Questions & Answers

PHP Basic Security IF

Folks. I'm just starting with PHP and I'd like to get some guidance on developing a register/login system. I've read that I should check if the method used to submit a form was POST. The PHP code that is going to process the signup form should have a verification similar to:

if (strtoupper($_SERVER['REQUEST_METHOD']) == 'POST') {
    if (isset($_POST['dosignup'])) {          // submit button (working fine)
        // another if to check the integrity of the CSRF token (working fine)
        // another if for header injection (working fine)
        // another if to check fields and do some validation, etc.
    }
}

I'm just not sure if that is not overkill nowadays. Also, would it be proper to use $_POST=array(); and maybe unset any unnecessary $_SESSION variables after everything is saved in the database?


Since I'm just a dumb beginner I'm not sure what is okay and whatnot.

2023-01-07 20:30:42
A couple of good tutorials from a reputable source would get you a long way. As it is, way too many questions (and too little code) in one post. But basically, you want to verify that any expected data that you take action on exists and is in a valid form. Otherwise you end up with crap data and bugs when you try to use it. If you use CSRF tokens, you want to verify them. Otherwise, why use them? If you're sending headers with user data included, you definitely want to validate that data. Don't trust any user input, anywhere, ever. No real need to unset stuff just for security.
2023-01-07 20:30:42
The most common weakest links of any auth system are going to be SQL injection and improper password storage. Without seeing how your code handles database interaction for those two cases, it's hard to comment further.
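Putting the checks from the question (POST method, submit button, CSRF token, header injection, field validation) together with the two weak links named in the last comment (SQL injection and password storage), as an added example that is not code from the poster or either commenter. It assumes a PDO handle in $pdo, session_start() already called with a CSRF token stored in $_SESSION['csrf'], a users table with email and password_hash columns, and form fields named email and password (only dosignup comes from the question).

```php
<?php
// Added example (not the poster's code): a minimal signup handler applying the
// checks discussed above. Assumes $pdo (PDO), an active session holding
// $_SESSION['csrf'], and a users(email, password_hash) table.
declare(strict_types=1);

function csrf_token_is_valid(array $post, array $session): bool
{
    // hash_equals() compares in constant time, so a token of the wrong
    // length or content is rejected without leaking timing information.
    return isset($post['csrf'], $session['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

function has_header_injection(string $value): bool
{
    // CR/LF in a value that later lands in a mail or HTTP header lets the
    // sender append headers of their own, so reject it outright.
    return preg_match('/[\r\n]/', $value) === 1;
}

function validate_signup(array $post): array
{
    $errors = [];
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || has_header_injection($post['email'])) {
        $errors[] = 'invalid email';
    }
    $password = $post['password'] ?? '';
    if (!is_string($password) || strlen($password) < 12) {
        $errors[] = 'password must be at least 12 characters';
    }
    return [$errors, $email, $password];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['dosignup'])) {
    if (!csrf_token_is_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('invalid request');
    }
    [$errors, $email, $password] = validate_signup($_POST);
    if ($errors === []) {
        // Prepared statement: the e-mail is bound, never concatenated into SQL.
        $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
        // password_hash() salts and slow-hashes; the plaintext is never stored.
        $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
    }
}
```

Clearing $_POST afterwards adds nothing here: the request ends and the superglobal is discarded, while the prepared statement and password_hash() are what actually close the two gaps the comment points at.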