added validation on a server side and improved validation for front

admin/atask/add.php

@@ -1,6 +1,7 @@
 
 <?php
 require("../../tasks/passw.php");
+require("../../tasks/validate.php");
 session_start();
 if(!isset($_SESSION["aid"]))
 {
@@ -13,6 +14,12 @@
   $uemail=htmlspecialchars($_POST["email"], ENT_QUOTES, 'UTF-8');
   $upass=$_POST["password"];
 
+     //validate
+     if(!(validateEmail($uemail) && validatePass($upass)))
+     {
+         exit("Invalid input detected!");
+     }
+
      //check token 
      if(isset($_SESSION["c-token"]) && isset($_POST["csrf-token"]))
      {
@@ -126,7 +133,7 @@
     <label>email</label><br>
     <input type="email" name="email" required><br>
     <label>password</label><br>
-    <input type="password" name="password" required>
+    <input type="password" name="password" required pattern=".{8,}" title="Minimum 8 digit">
     <input type="text" name="csrf-token" value="<?php echo $tok; ?>" hidden>
     <input class="addbutton" type="submit" value="add">
     </form>

admin/atask/setting.php

@@ -2,6 +2,7 @@
 <?php  
 session_start();
 require("../../tasks/passw.php");
+require("../../tasks/validate.php");
 if(!isset($_SESSION["aid"]))
 {
 	header("location:../adminlogin.html");
@@ -23,12 +24,14 @@
 	{
 	$echanged=true;
 	$newemail=htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8');
+	$valide=validateEmail($newemail);
 	} 
 	//is pass ^^
 	if(isset($_POST['password']) && $_POST['password']!="")
 	{
 	$pchanged=true;
 	$newpass=$_POST['password'];
+	$strongpass=validatePass($newpass);
 	$newpass=hashPass($newpass,$_SESSION["salt"]);
 	} 
 	if(isset($_POST['oldpass']) && $_POST['oldpass']!="")
@@ -41,7 +44,7 @@
 $id=$_SESSION["aid"];
 $rpass = $_SESSION["password"];  //actual pass
 
-if ($pchanged && $oldpass == $rpass) {
+if ($pchanged && $oldpass == $rpass && $oldpass!=$newpass && $strongpass) {
     // change the password 
     $q = "UPDATE admin SET password=? WHERE admin_id=?";
     $stmt = mysqli_prepare($dbcon, $q);
@@ -55,7 +58,14 @@
     echo "incorrect attempt! <br>";
 }  
 
-if ($echanged && $oldpass == $rpass) {
+if(isset($strongpass) && !$strongpass)
+{
+	echo "weak password!";
+} else if (isset($valide) && !$valide) {
+  echo "Invalid input detected, please try again!";
+}
+
+if ($echanged && $oldpass == $rpass && $valide) {
     $q = "UPDATE admin SET email=? WHERE admin_id=?";
     $stmt = mysqli_prepare($dbcon, $q);
     mysqli_stmt_bind_param($stmt, "si", $newemail, $id);
@@ -106,7 +116,7 @@
 		<label >email</label><br>
     <input type="email" name="email"  placeholder="unchanged"><br>
 	<label >new password</label><br>
-	<input type="password" name="password" placeholder="unchanged"><br>
+	<input type="password" name="password" placeholder="unchanged" pattern=".{8,}" title="minimum of 8 digits"><br>
 	<label >old password</label><br>
 	<input type="password" name="oldpass" required title="old password required to save changes" ><br>
 	<input type="submit" id="submitb" value="save changes">

admin/login.php

@@ -2,7 +2,10 @@
 include("../tasks/condb.php");
 include("../tasks/passw.php");
 if(!isset($_POST["email"]))
-header("location:adminlogin.html");
+{
+  header("location:adminlogin.html");
+  exit();
+}
 //handle the form 
 $uemail=$_POST["email"];
 $upass=$_POST["password"];

index.PHP

@@ -3,12 +3,13 @@ session_start();
 if(isset($_SESSION["id"]))
 {
 	header("location:user/home.php");
+	exit();
 }
 
  if(isset($_SESSION["aid"]))
  {
 	 header("location:admin/home.php");
-
+	 exit();
  }
 ?>
 

