Add XSS prevention to createaccount.php, clean up some code
StevenElberger committed Feb 14, 2015
1 parent 770c02a commit 472776c
Showing 2 changed files with 29 additions and 6 deletions.
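--- a/createaccount.php
+++ b/createaccount.php
@@ -15,18 +15,41 @@
 }
 
 // Remove after debug
-echo "Connected successfully";
+echo "<p>Connected successfully</p>";
+
+// Placeholders for variables from form
+$username = $password = $first_name = $last_name = $company = $phone = "";
+
+// Prevent XSS hacks / exploits by stripping the data
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+$username = test_input($_POST["username"]);
+$password = test_input($_POST["password"]);
+$first_name = test_input($_POST["first_name"]);
+$last_name = test_input($_POST["last_name"]);
+$company = test_input($_POST["company"]);
+$phone = test_input($_POST["phone"]);
+}
+
+// Removes unwanted and potentially malicious characters
+// from the form data
+function test_input($data) {
+$data = trim($data);
+$data = stripslashes($data);
+$data = htmlspecialchars($data);
+return $data;
+}
+
 // Adds a new user account with form data into the physician table of the database
-// -- To do: form checking (e.g., username already exists, etc.)
-$sql = "INSERT INTO physician (group_id, username, password, first_name, last_name, company, phone) VALUES (1, '".$_POST['username']."', '".$_POST['password']."', '".$_POST['firstN']."', '".$_POST['lastN']."', '".$_POST['company']."', '".$_POST['phone']."')";
+// -- To do: form checking (e.g., username already exists, security, etc.)
+$sql = "INSERT INTO physician (group_id, username, password, first_name, last_name, company, phone) VALUES (1, '".$username."', '".$password."', '".$first_name."', '".$last_name."', '".$company."', '".$phone."')";
 
 // Probably keep even after debug
 if ($conn->query($sql) === TRUE) {
-echo "Account created successfully.";
+echo "<p>Account created successfully.</p>";
 } else {
 echo "Error: " . $sql . "<br />" . $conn->error;
 }
 
 // Peace out
 $conn->close();
 ?>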
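Review bot: The new `$sql` assignment in this hunk still builds the INSERT by string concatenation, so the cleaning done in test_input() does not close the SQL injection the replaced line had — htmlspecialchars() leaves single quotes untouched unless ENT_QUOTES is passed (not the default before PHP 8.1), and stripslashes() strips any escaping that was present. Since `$conn->query()` and `$conn->error` suggest a mysqli connection, the query should be a prepared statement with bound parameters, and HTML escaping belongs at output time rather than before the value is stored. The same line also stores the password exactly as submitted; hashing it with password_hash() before the insert, and dropping the `$sql` text from the error echo so the query and password do not reach the browser, would complete the change. Note too that the insert runs on a GET request as well, when all six variables are still empty strings. A rewritten insert is below.
```php
// … unchanged: connection setup, test_input() and the POST handling …
$password_hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $conn->prepare('INSERT INTO physician (group_id, username, password, first_name, last_name, company, phone) VALUES (1, ?, ?, ?, ?, ?, ?)');
$stmt->bind_param('ssssss', $username, $password_hash, $first_name, $last_name, $company, $phone);
if ($stmt->execute()) {
    echo "<p>Account created successfully.</p>";
} else {
    echo "Error: " . $stmt->error;
}
$stmt->close();
// … unchanged: $conn->close() …
```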
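--- a/newaccount.html
+++ b/newaccount.html
@@ -7,8 +7,8 @@
 <body>
 <h1>HealthMate Physician Login</h1>
 <form action="createaccount.php" method="post">
-<p>First name: <input type="text" name="firstN" size="16" maxlength="16" /></p>
-<p>Last name: <input type="text" name="lastN" size="16" maxlength="16" /></p>
+<p>First name: <input type="text" name="first_name" size="16" maxlength="16" /></p>
+<p>Last name: <input type="text" name="last_name" size="16" maxlength="16" /></p>
 <p>Username: <input type="text" name="username" size="16" maxlength="16" /></p>
 <p>Password: <input type="password" name="password" size="16" maxlength="16" /></p>
 <p>Confirm Password: <input type="password" name="confirm" size="16" maxlength="16" /></p>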
