind_param('s', $_POST['username']);
//execute query
$stmt->execute();
//transfer a result set from last query
$stmt->store_result();
if ($stmt->num_rows > 0) {
//bind variables to a prepared statement for result storage
$stmt->bind_result($id, $password);
//fetch results from the prepared statement to bound variables
$stmt->fetch();
//if password is correct, establish session
if ($_POST['password'] === $password) {
session_regenerate_id();
$_SESSION['loggedin'] = TRUE;
$_SESSION['name'] = $_POST['username'];
$_SESSION['id'] = $id;
header('Location:index.php');
} else {
echo "Incorrect password";
}
}
else echo 'Incorrect username';
//close the statement
$stmt->close();
}
//close the connection
$link->close();
?>
...@@ -4,6 +4,10 @@ session_start(); ...@@ -4,6 +4,10 @@ session_start();
//include database connection data //include database connection data
include_once "dbconnection.php"; include_once "dbconnection.php";
//sanitize user input
include_once "sanitize.php";
$task = sanitizeInputVar($link, $_POST['task']);
//make the query //make the query
$query = "INSERT INTO toDoList (task, userID) VALUES (?,?) "; $query = "INSERT INTO toDoList (task, userID) VALUES (?,?) ";
...@@ -11,7 +15,7 @@ $query = "INSERT INTO toDoList (task, userID) VALUES (?,?) "; ...@@ -11,7 +15,7 @@ $query = "INSERT INTO toDoList (task, userID) VALUES (?,?) ";
$query = $link->prepare($query); $query = $link->prepare($query);
//bind variables to the prepared query //bind variables to the prepared query
$query -> bind_param('si', $_POST['task'], $_SESSION['id']); $query -> bind_param('si', $task, $_SESSION['id']);
//execute the query //execute the query
$query -> execute(); $query -> execute();
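Review bot: The value bound at `bind_param('si', $task, ...)` has already been through `sanitizeInputVar($link, ...)` (line 47), but a mysqli prepared statement sends parameters out of band, so whatever that helper rewrites (its body is in sanitize.php, not shown; the `$link` argument suggests escaping) is stored literally in `toDoList.task` rather than neutralised — a task such as `it's` would likely persist as `it\'s`. The placeholder is the SQL defence here; the escaping step is redundant for this query and corrupts data. Line 47 also reads `$_POST['task']` with no existence check, so a request without that field raises an undefined-index notice before the query runs; `$task = trim((string) ($_POST['task'] ?? ''));` plus rejecting an empty value would replace it. If the goal is protecting the page that later displays tasks, that belongs at output time with `htmlspecialchars($task, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, not at insert time.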
...@@ -7,13 +7,18 @@ require_once "dbconnection.php"; ...@@ -7,13 +7,18 @@ require_once "dbconnection.php";
//define error variable //define error variable
$err = ""; $err = "";
//sanitize user input
include_once "sanitize.php";
$username = sanitizeInputVar($link, $_POST['username']);
$pass = sanitizeInputVar($link, $_POST['password']);
if($_SERVER["REQUEST_METHOD"] == "POST") { if($_SERVER["REQUEST_METHOD"] == "POST") {
//make the query //make the query
if ($stmt = $link->prepare('SELECT ID,password FROM users WHERE username= ?')) { if ($stmt = $link->prepare('SELECT ID,password FROM users WHERE username= ?')) {
//bind user input to query //bind user input to query
$stmt->bind_param('s', trim($_POST['username'])); $stmt->bind_param('s', trim($username));
//execute query //execute query
if($stmt->execute()){ if($stmt->execute()){
...@@ -31,10 +36,10 @@ if ($stmt = $link->prepare('SELECT ID,password FROM users WHERE username= ?')) { ...@@ -31,10 +36,10 @@ if ($stmt = $link->prepare('SELECT ID,password FROM users WHERE username= ?')) {
$stmt->fetch(); $stmt->fetch();
//if password is correct, establish session //if password is correct, establish session
if (trim($_POST['password']) === $password) { if (trim($pass) === $password) {
session_regenerate_id(); session_regenerate_id();
$_SESSION['loggedin'] = TRUE; $_SESSION['loggedin'] = TRUE;
$_SESSION['name'] = $_POST['username']; $_SESSION['name'] = $username;
$_SESSION['id'] = $id; $_SESSION['id'] = $id;
header('Location:index.php'); header('Location:index.php');
} else { } else {
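Review bot: Lines 62–63 run `sanitizeInputVar($link, $_POST['username'])` and `...$_POST['password']` before the `REQUEST_METHOD == "POST"` check on line 64, so a plain GET of this page reads undefined `$_POST` keys and hands `null` to the helper; the two assignments should move inside the `if` and default with `$username = trim((string) ($_POST['username'] ?? ''));` and `$pass = (string) ($_POST['password'] ?? '');`. Passing the password through the same helper is also a functional problem: the comparison `trim($pass) === $password` on line 74 now compares a rewritten value against the stored one, so any password containing a character the helper changes can never log in (sanitize.php is not shown, so the exact set is inferred). That line still compares the password in plaintext, which predates this commit but is the line being touched — the stored value should be a `password_hash()` digest checked with `password_verify($pass, $password)`, and trimming a password should be avoided entirely. As a smaller inconsistency, the username is trimmed for the lookup on line 68 but stored untrimmed in `$_SESSION['name']` on line 77. The enclosing `if` blocks start and end outside these hunks.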