login.php

@@ -3,6 +3,7 @@
 if(isset($_SESSION["id"]))
 {
 	header("location:user/home.php");
+  exit();
 }
 
 require("tasks/condb.php");

signup.html

@@ -32,9 +32,9 @@
 
 				<label id="info">please fill the form carefully</label><br>
 				<label for="na">first name</label><br>
-				<input type="name" name="fname" id="na" autofocus required><br>
+				<input type="text" name="fname" id="na" autofocus required><br>
 				<label for="na">last name</label><br>
-				<input type="name" name="lname" id="na" required><br>
+				<input type="text" name="lname" id="na" required><br>
 				<label for="em">email</label><br>
 				<input type="email" name="email" id="em" required><br>
 				<label for="pw">password</label><br>

signup.php

@@ -1,6 +1,7 @@
 <?php
 include("tasks/condb.php");
 include("tasks/passw.php");
+include("tasks/validate.php");
 //handle the form 
 $uemail=htmlspecialchars($_POST["email"], ENT_QUOTES, 'UTF-8');
 $upass=$_POST["password"];
@@ -21,6 +22,13 @@
 $uelevel=mysqli_real_escape_string($dbcon,$uelevel);
 $ucity=mysqli_real_escape_string($dbcon,$ucity);
 
+//validate 
+if(!validateSignup($uemail,$upass,$ufname,$ulname,$ugender,$ubdate,$ucity))
+{
+    echo("<p style='color:red;text-align:center;font-size:20px;'>invalid input detected please re-enter the form correctly! </p>");
+    require("signup.html");
+    exit();
+}
 
 $lseen=date("Y/m/d/H/i/s");
 //using mysql now() 2nd alt 

tasks/validate.php

@@ -14,12 +14,12 @@ function validateText($text)
 
 function validateDate($date)
 {
-    echo boolval(strtotime($date));
+    return boolval(strtotime($date));
 }
 
 function validateGender($gender)
 {
-    if ($gender == "male" || $gender == "female")
+    if ($gender == "male" || $gender == "female" || $gender == "other")
         return true;
     else
         return false;

user/home.php

@@ -4,6 +4,7 @@
 if(!isset($_SESSION["id"]))
 {
 	header("location:../login.html");
+	exit();
 }
 ?> 
 

user/profile.php

@@ -4,6 +4,7 @@
 if(!isset($_SESSION["id"]))
 {
 	header("location:../login.html");
+	die();
 }
 ?> 
 

user/setting.php

@@ -1,76 +1,86 @@
 <?php
 require("../tasks/condb.php");
 require("../tasks/passw.php");
+require("../tasks/validate.php");
 session_start();
-if(!isset($_SESSION["id"]))
-{
-	header("location:../login.html");
+if (!isset($_SESSION["id"])) {
+  header("location:../login.html");
+  exit();
 }
 
 
 
