 

Is it advisable to clean password input too? [duplicate]

Tags:

security

php

pdo

I clean the username input like so:

function clean($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

I am using prepared statements in PDO format and hashing the passwords, so is it still advisable to also clean password input?

Below is the code. Beware, it is unfinished as of this very moment and also very messy.

<?php
  // start session
  session_start();
?>
<!DOCTYPE html>
<head>
  <link href='css/verify-id.css' rel='stylesheet'>
</head>
<body>
<?php
function clean($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {

  // set or enter password
  if (isset($_POST['password']) && empty($_POST['password'])) {

    $error    = 'A password is required.';
    $identity = '';
    $tip      = '';
    $prompt   = '';

  } else if (isset($_POST['password']) && !empty($_POST['password'])) {
    //echo '<br>SESSION idPersist<br>'.$_SESSION['idPersist'];
    //echo '<br><br>POST password<br>'.$_POST['password'];

    // the password exactly as submitted, not cleaned: it is only ever handed to
    // password_verify()/password_hash(), never interpolated into SQL or HTML
    $password  = $_POST['password'];
    $idPersist = $_SESSION['idPersist'];

    include 'include/database-connection.php';

    if ($_SESSION['prompt'] === 'Enter Password') {
      //echo '<br><br>SESSION prompt is Enter Password';

      // compare password: execute the prepared statement (not $conn->exec($sql),
      // which would send the raw SQL with :id left unbound) and verify the hash
      $sql  = 'SELECT pass FROM guests WHERE id = :id';
      $stmt = $conn->prepare($sql);
      $stmt->bindParam(':id', $idPersist);
      $stmt->execute();
      $row  = $stmt->fetch(PDO::FETCH_ASSOC);
      if (!$row || !password_verify($password, $row['pass'])) {
        $error = 'Incorrect password.';
      }

    } else if ($_SESSION['prompt'] === 'Set Password') {
      echo '<br><br>SESSION prompt is Set Password';
    /*
      // set password: update the existing guest's row with a hash of the
      // submitted password (the earlier draft INSERTed a new row instead)
      $sql  = 'UPDATE guests SET pass = :password WHERE id = :id';
      $stmt = $conn->prepare($sql);
      $hash = password_hash($password, PASSWORD_DEFAULT);
      $stmt->bindParam(':password', $hash);
      $stmt->bindParam(':id', $idPersist);
      $stmt->execute();
    */
    }

    $conn = null;

    /*
    $error    = '';
    $identity = '';
    $tip      = '';
    $prompt   = '';
    */
  }

  // enter id
  if (!isset($_POST['password']) && empty($_POST['id'])) {
    $error  = 'An ID is required.';
  } else if (!isset($_POST['password']) && !empty($_POST['id'])) {
    include 'include/database-connection.php';
    $id     = clean($_POST['id']);
    $sql    = 'SELECT id, pass FROM guests WHERE id = :id';
    $stmt   = $conn->prepare($sql);
    $stmt->bindParam(':id', $id);
    $stmt->execute();
    $result = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($result) {
      $_SESSION['idPersist'] = $id;
      $identity              = 'password';
      $tip                   = 'Password';
      $error                 = '';
      if (is_null($result['pass'])) {
        $prompt             = 'Set Password';
        $_SESSION['prompt'] = 'Set Password';
      } else {
        $prompt             = 'Enter Password';
        $_SESSION['prompt'] = 'Enter Password';
      }
    } else {
      $prompt = 'Enter Valid ID';
    }
    $conn = null;
  }

}
?>
  <form
    accept-charset ='UTF-8'
    action         ='<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>'
    autocomplete   ='off'
    enctype        ='application/x-www-form-urlencoded'
    method         ='post'
    target         ='_self'>
      <input
        autofocus
        id          ='<?php
          if (empty($identity)) {
            echo 'id';
          } else {
            echo $identity;
          }
        ?>'
        name        ='<?php
          if (empty($identity)) {
            echo 'id';
          } else {
            echo $identity;
          }
        ?>'
        placeholder ='<?php
          if (empty($tip)) {
            echo 'ID';
          } else {
            echo $tip;
          }
        ?>'
        required
        size        ='25'
        title       ='<?php
          if (empty($tip)) {
            echo 'ID';
          } else {
            echo $tip;
          }
        ?>'
        type        ='text'>
      <span><?php echo $error ?? ''; ?></span>
      <input
        id    ='submit'
        name  ='submit'
        type  ='submit'
        value ='<?php
        if (empty($prompt)) {
          echo 'Enter ID';
        } else {
          echo $prompt;
        }
        ?>'>
  </form>
</body>
</html>
oldboy asked Dec 11 '25 17:12


1 Answer

NO.

Do not mess with users' passwords. There is no need to clean and sanitize users' passwords.

It can do no harm because the password should always be hashed. It should never be stored in its original form.

A hashed password like $2y$10$36PQzf67DtRPrn3ViqNFS.iswIU9AyIPRWV23KzmSXWD66RD7frIm can do no harm.

Anis Alibegić answered Dec 13 '25 06:12
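The point the answer makes, shown in working PHP as an added example (this is not code from the question or the answer): it runs the question's clean() over a few constructed passwords, hashes them with password_hash(), and checks them with password_verify(), then runs the question's Set Password / Enter Password flow against its guests table. The in-memory SQLite database and the helper names setPassword() and checkPassword() are assumptions introduced here so the script runs stand-alone.

```php
<?php
// Added example, not from the question or answer above. It shows why the
// question's clean() helper must not be applied to passwords: the stored
// hash then no longer matches what the user types next time. The table
// `guests` and column `pass` come from the question; the SQLite in-memory
// database and the helper names are assumptions made for a stand-alone run.

function clean($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// Constructed sample passwords; all but the first are altered by clean().
$samples = [
    'correct horse',      // untouched: clean() is a no-op here
    ' p@ss word ',        // trim() drops the leading/trailing spaces
    'Tom&Jerry<3',        // htmlspecialchars() turns & and < into entities
    'back\\slash',        // stripslashes() removes the backslash
];

foreach ($samples as $plain) {
    $hashOfCleaned = password_hash(clean($plain), PASSWORD_DEFAULT);
    $hashOfRaw     = password_hash($plain, PASSWORD_DEFAULT);
    printf("%-16s cleaned->%-22s verify(raw, hash(cleaned))=%-4s verify(raw, hash(raw))=%s\n",
        var_export($plain, true),
        var_export(clean($plain), true),
        password_verify($plain, $hashOfCleaned) ? 'ok' : 'FAIL',
        password_verify($plain, $hashOfRaw) ? 'ok' : 'FAIL');
}

// The same flow the question's page implements, against SQLite in memory.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE guests (id TEXT PRIMARY KEY, pass TEXT NULL)');
$conn->exec("INSERT INTO guests (id, pass) VALUES ('guest-1', NULL)");

// Set Password: update the existing guest row; only the hash reaches the DB.
function setPassword(PDO $conn, string $id, string $password): void {
    $stmt = $conn->prepare('UPDATE guests SET pass = :pass WHERE id = :id');
    $stmt->execute([
        ':pass' => password_hash($password, PASSWORD_DEFAULT),
        ':id'   => $id,
    ]);
}

// Enter Password: fetch the stored hash by id and compare with password_verify().
// The raw password never becomes part of the SQL text, so there is nothing to escape.
function checkPassword(PDO $conn, string $id, string $password): bool {
    $stmt = $conn->prepare('SELECT pass FROM guests WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['pass'] === null) {
        return false;
    }
    return password_verify($password, $row['pass']);
}

// Even a password that looks like an injection payload is just bytes to hash.
$hostile = "' OR '1'='1 <script>";
setPassword($conn, 'guest-1', $hostile);
var_dump(checkPassword($conn, 'guest-1', $hostile));
var_dump(checkPassword($conn, 'guest-1', clean($hostile)));
```

Run it with `php example.php`. Only the first sample survives clean() unchanged; the other three fail to verify against the hash of their cleaned form, which is exactly the lockout a user hits if clean() runs at registration but not at login, or the other way round. In the PDO part the password only ever reaches password_hash() and password_verify(), and the bound :id and :pass parameters are never spliced into the SQL string, so stripslashes() and htmlspecialchars() protect nothing there; applying them merely changes the credential (htmlspecialchars() rewrites the `<` in the hostile sample, so the cleaned form no longer verifies).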


