#1 msz_900

filter user password and name

Posted 22 April 2013 - 08:04 AM

Hi everyone,
I am going to filter user input data using

if(!filter_input(INPUT_POST,'$username')||!filter_input(INPUT_POST,'$password'))
{
    echo "username or password already exists....";
}
else
{
    $sql = "INSERT INTO users (Username,Password) VALUES (:username,:password)";
    $q=$dbh->prepare($sql);
    $q->execute(array(':username'=>$username,':password'=>$password));
    $count=$q->rowCount();
    echo "inserted $count rows.\n";
}


But it shows an error...
The error is that it simply shows the message
username or password already exists


If the username or password does not exist, it shows the same message?


#2 CTphpnwb

Posted 22 April 2013 - 11:32 AM

When you put a variable in single quotes PHP will not evaluate the variable but instead treat it as a string.

Look at this. It uses three different treatments and has two different results:
$x="some value";
echo '$x'."<br>".$x."<br>$x";


#3 Atli

Posted 22 April 2013 - 08:05 PM

Here is what I don't get. How does a failed filter_input() call on the "$username" or "$password" POST elements with the default filter translate to the username or password already existing? All you've checked there is that they weren't submitted properly, not that they already exist. Your logic should be:
IF input is valid:
	IF username exists:
		Print "Username already exists" error.
	ELSE:
		Create user.
ELSE:
	Print "Invalid input" error.


But all you do is this:
IF input is invalid:
	Print "Username already exists" error.
ELSE:
	Create user.



I suppose you could set up a callback filter, but that probably wouldn't be all that efficient, seeing as you have to call the filter function for each variable. You need to check them together.


Also, you seem to be storing the password in its plain-text form. That should not be done. All passwords should be either encrypted or (preferably) hashed. See Safe Password Hashing in the manual for the basics.
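Added example, not part of any post in this thread: the validate / check-exists / create flow laid out in post #3, with the field-name quoting from post #2 and password_hash() for storage. The users table, the username pattern, the 8-character minimum and the register() helper are assumptions; it reads from an array and uses in-memory SQLite (pdo_sqlite) so it runs from the PHP CLI.

```php
<?php
// Added example, not code from the thread. The users schema, the input rules
// and the register() helper are assumptions made for illustration.
function register(PDO $dbh, array $post): string
{
    // Field names are plain strings: 'username', not '$username'. In a web
    // request, filter_input(INPUT_POST, 'username', ...) reads the same field.
    $username = filter_var($post['username'] ?? null, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/\A[A-Za-z0-9_]{3,32}\z/']]);
    $password = $post['password'] ?? null;

    // Invalid input gets its own error, separate from "already exists".
    if ($username === false || !is_string($password) || strlen($password) < 8) {
        return 'Invalid input';
    }

    // Check whether the name is taken, using a bound parameter.
    $q = $dbh->prepare('SELECT 1 FROM users WHERE Username = :username');
    $q->execute([':username' => $username]);
    if ($q->fetchColumn() !== false) {
        return 'Username already exists';
    }

    // Store a salted hash, never the plain-text password.
    $q = $dbh->prepare('INSERT INTO users (Username, Password) VALUES (:username, :password)');
    try {
        $q->execute([
            ':username' => $username,
            ':password' => password_hash($password, PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: the PRIMARY KEY constraint caught a race past the check.
        if ($e->getCode() != '23000') { throw $e; }
        return 'Username already exists';
    }
    return 'Created user';
}

// Constructed sample run against an in-memory SQLite database.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT NOT NULL)');
echo register($dbh, ['username' => 'alice', 'password' => 'correct horse']), "\n";
echo register($dbh, ['username' => 'alice', 'password' => 'another pass']), "\n";
echo register($dbh, ['username' => 'al', 'password' => 'short']), "\n";
$hash = $dbh->query('SELECT Password FROM users')->fetchColumn();
var_dump(password_verify('correct horse', $hash));
```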