-if(isset($_POST["ch-info"]))
-{
-   $fname=htmlspecialchars($_POST["fname"],ENT_QUOTES,"UTF-8");
-   $lname=htmlspecialchars($_POST["lname"],ENT_QUOTES,"UTF-8");
-   $email=htmlspecialchars($_POST["email"],ENT_QUOTES,"UTF-8");
-   $city=htmlspecialchars($_POST["city"],ENT_QUOTES,"UTF-8");
-   $id=$_SESSION["id"];
-
-    //check token 
-    if(isset($_SESSION["c-token"]) && isset($_POST["csrf-token"]))
-    {
-      $tok=$_POST["csrf-token"];
-      if($_SESSION["c-token"]!=$tok)
-      {
-        exit("action denied!");
-      }
-    } else {
-        exit("action denied!");
+if (isset($_POST["ch-info"])) {
+  $fname = htmlspecialchars($_POST["fname"], ENT_QUOTES, "UTF-8");
+  $lname = htmlspecialchars($_POST["lname"], ENT_QUOTES, "UTF-8");
+  $email = htmlspecialchars($_POST["email"], ENT_QUOTES, "UTF-8");
+  $city = htmlspecialchars($_POST["city"], ENT_QUOTES, "UTF-8");
+  $id = $_SESSION["id"];
+
+  //validate
+  if (!validateUserInfo($email, $fname, $lname, $city)) {
+    echo "Invalid input detected please fill the form correctly";
+    require("setting.html");
+    $fn = $_SESSION["fname"];
+    $ln = $_SESSION["lname"];
+    $email = $_SESSION["email"];
+    $city = $_SESSION["city"];
+    echo "<script> fill('$fn','$ln','$email','$city')</script>";
+    $tok = $_SESSION["c-token"] = generateSalt();
+    echo "<script>setToken('$tok')</script>";
+    exit();
+  }
+
+  //check token 
+  if (isset($_SESSION["c-token"]) && isset($_POST["csrf-token"])) {
+    $tok = $_POST["csrf-token"];
+    if ($_SESSION["c-token"] != $tok) {
+      exit("action denied!");
     }
-
-
-   //no validation from server side 
-   $query="update users set fname=?,lname=?,email=?,city=? where id=?";
-   $st=$dbcon->prepare($query);
-   $st->bind_param("sssss",$fname,$lname,$email,$city,$id);
-   $st->execute();
-   $_SESSION["fname"]=$fname;
-   $_SESSION["lname"]=$lname;
-   $_SESSION["email"]=$email;
-   $_SESSION["city "]=$city;
-   echo "your info changed!";
+  } else {
+    exit("action denied!");
+  }
+
+
+  $query = "update users set fname=?,lname=?,email=?,city=? where id=?";
+  $st = $dbcon->prepare($query);
+  $st->bind_param("sssss", $fname, $lname, $email, $city, $id);
+  $st->execute();
+  $_SESSION["fname"] = $fname;
+  $_SESSION["lname"] = $lname;
+  $_SESSION["email"] = $email;
+  $_SESSION["city "] = $city;
+  echo "your info changed!";
 }
 
 
 
-if(isset($_POST["ch-pass"]))
-{
-  $cpass=hashPass($_POST["cpass"],$_SESSION["salt"]);
-  $newpass=hashPass($_POST["newpass"],$_SESSION["salt"]);
-  $oldpass=hashPass($_POST["oldpass"],$_SESSION["salt"]);
- if($oldpass==$_SESSION["password"] && $newpass==$cpass && $oldpass!=$newpass)
- {
- //hange 
-$id=$_SESSION["id"];
-$query="update users set password=? where id=$id";
-$st=$dbcon->prepare($query);
-$st->bind_param("s",$newpass);
-$st->execute();
-$_SESSION["password"]=$newpass;
-echo "password changed successfully!";
-} else {
-  echo "something want wrong. please try again!";
-}
+if (isset($_POST["ch-pass"])) {
+  $strong_pass=validatePass($_POST["newpass"]);
+  $cpass = hashPass($_POST["cpass"], $_SESSION["salt"]);
+  $newpass = hashPass($_POST["newpass"], $_SESSION["salt"]);
+  $oldpass = hashPass($_POST["oldpass"], $_SESSION["salt"]);
+  if ($oldpass == $_SESSION["password"] && $newpass == $cpass && $oldpass != $newpass && $strong_pass) {
+    //hange 
+    $id = $_SESSION["id"];
+    $query = "update users set password=? where id=$id";
+    $st = $dbcon->prepare($query);
+    $st->bind_param("s", $newpass);
+    $st->execute();
+    $_SESSION["password"] = $newpass;
+    echo "password changed successfully!";
+  } else {
+    echo "something want wrong. please don't forget to insert minimum 8 character!";
+  }
 }
 
 require("setting.html");
-$fn=$_SESSION["fname"];
-$ln=$_SESSION["lname"];
-$email=$_SESSION["email"];
-$city=$_SESSION["city"];
+$fn = $_SESSION["fname"];
+$ln = $_SESSION["lname"];
+$email = $_SESSION["email"];
+$city = $_SESSION["city"];
 echo "<script> fill('$fn','$ln','$email','$city')</script>";
-$tok=$_SESSION["c-token"]=generateSalt();
+$tok = $_SESSION["c-token"] = generateSalt();
 echo "<script>setToken('$tok')</script>";
 $dbcon->close();