Okay, this script was coded for PHP 4. I'm now on PHP 5.
I've searched and read many different tutorials, forums, blogs, etc. about PHP security (passwords, addslashes, ...) and am very confused because many people say this, others say no, that. Some say magic quotes must be ON, others say OFF. Good, bad, good, bad... blah blah blah.
I'M LOST.
Many examples I have seen are like this:
PHP Code:
$username = $_POST['username'];
$password = sha1($_POST['password']);
$DB->query('INSERT INTO users (username, password) VALUES (?, ?)', array($username, $password));
Below is the signup/register PHP code. As you can see, nothing below has $_POST or looks the way many of the examples have shown.
So what needs to be changed? Am I doing it wrong? To be honest, I don't know what is right or wrong, since I'm confused thanks to many people.
PHP Code:
<?php
$newusername = preg_replace("/[^a-zA-Z0-9]/", "", $username);
$newegold = preg_replace("/[^0-9]/", "", $egold);

if (isset($signup)) {
    $err = "";
    if ((!$username) or (!$password) or (!$email)) {
        $err .= "All fields are required!";
    } else {
        if (strlen($username) < 4) {
            $err .= "4+ characters required!<br />";
        }
        if (strlen($password) < 6) {
            $err .= "6+ characters required!<br />";
        }
        if ((substr_count($email, "@") == 0) or (strlen($email) < 3)) {
            $err .= "Invalid e-mail address.<br />";
        }
        if (strlen($egold) < 1) {
            $err .= "The minimum length of the egold id# is 1 number.<br />";
        }
        if (strlen($pp) < 1) {
            $err .= "The minimum length of the PayPal email is 1 number.<br />";
        }
        $eredm = mysql_query("SELECT * FROM `aff` WHERE username='$username'") or die(mysql_error());
        if (mysql_num_rows($eredm) > 0) {
            $err .= "This username is already taken.<br />";
        }
    }
    if ($err) {
        errormess($err);
        print("<br />");
    } else {
        $eredm = mysql_query("INSERT INTO aff(username,password,email,egold,pp) VALUES('$newusername','$password','$email','$newegold','$pp')") or die(mysql_error());
        infomess("You've successfully registered an account.");
        print("<br />");
        $username = "";
        $password = "";
        $email = "";
        $egold = "";
        $pp = "";
    }
}
?>
__________________
Dummie Dude
Last edited by dummie84; 08-07-2008 at 11:33 PM..
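The posted script only works because PHP 4's register_globals turned every form field into a variable ($username, $signup, ...), and it builds its SQL by pasting those strings straight into the query, which is exactly the pattern the "?" placeholders in the first snippet exist to avoid (a username such as ' OR 1=1 -- rewrites the WHERE clause). The block below is an added example, not the poster's code and not the forum's answer: it shows the same signup flow rewritten for PHP 5 with explicit $_POST reads, reject-on-invalid validation, PDO prepared statements so input is sent as data rather than as SQL text, and a salted password hash instead of plain text. It assumes the same `aff` table and columns as the post, a MySQL PDO connection whose DSN and credentials are placeholders, and PHP 5.5 or later for password_hash()/password_verify(); the magic quotes setting becomes irrelevant once no string is ever spliced into a query.

```php
<?php
// Added example (not the original poster's code). Assumes: table `aff` with the
// columns used in the post, PDO with the MySQL driver, and PHP >= 5.5 for
// password_hash()/password_verify().

function register_user(PDO $db, array $post)
{
    // Read input explicitly from $_POST; do not rely on register_globals.
    $username = isset($post['username']) ? trim($post['username']) : '';
    $password = isset($post['password']) ? $post['password'] : '';
    $email    = isset($post['email'])    ? trim($post['email'])    : '';
    $egold    = isset($post['egold'])    ? trim($post['egold'])    : '';
    $pp       = isset($post['pp'])       ? trim($post['pp'])       : '';

    $errors = array();

    // Whitelist validation: reject bad input instead of silently stripping
    // characters, so what is checked is exactly what gets stored.
    if (!preg_match('/^[a-zA-Z0-9]{4,32}$/', $username)) {
        $errors[] = 'Username must be 4-32 letters or digits.';
    }
    if (strlen($password) < 6) {
        $errors[] = 'Password must be at least 6 characters.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address.';
    }
    if (!preg_match('/^[0-9]{1,20}$/', $egold)) {
        $errors[] = 'The e-gold id must be 1-20 digits.';
    }
    if (filter_var($pp, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid PayPal e-mail address.';
    }
    if ($errors) {
        return $errors;
    }

    // Duplicate check with a bound parameter: the username travels to MySQL
    // as data, so quotes or "' OR 1=1 --" cannot change the query's meaning.
    $stmt = $db->prepare('SELECT COUNT(*) FROM `aff` WHERE username = ?');
    $stmt->execute(array($username));
    if ((int) $stmt->fetchColumn() > 0) {
        return array('This username is already taken.');
    }

    // Never store the plain-text password. password_hash() picks a random
    // salt and a slow hash (bcrypt), so a leaked table cannot be cracked cheaply.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        'INSERT INTO `aff` (username, password, email, egold, pp) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute(array($username, $hash, $email, $egold, $pp));

    return array(); // empty array: no errors, registration succeeded
}

// Login-side counterpart: compare against the stored hash, never the raw password.
function check_login(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT password FROM `aff` WHERE username = ?');
    $stmt->execute(array($username));
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Usage. DSN, database name and credentials are placeholders for this example.
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8', 'dbuser', 'dbpass');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

if (isset($_POST['signup'])) {
    $errors = register_user($db, $_POST);
    if ($errors) {
        // Escape on output so an error message can never inject HTML into the page.
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br />\n";
        }
    } else {
        echo "You've successfully registered an account.<br />\n";
    }
}
```

Two points worth keeping in mind when adapting this: the COUNT(*) check and the INSERT are two separate statements, so two simultaneous signups for the same name can both pass the check; put a UNIQUE index on `aff.username` and treat a duplicate-key PDOException from the INSERT as "username taken". And existing rows that hold sha1() or plain-text passwords will not verify against password_verify(); they have to be rehashed at the user's next successful login.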