yesganesh yesganesh -3 years ago 118
MySQL Question

Validation Display in Registration form with Bootstrap

In the following code in crudindex.php if I enter password with length less than 6 characters error message is not showing using the span command.Required pattern is working. But messages using span command is not displaying ex : if i enter length less than 6 in password no error message displays

What is wrong in this code?

<?php
$con = mysqli_connect("127.0.0.1", "kkits996_ganesh", "", "kkits996_testmysql") or die("Error " . mysqli_error($con));
$error=false;
if (isset($_POST) && (!empty($_POST))){
$uname=mysqli_real_escape_string($con,$_POST["uname"]);
$pwd=mysqli_real_escape_string($con,$_POST["pwd"]);
$cpwd=mysqli_real_escape_string($con,$_POST["cpwd"]);
$password_error="";
$cpassword_error="";
if(strlen($pwd) < 6) {
$error = true;
$password_error = "Password must be minimum of 6 characters";
}
if($pwd != $cpwd) {
$error = true;
$cpassword_error = "Password and Confirm Password doesn't match";
}

if (isset($_POST['register'])) {
# Register-button was clicked


$createsql1="INSERT INTO cruduser(id,username,password) VALUES
('','$uname','$pwd')";

if (mysqli_query($con,$createsql1)) {
echo "Insert Successful in Table cruduser";
mysqli_close($con);
//Redirect because we need to consider the post request from crudadd.php
header( 'Location: crudaddusr.php' ) ;
//include ("crudadd.php");
}
else
{
die(mysqli_error($con));
}
}
if (isset($_POST['login'])) {
# Login-button was clicked
session_start();
$SESSION['suname']=$uname;
$SESSION['spwd']=$pwd;
if ($uname=='admin' && $pwd=='admin') {
include('crudview.php');
}
else
{
header( "Location: crudeditusr.php?suname=$uname&spwd=$pwd");
}
}
mysqli_close($con);
}
?>
<!--DocType HTML -->
<! bootstrap link is downloaded from bootstrapcdn.com for css and js -->
<! col-mod-6 col-mod-offset are bootstrap related-->
<HTML>
<head>
<title>"Add records in CRUD Table"</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="row">
<form method="post" class="form-horizontal col-mod-6 col-mod-offset-3">
<h2>Create The table CRUD</h2>
<div class="form-group">
<label for="input" class="col-sm-2 control-label">Username : </label>
<div class="col-sm-10">
<input type="text" name="uname" required pattern="^[A-Za-z0-9]+" class="form-control" id="input1" placeholder="Username"/>
</div>
</div>
<div class="form-group">
<label for="input" class="col-sm-2 control-label">Password: </label>
<div class="col-sm-10">
<input type="password" name="pwd" required pattern="^[A-Za-z0-9]+" class="form-control" id="input1" placeholder="Password"/>
<span class="error"><?php if (isset($password_error)) echo $password_error;?></span>
</div>
</div>
<div class="form-group">
<label for="input" class="col-sm-2 control-label">Confirm Password : </label>
<div class="col-sm-10">
<input type="password" name="cpwd" required pattern="^[A-Za-z0-9]+" class="form-control" id="input1" placeholder="Confirm Password"/>
<span class="text-danger"><?php if (isset($cpassword_error)) echo $cpassword_error; ?></span>
</div>
</div>
<div class="row">

<div class="col-mod-6 col-mod-offset-3">
<button id="submit1" name="register" class="btn btn-primary pull-right">Register</button>
<button id="submit2" name="login" class="btn btn-secondary pull-right">Login</button>
</div>
</div>
</form>
</body>
</html>

Answer Source

This is a working example to display your errors and prevent some security problems. I have removed the required pattern from your html. You didn't properly set errors. You can handle errors with php and display them. Plus you didn't use action="path/to/handleform.php".

And your redirect should be in login: header( "Location: crudeditusr.php?suname=".$uname."&spwd=".$pwd);

There are 3 security problems here:

  • SQL injection. SOLUTION=> prepared statement
  • Password saved as plain text. SOLUTION=> password_hash()
  • Cross-Site Request Forgery (CSRF). SOLUTION=> input hidden with a token

    <?php
    $con = mysqli_connect("127.0.0.1", "kkits996_ganesh", "", "kkits996_testmysql")  or die("Error " . mysqli_error($con));
    
    // Declare array for errors
    $error=array();
    
    //-----------------------------------------------------//
    //---------------------CSRF PROTECT--------------------//
    //-----------------------------------------------------//
    
    //generate a token/
    function generateToken( $formName )
    {   
        //secret_key change it
        $secretKey ='?@GEskki58668445744!Erpoejsj48';
       if ( !session_id() ) 
       {
           session_start();
       }
       $sessionId = session_id();
       return hash('sha512', $formName.$sessionId.$secretKey );
    }
    
    //check if the token is valid
    function checkToken( $token, $formName)
    {
       return $token === generateToken( $formName );
    }
    
