I've written a new email form. I've implemented stuff suggested by some good folk around here and so I tried my best to make it both simple and secure, though I'm not sure if I succeeded in the latter, considering that I'm stuck with the older MySQL API for now. I feel like I have to explain why. It's because the whole site is using mysql and I have no time to switch to PDO, at least not for now.
I didn't run the password through `!preg_match` though; not sure if that makes the input vulnerable to some kind of attack? I got a sense that when using `!password_verify` I can just sit back and relax.
Login form uses nickname, email and password to sign in.
Here's my code:
```php
if (@$_POST['login']) {
    $nickname       = mysql_real_escape_string($_POST['nickname']);
    $email          = $_POST['email'];      // not escaped before it is interpolated into the query below
    $password_input = $_POST['password'];

    // validation 1 ------- //
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $error = "Wrong nickname password or email.";
    }
    else if (!preg_match("/^[a-zA-Z0-9]{3,30}$/", $_POST['nickname'])) {
        $error = "Wrong nickname password or email.";
    }
    // validation 2 ------- //
    else { // password check
        $password_query  = mysql_query("SELECT password FROM userbase WHERE email='$email' && nickname='$nickname'");
        $password_actual = mysql_result($password_query, 0);   // first row, first column (stored password_hash() value)
        if (!password_verify($password_input, $password_actual)) {
            $error = "Wrong nickname, password or email.";
        }
        else {
            // LOGIN SUCCESSFUL
        }
    }
}
```
Is `!preg_match` for `$_POST['nickname']` needed if it's escaped by `mysql_real_escape_string`? (security wise)
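For comparison, here is the same login check written with a mysqli prepared statement. This is an added example, not the asker's code: it assumes a mysqli connection `$db` can be opened alongside the site's existing ext/mysql link, and the same `userbase` table with `email`, `nickname` and `password` columns, where `password` holds `password_hash()` output. With bound parameters the values never become part of the SQL text, so the question of whether `$nickname` (escaped) or `$email` (validated by `filter_var` but interpolated unescaped in the posted code) is safe to concatenate goes away entirely. The whitelist regex is kept anyway: it bounds input length and is cheap defence in depth, but it is no longer what protects the query.

```php
<?php
// Added example, not the original post's code. Assumes: a mysqli connection,
// a `userbase` table (email, nickname, password) and password_hash() hashes
// in the password column.

// Whitelist checks kept as defence in depth; they are not the SQL protection.
function login_input_is_valid(string $nickname, string $email): bool
{
    if (!preg_match('/^[a-zA-Z0-9]{3,30}$/', $nickname)) {
        return false;
    }
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return true;
}

// True only when a row matches both email and nickname and the submitted
// password verifies against the stored hash.
function authenticate(mysqli $db, string $nickname, string $email, string $password): bool
{
    if (!login_input_is_valid($nickname, $email)) {
        return false;
    }

    $stmt = $db->prepare(
        'SELECT password FROM userbase WHERE email = ? AND nickname = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $email, $nickname);   // values are sent separately from the SQL text
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: still run one bcrypt comparison so a missing account
        // takes about as long to reject as a wrong password. The dummy value
        // below is a syntactically valid (assumed, never matching) bcrypt hash.
        password_verify($password, '$2y$10$' . str_repeat('.', 53));
        return false;
    }

    return password_verify($password, $stored_hash);
}

// Usage in the form handler, same shape as the original (credentials assumed):
if (isset($_POST['login'])) {
    $db = new mysqli('localhost', 'user', 'pass', 'site');
    $db->set_charset('utf8mb4');   // always set the connection charset explicitly

    $ok = authenticate(
        $db,
        (string) ($_POST['nickname'] ?? ''),
        (string) ($_POST['email'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );

    if ($ok) {
        // LOGIN SUCCESSFUL
    } else {
        $error = 'Wrong nickname, password or email.';
    }
}
```

If staying on ext/mysql really is unavoidable for now, the minimal fix to the posted code is to pass `$email` through `mysql_real_escape_string` as well (apostrophes are legal in the local part of an e-mail address, so `FILTER_VALIDATE_EMAIL` does not keep quote characters out of the query) and to call `mysql_set_charset()` after connecting, since `mysql_real_escape_string` escapes according to the connection's character set. The password itself never needs a regex: `password_verify` treats it as an opaque string and it is not used in the query.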