Edit1: Edited in response to Corbin's feedback
Thisthis is an update of my user registration code. This is continuation and implementation of feedback found in this thread: Previous codereview post.
I would love some feedback!! Just began to use the PDO object, I'm not sure if I'mi'm using it efficiently.
Are there any security issues? Is the myEncrypt"myEncrypt" function suitable enough or still a bit lacking?
initialise.php 'initialise.php' which is:
try {
$db = new PDO("mysql:host=$db_hostname;dbname=$db_database", $db_username, $db_password) or ;
die}
catch(PDOException $e);
{
echo "Failed to connect to server";
}
function myEncrypt($password){
$i = "$password"."$salt1";
$hash1 = md5($i);
$j = "$salt2"."$hash1";
$hash2 = md5($j);
return $hash2;
}
Registration.php 'Registration.php':
<?
require 'topmenu'initialise.php';
//View - Leaving this as is for now. Haven't learnt css/html in depth yet.
echo <<<_REGFORM
<form align=center action="registration.php" method ="post"><pre>
Register an account:
Username <input type="text" name="regusername"/>
Password <input type="password" name="regpassword"/>
Retype Password <input type="password" name ="checkregpassword"/>
<input type="submit" value="Register"/>
</pre></form>
_REGFORM;
//Checks inputs for length requirements, if two passwords are the same, if filter was successful
if ($_SERVER['REQUEST_METHOD'] === "POST") {
$usernamecleanfilter_input(INPUT_POST, =$_POST, mysql_escape_string($_POST['regusername']FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
$reg_password$usernameclean = mysql_escape_string($_POST['regpassword']);$_POST['regusername'];
$reg_checkpassword$password = mysql_escape_string($_POST['checkregpassword']);$_POST['regpassword'];
$checkpassword = $_POST['checkregpassword'];
if (isset($usernameclean$username, $reg_password$password, $reg_checkpassword$checkpassword))
{
if (strlen($usernameclean$username) < 5) {
$errors['username'][] = "Usernames must be at least 5 characters in length.";
}
if (strlen($usernameclean$username) > 32) {
$errors['username'][] = "Usernames have a maximum limit of 32 characters.";
}
if (strlen($reg_password$password) < 5) {
$errors['password'][] = "Passwords must be at least 5 characters in length.";
}
if ($reg_password$password <> $reg_checkpassword$checkpassword) {
$errors['password'][] = "Your passwords must be the same.";
}
}
else
{
$errors['values'][] = "Please fill out all the fields.";
}
if (!count($errors)) {
$hashedpassword = myEncrypt($reg_password$password); //function defined in initialise.php
$checkUsername_query = "SELECT user_id FROM users WHERE username='$usernameclean'";
$checkUsername_result = $db->query($checkUsername_query)->fetch();
if (!$checkUsername_result)
{
//SETS UP USER ACCOUNTS, DEFINES 5 FILE SLOTS
try {
$db->beginTransaction();
$createUser_query = "INSERT INTO users(username,password) VALUES('$usernameclean','$hashedpassword')";
$createUser_result = $db->exec($createUser_query);
$getuserid_query = "SELECT user_id FROM users WHERE username='$usernameclean'";
$getuserid = $db->query($getuserid_query);
$user_id = $getuserid->fetch();
//ASSIGNS 5 File slots into "files" (File-information)
for ($i = 1; $i <= 5; $i++) {
$assignfileslots = "INSERT INTO files(user_id) VALUES('$user_id[0]')";
$db->exec($assignfileslots);
}
$db->commit();
echo "Thanks " . htmlspecialchars($usernameclean) . ", your account has been created! Please login.<br/>";
} catch (PDOException $e)
{
$db->rollback();
$errors['database'][] =echo "You"Your account could not be created., Pleaseplease try again later.";
}
} else
{
$errors['username'][] = "Your usernameecho is"Username taken.Unavailable, Pleaseplease entertry another."; username";
}
}
if (count($errors)) {
echo '<ul>';
foreach ($errors as $elements => $errs) {
foreach ($errs as $err) {
echo '<li>' . htmlspecialchars($err) . '</li>';
}
}
echo '<ul>';
}
}
?>
