
Commit 472776c

Add XSS prevention to createaccount.php, clean up some code
1 parent 770c02a commit 472776c


2 files changed

+29
-6
lines changed


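--- a/createaccount.php
+++ b/createaccount.php
@@ -15,18 +15,41 @@
 }
 
 // Remove after debug
-echo "Connected successfully";
+echo "<p>Connected successfully</p>";
+
+// Placeholders for variables from form
+$username = $password = $first_name = $last_name = $company = $phone = "";
+
+// Prevent XSS hacks / exploits by stripping the data
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+$username = test_input($_POST["username"]);
+$password = test_input($_POST["password"]);
+$first_name = test_input($_POST["first_name"]);
+$last_name = test_input($_POST["last_name"]);
+$company = test_input($_POST["company"]);
+$phone = test_input($_POST["phone"]);
+}
+
+// Removes unwanted and potentially malicious characters
+// from the form data
+function test_input($data) {
+$data = trim($data);
+$data = stripslashes($data);
+$data = htmlspecialchars($data);
+return $data;
+}
 
 // Adds a new user account with form data into the physician table of the database
-// -- To do: form checking (e.g., username already exists, etc.)
-$sql = "INSERT INTO physician (group_id, username, password, first_name, last_name, company, phone) VALUES (1, '".$_POST['username']."', '".$_POST['password']."', '".$_POST['firstN']."', '".$_POST['lastN']."', '".$_POST['company']."', '".$_POST['phone']."')";
+// -- To do: form checking (e.g., username already exists, security, etc.)
+$sql = "INSERT INTO physician (group_id, username, password, first_name, last_name, company, phone) VALUES (1, '".$username."', '".$password."', '".$first_name."', '".$last_name."', '".$company."', '".$phone."')";
 
 // Probably keep even after debug
 if ($conn->query($sql) === TRUE) {
-echo "Account created successfully.";
+echo "<p>Account created successfully.</p>";
 } else {
 echo "Error: " . $sql . "<br />" . $conn->error;
 }
 
+// Peace out
 $conn->close();
 ?>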
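Review bot: The `$sql` on new line 44 still concatenates the form values into the INSERT, so the `htmlspecialchars()` added in test_input does not address SQL injection — it escapes for an HTML output context, and the preceding `stripslashes()` removes exactly the backslashes a driver-side escape would depend on. The values should be bound through `$conn->prepare()` / `bind_param()` instead, and the password should be stored with `password_hash()` rather than as the submitted plaintext. The `else` branch on new line 50 also echoes `$sql` and `$conn->error` to the browser, which discloses the table layout and the submitted values; log that server-side and show a generic message. Encoding at input time is the wrong layer as well — it stores `&amp;`-style entities in the table — so `htmlspecialchars()` belongs at the point of output, and the `$_POST` reads should use `?? ''` so a missing field does not raise an undefined-index warning.
```php
// … unchanged: connection setup, form variable placeholders, test_input() …
$sql = "INSERT INTO physician (group_id, username, password, first_name, last_name, company, phone) VALUES (1, ?, ?, ?, ?, ?, ?)";
$stmt = $conn->prepare($sql);
if ($stmt === false) {
    error_log("createaccount: prepare failed: " . $conn->error);
    echo "<p>Error: could not create account.</p>";
} else {
    $password_hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt->bind_param("ssssss", $username, $password_hash, $first_name, $last_name, $company, $phone);
    if ($stmt->execute()) {
        echo "<p>Account created successfully.</p>";
    } else {
        error_log("createaccount: insert failed: " . $stmt->error);
        echo "<p>Error: could not create account.</p>";
    }
    $stmt->close();
}
// … unchanged: $conn->close() …
```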

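--- a/newaccount.html
+++ b/newaccount.html
@@ -7,8 +7,8 @@
 <body>
 <h1>HealthMate Physician Login</h1>
 <form action="createaccount.php" method="post">
-<p>First name: <input type="text" name="firstN" size="16" maxlength="16" /></p>
-<p>Last name: <input type="text" name="lastN" size="16" maxlength="16" /></p>
+<p>First name: <input type="text" name="first_name" size="16" maxlength="16" /></p>
+<p>Last name: <input type="text" name="last_name" size="16" maxlength="16" /></p>
 <p>Username: <input type="text" name="username" size="16" maxlength="16" /></p>
 <p>Password: <input type="password" name="password" size="16" maxlength="16" /></p>
 <p>Confirm Password: <input type="password" name="confirm" size="16" maxlength="16" /></p>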
