
I've got a predicament that I'd love your help with if you have any insight. In short, I'm currently doing a study portal type project and I'm looking to have it fully database driven, so that when I register for a module, that particular module appears on the user's profile, because as of right now it doesn't matter if Tom, Dick or Harry logs in: they all see the same three modules for a particular course.

So upon registering, a user would choose a course, a list of relevant modules would appear and then the user would choose their modules. From that, their homepage would be populated by the HTML & CSS code attached to that module.

There are three tables that interact with this section: UserDemo, course and module.

Here is the code I currently have to do with registering as a user (the course & modules must still be added):

accounts\signup.php

    <?php
    include '../inc/db.php';
    include '../inc/functions.php';

    if (isset($_POST['signup'])) {
        $fName = p_s($_POST['fName']);
        $lName = p_s($_POST['lName']);
        $email = p_s($_POST['email']);
        $password = p_s($_POST['password']);
        $rpassword = p_s($_POST['rpassword']);
        $contentID = p_s($_POST['contentID']);
        if (!empty($fName) && !empty($lName) && !empty($email) && !empty($password) && !empty($contentID)) {
            if (strlen($password) === strlen($rpassword)) {

                $options = [
                    'cost' => 12,
                ];
                $password = password_hash($password, PASSWORD_BCRYPT, $options);
                $created_at = date('Y-m-d G:i:s');

                $sql = "INSERT INTO usersDemo (fName, lName, email, password, contentID, status, created_at) VALUES ('$fName','$lName', '$email', '$password', '$contentID', 'approved', '$created_at')";
                if (mysqli_query($conn, $sql)) {
                    header('Location: ../signup.php?suc');exit();
                }
            }else{
                header('Location: ../signup.php?fidpass');exit();
            }
        }else{
            header('Location: ../signup.php?fempt');exit();
        }
    }

inc\signup.php

    <form action="accounts/signup.php" method="POST">

       <div id="fade-box">
         <h2>Register</h2>
      <div class="form-group">
        <input name="fName" type="text" class="form-control" id="fName" placeholder="Enter your first name" required>
      </div>
      <div class="form-group">
        <input name="lName" type="text" class="form-control" id="lName" placeholder="Enter your last name" required>
      </div>
      <div class="form-group">
        <input name="email" type="email" class="form-control" id="email" placeholder="Email" required>
      </div>
      <div class="form-group">
        <input name="password" type="password" class="form-control" id="password" placeholder="Password" required>
      </div>
      <div class="form-group">
        <input name="rpassword" type="password" class="form-control" id="rpassword" placeholder="Repeat Password" required>
      </div>
      <div class="form-group">
        <input name="contentID" type="text" class="form-control" id="contentID" placeholder="Enter your contentID" required>
      </div>
      <button name="signup" type="submit" class="btn btn-success">Register</button>
      </div>
    </form>

This is my current plan of attack:

  1. Select module name, module description from db

  2. Display on screen

  3. Iterate through values and display

  4. Copy code for UI into for loop

What would your opinions be on this plan of attack, or does anyone know of an alternative (and maybe easier) way of accomplishing this?

Thanks in advance for your time and help :)

  • Your code is likely vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) driver. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Mar 06 '18 at 15:51
  • Your check for the confirmation password simply ensures that its length is the same, which means somebody could provide `12345` and `ABCDE` and it would pass. It should check equivalency. – Alex Howansky Mar 06 '18 at 15:53
  • Apologies, I also have another PHP file that contains global functions to validate this – user9445468 Mar 06 '18 at 16:11
  •
        function checkIfEmailExist($email){
            global $conn;
            $data[]=array();
            $sql = "SELECT userID FROM usersDemo WHERE email ='$email'";
            $run = mysqli_query($conn, $sql);
            $rows =mysqli_num_rows($run);
            if ($rows == 0) {
                return false;
            }else{
                return true;
            }
        }
    – user9445468 Mar 06 '18 at 16:12
  •
        function checkPassword($email, $password){
            global $conn;
            $sql = "SELECT password FROM usersDemo WHERE email ='$email'";
            $run = mysqli_query($conn, $sql);
            while ($rows = mysqli_fetch_assoc($run)) {
                $hashedDBPass = $rows['password'];
            }
            if (password_verify($password, $hashedDBPass)) {
                return true;
            }else{
                return false;
            }
        }
    – user9445468 Mar 06 '18 at 16:12
  • Anyone else have any ideas on how to improve the method I'm taking? @AlexHowansky – user9445468 Mar 06 '18 at 17:18
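The plan of attack in the question (select the user's modules, iterate, render the UI for each), as an added example that is not code from the question or the answer. It fetches only the logged-in user's modules with a bound parameter and escapes every database value on output. The question names only the tables `usersDemo`, `course` and `module`; the column names below, the `user_module` enrolment table, `$_SESSION['userID']` and `../login.php` are assumptions made for this example.

```php
<?php
// Added example (not code from the question or the answer). Assumed schema;
// the question names only the tables usersDemo, course and module:
//   course(courseID, courseName)
//   module(moduleID, courseID, moduleName, moduleDescription)
//   user_module(userID, moduleID)   -- the modules a user picked at registration
session_start();
include '../inc/db.php';   // assumed to provide $conn, a mysqli connection

// Who is logged in comes from the session set at login, never from a GET/POST
// parameter; otherwise anyone could view another student's profile by changing an id.
if (!isset($_SESSION['userID'])) {
    header('Location: ../login.php');
    exit();
}
$userID = (int) $_SESSION['userID'];

// Step 1: select the module name and description for this user only. The join
// on user_module is what makes the page differ for Tom, Dick and Harry, and the
// bound placeholder keeps $userID as data rather than as SQL text.
$sql = "SELECT m.moduleName, m.moduleDescription
          FROM module m
          JOIN user_module um ON um.moduleID = m.moduleID
         WHERE um.userID = ?
      ORDER BY m.moduleName";
$stmt = $conn->prepare($sql);
if ($stmt === false) {
    http_response_code(500);
    exit('Could not prepare module query');   // log $conn->error server-side, do not echo it
}
$stmt->bind_param('i', $userID);
$stmt->execute();
$result  = $stmt->get_result();              // requires the mysqlnd driver
$modules = $result->fetch_all(MYSQLI_ASSOC);
$stmt->close();

// Steps 2-4: iterate and render. Every value read from the database is escaped
// on output, so a module named "<script>...</script>" stays inert text.
?>
<div class="modules">
<?php if (count($modules) === 0): ?>
  <p>You are not registered for any modules yet.</p>
<?php endif; ?>
<?php foreach ($modules as $mod): ?>
  <div class="module-card">
    <h3><?= htmlspecialchars($mod['moduleName'], ENT_QUOTES, 'UTF-8') ?></h3>
    <p><?= htmlspecialchars($mod['moduleDescription'], ENT_QUOTES, 'UTF-8') ?></p>
  </div>
<?php endforeach; ?>
</div>
```

Two points a practitioner would want on top of this. If the per-module HTML & CSS snippet the question mentions is stored in a database column and echoed unescaped, whoever can write that column controls what runs in every enrolled student's browser, so that column must be writable by staff only, while anything a student can edit is escaped as above. And when the registration form posts the chosen module ids, check server-side (with a second prepared query) that each id belongs to the chosen course before inserting into the enrolment table; the list shown in the browser is not proof of what was submitted.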

1 Answer


Use prepared statements: you are vulnerable to SQL injection, and prepared statements will prevent that.

    <?php
    include '../inc/db.php';
    include '../inc/functions.php';

    if (isset($_POST['signup'])) {
        $fName = p_s($_POST['fName']);
        $lName = p_s($_POST['lName']);
        $email = p_s($_POST['email']);
        $password = p_s($_POST['password']);
        $rpassword = p_s($_POST['rpassword']);
        $contentID = p_s($_POST['contentID']);
        if (!empty($fName) && !empty($lName) && !empty($email) && !empty($password) && !empty($contentID)) {
            // Compare the two passwords for equality, not merely for equal length
            if ($password === $rpassword) {

                $options = [
                    'cost' => 12,
                ];
                $password = password_hash($password, PASSWORD_BCRYPT, $options);
                $created_at = date('Y-m-d G:i:s');
                $status = 'approved'; // bind_param() takes variables by reference, so no literals

                // Placeholders instead of interpolated values: user input is sent as data,
                // never parsed as part of the SQL
                $sql = "INSERT INTO usersDemo (fName, lName, email, password, contentID, status, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)";

                if ($stmt = $conn->prepare($sql)) {
                    // one type letter per placeholder: s = string, i = int
                    $stmt->bind_param('ssssiss', $fName, $lName, $email, $password, $contentID, $status, $created_at);

                    /* execute the statement; an INSERT has no result set to free */
                    $ok = $stmt->execute();
                    $stmt->close();

                    if ($ok) {
                        header('Location: ../signup.php?suc');exit();
                    }
                }
            }else{
                header('Location: ../signup.php?fidpass');exit();
            }
        }else{
            header('Location: ../signup.php?fempt');exit();
        }
    }
g4ost
  • Hi, appreciate the help. Do you have any alternative methods for the way I'm trying to make my user profile database driven? @George – user9445468 Mar 07 '18 at 17:40
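The two helpers pasted in the question's comments build their queries by interpolating `$email`, so they carry the same injection problem the answer addresses for the INSERT, and the confirmation check is the one Alex Howansky's second comment describes. Below is an added example, not the poster's or the answerer's code, that rewrites them with bound parameters. It assumes `$conn` is the mysqli connection from `inc/db.php`, passed in explicitly instead of pulled in with `global`, and the `usersDemo` columns named in the question (`userID`, `email`, `password`).

```php
<?php
// Added example, not code from the question or the answer. Assumes $conn is the
// mysqli connection from inc/db.php (passed in rather than pulled in with global)
// and the usersDemo columns userID, email and password from the question.

function checkIfEmailExist(mysqli $conn, string $email): bool
{
    // With the original "... WHERE email ='$email'", an input of
    //     x' OR '1'='1
    // becomes  WHERE email ='x' OR '1'='1'  and matches every row, so the
    // function reports that any address "exists". With a bound parameter the
    // same input is compared literally against the column and matches nothing.
    $stmt = $conn->prepare("SELECT userID FROM usersDemo WHERE email = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();              // num_rows is only valid after store_result()
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

function checkPassword(mysqli $conn, string $email, string $password): bool
{
    $stmt = $conn->prepare("SELECT password FROM usersDemo WHERE email = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($hashedDBPass);
    $found = ($stmt->fetch() === true);  // null (no row) or false (error) otherwise
    $stmt->close();
    if (!$found) {
        // Unknown email: fail closed. The original left $hashedDBPass unset on
        // this path and handed a null hash to password_verify().
        return false;
    }
    return password_verify($password, $hashedDBPass);
}

function passwordsMatch(string $password, string $rpassword): bool
{
    // strlen($a) === strlen($b) accepts "12345" against "ABCDE"; compare the values.
    return $password === $rpassword;
}
```

One caveat on `checkPassword()`: when the email is unknown it returns before bcrypt runs, so a valid address and an invalid one are distinguishable by response time. If account enumeration matters for the portal, run `password_verify()` against a fixed dummy bcrypt hash on the miss path so both branches cost about the same.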