To start with, the script lists the steps that you need to take when working with form data. The first step is of course to validate the form data. This includes:
We can do this because we know what type of data we expect our application to be processing. We have also put some restrictions on the length of the name; in addition, we check that the value contains the right type of data. All of this is designed to ensure that any malicious user has a difficult time trying to carry out an attack.

    //validate data
    //1. Check if the name field is filled in
    //2. Check if it is the correct length
    //3. Check if it is valid, i.e. it contains only letters

The code then checks to see if the form has been submitted:

    if(isset($_POST['Submit'])){

Once the form has been submitted, the first checks are carried out. This includes checking to see if the values are empty. This is achieved by using the very useful empty() function:

    $err=FALSE;
    $error="<ul>";
    if(empty($_POST['name'])){
        $err=true;
        $error .="<li>Please enter a name.</li>";
    }

Then we check to see if the name is eight characters long:

    if((strlen($_POST['name']))< 8){
        $err=true;
        $error .="<li>Please enter a valid name.</li>";
    }

The last check is to make sure that the value actually contains only letters. We use regular expressions (the eregi() function) to check:

    // Allowed characters: letters, period, apostrophe and hyphen; 2 to 8 of them
    if(!eregi('^[[:alpha:].\'-]{2,8}$',$_POST['name'])){
        $err=TRUE;
        // Append to the list with .= so earlier messages are not overwritten
        $error .="<li>The name should only contain letters.</li>";
    }

The age of the user is put through almost the same checks. Since we are dealing with a number, one of the checks includes testing the value to see if it is actually numeric. The is_numeric() function is used for this purpose:

    if(empty($_POST['age'])){
        $err=true;
        $error .="<li>Please enter an age.</li>";
    }
    if(!is_numeric($_POST['age'])){
        $err=true;
        $error .="<li>The age that you entered is not a number. Please check and try again</li></ul>";
    }
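The same name and age checks written for current PHP, where eregi() is no longer available (it was removed in PHP 7), as an added example that is not part of the original script. validate_form() is a hypothetical helper, the 1-120 age range is an assumption, and the sample submissions are constructed.

```php
<?php
// Added example (not the tutorial's script). validate_form() and the
// 1-120 age range are assumptions made for this illustration.

function validate_form(array $post): array
{
    $errors = [];

    // Accept only strings: a request with name[]=x arrives as an array.
    $name = isset($post['name']) && is_string($post['name']) ? trim($post['name']) : '';
    $age  = isset($post['age'])  && is_string($post['age'])  ? trim($post['age'])  : '';

    if ($name === '') {
        $errors[] = 'Please enter a name.';
    } elseif (!preg_match('/\A[[:alpha:].\'-]{2,8}\z/', $name)) {
        // Same character class and length bounds as the eregi() pattern.
        // \A and \z anchor the whole string; "$" also matches before a
        // trailing newline.
        $errors[] = 'The name should only contain letters.';
    }

    if ($age === '') {
        $errors[] = 'Please enter an age.';
    } elseif (filter_var($age, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 120]]) === false) {
        // is_numeric() also accepts "1e3", "-5" and "3.14"; this accepts
        // only a plain integer inside the assumed range.
        $errors[] = 'The age that you entered is not a valid number.';
    }

    return $errors;
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['name' => 'Alice',     'age' => '30'],
    ['name' => 'Bob',       'age' => '1e3'],
    ['name' => '<b>x</b>',  'age' => '-5'],
    ['name' => ['a', 'b'],  'age' => ''],
];

foreach ($samples as $post) {
    $errors = validate_form($post);
    echo json_encode($post), ' => ', $errors ? implode(' | ', $errors) : 'OK', "\n";
}
```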