
The Code - PHP

In this article we will discuss security for databases accessed through the Internet. We will also examine the issue of password management, since handling that task properly will help us make our web site and its applications more secure. This is the seventh part of an eight-part series that shows you how to build security into an application for an Internet cafe.

TABLE OF CONTENTS:
  1. Database and Password Security for Web Applications
  2. The Password Management Script
  3. The Code
  4. Code continued
By: David Web
November 03, 2008


The script first checks to see if the form has been submitted:


if(isset($_POST['key'])){


If the form has been submitted, the form data is filtered. The process of filtering starts by checking to see if the submitted form data actually contains any values:


//1. Check if form fields are filled in
if(!filledin($_POST)){
    //print "Please enter your username and email.";
    $errmsg="Please make sure that all required form fields are filled in";
    $error=true;
}


Next, the type of data is tested. We expect only string values for the name and email fields, so we check the data type with PHP's is_numeric() function, which returns true when the value it is given is a number (or a numeric string):


//check that the username and email address are strings
//(|| rather than &&: a single numeric field is already invalid)
if( is_numeric($_POST['name']) || is_numeric($_POST['email']) ){
    //print "Please enter a valid username and email address.";
    $errmsg="Please enter a valid username and email address.";
    $error=true;
}


We use regular expressions to test the format of the email address that the user entered into the form and set the appropriate error messages if the format is invalid:


//Check if email address has correct format
//(preg_match replaces the removed eregi(); dots are escaped so "." means a literal dot)
if(!preg_match("/^[a-z0-9]+[a-z0-9_-]*(\.[a-z0-9_-]+)*@[a-z0-9_-]+(\.[a-z0-9_-]+)*\.[a-z]{2,}$/i", $_POST['email'])) {
    $errmsg="Please enter a valid email address.";
    $error=true;
}


If no errors were found, the form values are copied into shorter variables:


if(!$error){
    $name=$_POST['name'];
    $em=$_POST['email'];   //the form field is named "email", as in the checks above


Then we check whether the username the user entered exists in the database. This is very important, because we will not be able to retrieve the password without this piece of information. It is also a good way to make sure that no unauthorized person gets the password:


//2. Check if entered name exists
$safe_name = mysql_real_escape_string($name);   //escape before interpolating into SQL
$query="SELECT pw FROM users WHERE uname='$safe_name'";
$result= mysql_query($query) or die(mysql_error());   //die() belongs on the query call, not on the string

if(mysql_num_rows($result)>0){
    for ($i=0; $i<mysql_num_rows($result); $i++) {
        $row = mysql_fetch_assoc($result);
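Added example, not the article's code: the same filter-then-lookup flow written as functions, with the email check done through preg_match (eregi() has been removed from PHP) and the username lookup done through a PDO prepared statement so the username can never alter the SQL. The users table and its uname/pw columns are the article's; the $pdo connection object and the signature of the filledin() helper are assumptions.

```php
<?php
// Added example (not the article's code): filter the recovery form, then look
// up the stored value for the username with a bound parameter.

// 1. Every required field present and non-empty (assumed shape of the
//    article's filledin() helper).
function filledin(array $post, array $required = ['name', 'email']): bool {
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim((string)$post[$field]) === '') {
            return false;
        }
    }
    return true;
}

// 2. Validate the submitted values; returns a list of error messages
//    (empty list means the input passed every check).
function validate_recovery_form(array $post): array {
    $errors = [];
    if (!filledin($post)) {
        $errors[] = 'Please make sure that all required form fields are filled in';
        return $errors;                      // nothing further worth checking
    }
    // One numeric field is already invalid, hence || rather than &&.
    if (is_numeric($post['name']) || is_numeric($post['email'])) {
        $errors[] = 'Please enter a valid username and email address.';
    }
    // Same pattern as the article, with literal dots escaped; /i keeps eregi's
    // case-insensitive behaviour.
    $pattern = '/^[a-z0-9]+[a-z0-9_-]*(\.[a-z0-9_-]+)*@[a-z0-9_-]+(\.[a-z0-9_-]+)*\.[a-z]{2,}$/i';
    if (!preg_match($pattern, $post['email'])) {
        $errors[] = 'Please enter a valid email address.';
    }
    return $errors;
}

// 3. Fetch the pw column for the username. The value is bound, not
//    interpolated, so quotes or SQL keywords in $name stay plain data.
//    $pdo is an assumed, already-open PDO connection.
function lookup_password(PDO $pdo, string $name): ?string {
    $stmt = $pdo->prepare('SELECT pw FROM users WHERE uname = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['pw'];   // null means: no such user
}

// How the page's script would use it after the isset($_POST['key']) check:
// $errors = validate_recovery_form($_POST);
// if (!$errors) { $pw = lookup_password($pdo, $_POST['name']); }
```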
