User Management Explained: Overview (Page 1 of 4)
In this article we will look at how to create a secure user management module. No user authentication or user management script can ever be one hundred percent secure, but we can try to use the tools that are available to us to their maximum, and thereby make it difficult for malicious users to hack our scripts. Among the topics that we will be looking at are:
Data Validation
You’ve probably heard a lot about data validation if you’ve been developing websites for a while. Basically, data validation means making sure that the data is what you expect it to be. Most of the data that enters an application comes through an HTML form, and that data is usually typed in by a user.
Most websites take some kind of user input, and contrary to popular belief, this data is not always accurate and can be downright dangerous to your website and application. For this reason you should not trust any data that comes from outside your application; instead you should make provisions for it by validating every field, rejecting "faulty" input with a clear error message, and escaping any value you echo back into the page. For example, take a look at the following form:
<?php
// Validate the submitted data:
// 1. Check that the name field is filled in
// 2. Check that it is a sensible length
// 3. Check that it is valid, i.e. it contains only letters (plus . ' and -)
// 4. Check that the age is filled in and is a whole number
if (isset($_POST['Submit'])) {
    $err   = false;
    $items = '';
    // Treat a missing field and a blank field the same way, and drop stray whitespace
    $name = isset($_POST['name']) ? trim($_POST['name']) : '';
    $age  = isset($_POST['age'])  ? trim($_POST['age'])  : '';

    if ($name === '') {
        $err = true;
        $items .= "<li>Please enter a name.</li>";
    } elseif (strlen($name) < 2 || strlen($name) > 40) {
        $err = true;
        $items .= "<li>Please enter a valid name (2 to 40 characters).</li>";
    } elseif (!preg_match('/^[[:alpha:].\'-]{2,40}$/', $name)) {
        // eregi() was removed in PHP 7; preg_match() with the same character class does the job
        $err = true;
        $items .= "<li>The name should only contain letters.</li>";
    }

    if ($age === '') {
        $err = true;
        $items .= "<li>Please enter an age.</li>";
    } elseif (!ctype_digit($age)) {
        // is_numeric() also accepts "1e3", " 5" and "12.5"; an age must be a whole number
        $err = true;
        $items .= "<li>The age that you entered is not a number. Please check and try again.</li>";
    }

    // Only define $error when something actually failed, so a valid
    // submission does not display an empty error list
    if ($err) {
        $error = "<ul>" . $items . "</ul>";
    }
} // end submit
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
<style type="text/css">
<!--
.style2 {font-size: 36px}
-->
</style>
</head>
<body>
<form id="form1" name="form1" method="post" action="form.php">
<table width="100%" border="1">
<tr>
<td colspan="2"><?php
if(isset($error)){
echo "<b>The following errors occurred:</b><br />".$error;
}
?></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td colspan="2"><span class="style2">Please enter your name and age below: </span></td>
</tr>
<tr>
<td width="9%"> </td>
<td width="91%"> </td>
</tr>
<tr>
<td><strong>Name:</strong></td>
<td><label>
<input name="name" type="text" id="name" size="40" value="<?php
if(isset($_POST['name'])){
// escape the value before echoing user input back into the page
echo htmlspecialchars($_POST['name'], ENT_QUOTES, 'ISO-8859-1');
}?>"/>
</label></td>
</tr>
<tr>
<td><strong>Age:</strong></td>
<td><label>
<input name="age" type="text" id="age" size="40" value="<?php
if(isset($_POST['age'])){
// escape the value before echoing user input back into the page
echo htmlspecialchars($_POST['age'], ENT_QUOTES, 'ISO-8859-1');
}?>"/>
</label></td>
</tr>
<tr>
<td> </td>
<td><label>
<input type="submit" name="Submit" value="Submit" />
</label></td>
</tr>
</table>
</form>
</body>
</html>
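The checks in the form above are tied to one page. As an added example (not code from the original article), the same rules can be pulled into a reusable validator that returns a list of error messages and can be exercised from the command line against a few constructed submissions, including a hostile one. The function names `validate_registration()` and `h()`, the 1 to 120 age range, and the sample inputs are my own assumptions; the example also shows why `filter_var()` with `FILTER_VALIDATE_INT` is a safer whole-number check than `is_numeric()`.

```php
<?php
// Added example, not part of the original article. Run with: php validate_demo.php
// Function names, the age range and the sample submissions are assumptions.

/**
 * Validate the raw form data and return an array of error messages.
 * An empty array means every field passed.
 */
function validate_registration(array $post)
{
    $errors = array();

    // Treat missing and blank fields the same way, and drop stray whitespace.
    $name = isset($post['name']) ? trim((string) $post['name']) : '';
    $age  = isset($post['age'])  ? trim((string) $post['age'])  : '';

    // Name: a whitelist of letters plus . ' and -, 2 to 40 characters.
    // Anything outside the whitelist (digits, < >, quotes, NUL bytes...) is
    // rejected, which is safer than trying to enumerate "bad" characters.
    if ($name === '') {
        $errors[] = 'Please enter a name.';
    } elseif (!preg_match('/^[[:alpha:].\'-]{2,40}$/', $name)) {
        $errors[] = 'The name must be 2 to 40 characters and contain only letters.';
    }

    // Age: a whole number in a plausible range. FILTER_VALIDATE_INT rejects
    // "1e3", " 5", "0x1A" and "12.5", all of which is_numeric() accepts.
    if ($age === '') {
        $errors[] = 'Please enter an age.';
    } elseif (filter_var($age, FILTER_VALIDATE_INT,
                  array('options' => array('min_range' => 1, 'max_range' => 120))) === false) {
        $errors[] = 'The age must be a whole number between 1 and 120.';
    }

    return $errors;
}

/** Escape a value before putting it back into HTML (e.g. a value="" attribute). */
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions: one good, several that should fail.
$samples = array(
    'good'      => array('name' => "O'Neil", 'age' => '42'),
    'xss'       => array('name' => '<script>alert(1)</script>', 'age' => '42'),
    'float age' => array('name' => 'Alice', 'age' => '12.5'),
    'exp age'   => array('name' => 'Alice', 'age' => '1e3'),
    'missing'   => array('name' => '', 'age' => ''),
);

foreach ($samples as $label => $post) {
    $errors = validate_registration($post);
    echo str_pad($label, 10) . ': ' . (empty($errors) ? 'OK' : implode(' | ', $errors)) . "\n";
}

// Rejected input is usually echoed back into the form so the user can correct
// it; escape it first, otherwise the script tag above would execute.
echo 'Echoed back safely: value="' . h($samples['xss']['name']) . "\"\n";
```

Keeping validation and escaping in two separate functions matters: validation decides whether the data is acceptable at all, while escaping protects the page whenever a value, accepted or not, is written back into HTML. Both are needed, because a name that fails validation is still displayed to the user in the error case.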