sanitize inpu

976462b2 · sopham · a38ee877 · a38ee877 · 976462b2 · 976462b2
Commit 976462b2 authored May 14, 2019 by sopham
Showing with 13 additions and 49 deletions
authentication.php
insert.php
login_page.php
--- a/authentication.php
+++ b/authentication.php
-<?php
-session_start();
-
-//include the database connection data
-require_once "dbconnection.php";
-
-//make the query
-if ($stmt = $link->prepare('SELECT ID,password FROM users WHERE username= ?')) {
-  
-  //bind user input to query
-  $stmt->bind_param('s', $_POST['username']);
-  
-  //execute query
-  $stmt->execute();
-
-  //transfer a result set from last query
-  $stmt->store_result();
-  
-  if ($stmt->num_rows > 0) {
-
-    //bind variables to a prepared statement for result storage
-    $stmt->bind_result($id, $password);
-
-    //fetch results from the prepared statement to bound variables
-    $stmt->fetch();
-
-    //if password is correct, establish session
-    if ($_POST['password'] ===  $password) {
-      session_regenerate_id();
-      $_SESSION['loggedin'] = TRUE;
-      $_SESSION['name'] = $_POST['username'];
-      $_SESSION['id'] = $id;
-      header('Location:index.php');
-    } else {
-      echo "Incorrect password";
-    }    
-  }
-  else echo 'Incorrect username';
-  //close the statement
-  $stmt->close();
-}
-
-//close the connection
-$link->close();
-?>
--- a/insert.php
+++ b/insert.php
@@ -4,6 +4,10 @@ session_start();
 //include database connection data
 include_once "dbconnection.php";

+//sanitize user input
+include_once "sanitize.php";
+$task = sanitizeInputVar($link, $_POST['task']);
+
 //make the query
 $query = "INSERT INTO toDoList (task, userID) VALUES (?,?) ";

@@ -11,7 +15,7 @@ $query = "INSERT INTO toDoList (task, userID) VALUES (?,?) ";
 $query = $link->prepare($query);

 //bind variables to the prepared query
-$query -> bind_param('si', $_POST['task'], $_SESSION['id']);
+$query -> bind_param('si', $task, $_SESSION['id']);

 //execute the query
 $query -> execute();

--- a/login_page.php
+++ b/login_page.php
@@ -7,13 +7,18 @@ require_once "dbconnection.php";
 //define error variable
 $err = "";

+//sanitize user input
+include_once "sanitize.php";
+$username = sanitizeInputVar($link, $_POST['username']);
+$pass = sanitizeInputVar($link, $_POST['password']);
+
 if($_SERVER["REQUEST_METHOD"] == "POST") {

 //make the query
 if ($stmt = $link->prepare('SELECT ID,password FROM users WHERE username= ?')) {
  
  //bind user input to query
-  $stmt->bind_param('s', trim($_POST['username']));
+  $stmt->bind_param('s', trim($username));
  
  //execute query
  if($stmt->execute()){
@@ -31,10 +36,10 @@ if ($stmt = $link->prepare('SELECT ID,password FROM users WHERE username= ?')) {
      $stmt->fetch();

      //if password is correct, establish session
-      if (trim($_POST['password']) ===  $password) {
+      if (trim($pass) ===  $password) {
        session_regenerate_id();
        $_SESSION['loggedin'] = TRUE;
-        $_SESSION['name'] = $_POST['username'];
+        $_SESSION['name'] = $username;
        $_SESSION['id'] = $id;
        header('Location:index.php');
      } else {