Josh Evans - 1 year ago
PHP Question

How to properly take input from user to HTML form?

I have a simple website hosted on 000webhost that consists of index.html and register.php. I now have a functional registration system that allows users to input information, and have the database query the info.

On 000webhost, within public_html I have:
  php: register.php
  .htaccess
  index.html

index.html simply contains a button that links to the register page, and register.php contains:

<?php

session_start();

if (isset($_POST['register_btn'])){
    if ($_POST['email1'] != $_POST['email2']){
        exit("Emails did not match.");
    }

    //connect to database
    $connect = mysqli_connect("localhost", "someUser", "somepassword", "somedb");
    if(mysqli_connect_error()){
        echo mysqli_connect_error();
        exit();
    }

    //write the parameterized query
    $query = "INSERT INTO test_table(username, email) VALUES(?, ?)";

    //prepare the statement
    $stmt = mysqli_prepare($connect, $query);

    if ($stmt){
        //bind (the form has no "email" field; email1 holds the address, already checked against email2)
        mysqli_stmt_bind_param($stmt, 'ss', $_POST['username'], $_POST['email1']);

        //execute the query and report failure instead of continuing silently
        if (!mysqli_stmt_execute($stmt)){
            echo "Error executing statement: " . mysqli_stmt_error($stmt);
        }
        mysqli_stmt_close($stmt);

    } else{
        echo "Error creating statement object";
    }

    mysqli_close($connect);
}

?>

<!DOCTYPE html>
<html>
<head>
<title>Register</title>
</head>
<body>
<div class="header">
<h1>Register</h1>
</div>

<form method="post" action="register.php">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="username" class="textInput"></td>
</tr>
<tr>
<td>Email:</td>
<td><input type="text" name="email1" class="textInput"></td>
</tr>
<tr>
<td>Re-enter Email:</td>
<td><input type="text" name="email2" class="textInput"></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="register_btn" value="Register"></td>
</tr>
</table>
</form>
</body>
</html>


EDIT
Changed the focus of the question from proper password registration to simple data entry.

Answer

There's a lot going wrong here, but I don't mean to blame you specifically. Many of the things that make PHP popular, like its long history of support on shared hosting providers and how it's easy to pick up and get going, are also a huge liability: There's a lot of dangerously old advice out there, and many tutorials are written by people who really do not know what they're doing. It is a minefield to navigate, especially if you have never done this sort of thing before.

To side-step all of that you can use a development framework where modern PHP coding practices are on display. The best of these organize the code so that there's a very minimal amount of raw PHP code in the web root, that is, the files that are accessible to the public. Many have just one stub, index.php, which everything is routed through. All the other URLs are, in essence, faked out by routing. There's no literal file to back them up. This is good because it decouples URLs from links to files and instead turns them into abstract resources.

This is how they manage to keep the application code from leaking out: The code put in the public web root is extremely minimal by design. If your server ends up misconfigured for whatever reason and starts spewing out .php files as raw source there's no harm, all they get is the boilerplate index.php stub that comes with every application of that type. No credentials, no database configuration information, nothing.

Laravel is a good example to study; it even includes an authentication system so there's no need to code your own. The database config in this case is just a regular PHP file, but other systems use JSON, YAML, or an old-fashioned INI file.

The biggest problem here is the use of string interpolation to compose your queries. If you make a mistake, forget to escape something, you'll open up a huge SQL injection hole. From there it's possible that someone can inject arbitrary SQL code into your site, and with that, grab the whole database or worse, maybe download the application's code as well if the database is running on the same physical machine.

At the absolute least use something like PDO. Even better, use an ORM that encapsulates your database operations in a much easier to use object-oriented wrapper. Doctrine, Propel and Eloquent are all good examples of these.

The most important thing to note is that making a secure site in 2017 is not easy if you're building from the ground up using just core PHP. There are so many things to consider: CSRF, XSS, SQL injection, password hashing, email verification, password guess rate limiting, caching, database migrations, and a host of other things. Fully understanding and implementing a coherent strategy for any one of those might take months. It's beyond the scope of a single developer to realistically achieve, though I do encourage you to at least understand them on an academic level, the theory and implications of each.

PHP is lucky it has a lot of very good, well supported frameworks that come in a variety of forms. Find one you really like, learn it well, and use that for your projects. You'll be able to focus on writing code that makes your application unique instead of wasting a good chunk of that time badly re-implementing the wheel.
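The contrast the answer draws, as an added example that is neither the asker's nor the answerer's code: the interpolated query pattern it warns about beside the PDO prepared-statement form it recommends, plus server-side checks for the register.php fields. It assumes the question's test_table(username, email) and its database credentials; the validation rules are this example's own choices.

```php
<?php
// Added example, not the question's or the answer's code. Shows the query
// pattern the answer warns about beside the PDO form it recommends, plus
// server-side checks for the register.php fields. Assumes the question's
// table test_table(username, email) and its database credentials.

// UNSAFE: the values are spliced into the SQL text, so a quote character in
// either field changes what the database is asked to do.
function unsafeInsertSql(string $username, string $email): string
{
    return "INSERT INTO test_table(username, email) VALUES('$username', '$email')";
}

// SAFE: the SQL text is fixed; the values are sent separately as parameters
// and are never parsed as SQL, whatever characters they contain.
function insertUser(PDO $db, string $username, string $email): bool
{
    $stmt = $db->prepare('INSERT INTO test_table (username, email) VALUES (:username, :email)');
    return $stmt->execute([':username' => $username, ':email' => $email]);
}

// Validate the form fields on the server; the request may not come from the
// form at all. Returns the list of problems, empty when the input is acceptable.
function validateRegistration(array $post): array
{
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $post['username'] ?? '')) {
        $errors[] = 'Username must be 3-32 letters, digits or underscores.';
    }
    $email1 = trim($post['email1'] ?? '');
    if ($email1 !== trim($post['email2'] ?? '')) {
        $errors[] = 'Emails did not match.';
    } elseif (filter_var($email1, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    return $errors;
}

if (isset($_POST['register_btn'])) {
    foreach (validateRegistration($_POST) as $error) {
        exit(htmlspecialchars($error, ENT_QUOTES, 'UTF-8'));   // stop on the first problem
    }
    $pdo = new PDO('mysql:host=localhost;dbname=somedb;charset=utf8mb4', 'someUser', 'somepassword', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // fail loudly on SQL errors
        PDO::ATTR_EMULATE_PREPARES => false,           // let the MySQL server do the prepare
    ]);
    insertUser($pdo, $_POST['username'], trim($_POST['email1']));
    echo 'Registered.';
}
```

The unsafeInsertSql function is kept only to show the shape of the pattern; nothing in the script calls it.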