    //Separate REGISTER AND LOGIN TO NOT BE CONFUSED//
    
    //-----------------------------------------------------//
    //---------------------REGISTRATION--------------------//
    //-----------------------------------------------------//
    if ( isset($_POST['register']) && checkToken( $_POST['csrf_token'], 'userFromRegistration' )  ) 
    {
        //if the username required
        if(!preg_match('/^[A-Za-z0-9]+$/',$_POST['uname']))
        {
             $error['username'] = "Username must have alphanumeric characters ";
        }
    
        //if password has less than 6 characters
        if(strlen($_POST['pwd']) < 6)
        {
             $error['password'] = "Password must be minimum of 6 characters";
        }
    
        //if password does not match
       if($_POST['pwd'] !== $_POST['cpwd'] OR empty($_POST['cpwd']) ) 
       {
             $error['passwordmatch'] = "Password and Confirm Password doesn't match";
       }
    
        //if empty error array
        if( !array_filter($error) )
        {
             //trim data
             $username = trim( $_POST['uname'] );
    
             // Hash you password, never save PASSWORD AS PLAIN TEXT!!!!!!!
             // MYSQL! : Allow your storage to expand past 60 characters (VARCHAR 255 would be good)
             $password = password_hash( $_POST['pwd'], PASSWORD_DEFAULT);
    
             //if the id is autoincremented leave id
             //----------USE PREPARED STATEMENT FOR SQL INJECTION---//
    
             $query = 'INSERT INTO cruduser (username, password) VALUES (?,?)';
             $stmt = $con->prepare($query);
             $stmt->bind_param("ss", $username, $password);
             $stmt->execute();
             $stmt->close();
             $con->close();
    
             //Redirect because we need to consider the post request from crudadd.php
             header( 'Location: crudaddusr.php' ) ;
         }
    }
    
    //-----------------------------------------------------//
    //------------------------LOGIN------------------------//
    //-----------------------------------------------------//
    if (isset($_POST['login']))
    {
         //what ever you want
         //Use password_verify() and session_regenerate_id() 
         //to compare passwords and to generate a session id to prevent session fixation.
          session_start();
          $uname = $_POST['uname'];
          $pwd = $_POST['pwd'];
    
          //if you don't need it delete it
          $SESSION['suname']=$unmane;
          $SESSION['spwd']=$pwd;
    
          if ($uname=='admin' && $pwd=='admin')
          {
              include('crudview.php');
          }
          else
          {
              header( "Location: crudeditusr.php?suname=".$uname."&spwd=".$pwd);
          }
        } 
    ?>
    
    <!--HTMl PART-->
    <!DOCTYPE html>
    <html>
        <head>
            <title>"Add records in CRUD Table"</title>
            <!-- bootstrap link is downloaded from bootstrapcdn.com for css and js -->
            <!-- col-mod-6 col-mod-offset are bootstrap related-->
            <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
            <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
        </head>
        <body>
        <div class="container"> 
            <div class="row">
                <form method="post" action="" class="form-horizontal col-mod-6 col-mod-offset-3">
                <input type="hidden" name="csrf_token" value="<?php echo generateToken('userFromRegistration'); ?>" required/>
                <h2>Create The table CRUD</h2>
                <div class="form-group">
                    <label for="input" class="col-sm-2 control-label">Username : </label>
                    <div class="col-sm-10 <?php if( !empty( $error['username'] ) ){ echo 'has-error';}  ?> ">
                        <input type="text" name="uname" class="form-control" id="input1" placeholder="Username"/>
                        <span class="help-block"><?php if (!empty($error['username'])) echo $error['username'];?></span>
                    </div>
                </div>
                <div class="form-group">
                    <label for="input" class="col-sm-2 control-label">Password: </label>
                    <div class="col-sm-10 <?php if( !empty( $error['password'] ) ){ echo 'has-error';}  ?>">
                        <input type="password" name="pwd"  class="form-control" id="input1" placeholder="Password"/>
                        <span class="help-block"><?php if (!empty($error['password'])) echo $error['password'];?></span>
                    </div>
                </div>
                <div class="form-group">
                    <label for="input" class="col-sm-2 control-label">Confirm Password : </label>
                    <div class="col-sm-10 <?php if( !empty( $error['passwordmatch'] ) ){ echo 'has-error';}  ?>">
                        <input type="password" name="cpwd" class="form-control" id="input1" placeholder="Confirm Password"/>
                        <span class="help-block"><?php if (!empty($error['passwordmatch'])) echo $error['passwordmatch'];?></span>
                    </div>
                </div>
                <div class="row">
    
                    <div class="col-mod-6 col-mod-offset-3">
                       <button id="submit1" name="register" class="btn btn-primary pull-right">Register</button>
                       <button id="submit2" name="login" class="btn btn-secondary pull-right">Login</button>
                   </div>
               </div>
           </form>
       </body>
    

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download