# Code Breakdown

### 1. Database Connection

```php
require 'db_connection.php';
```

- Includes the `db_connection.php` file, which is expected to establish a connection to the database (used later as `$conn`).
### 2. Fetching Form Data

```php
$name = $_POST['name'];
$email = $_POST['email'];
$password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$dob = $_POST['dob'];
$gender = $_POST['gender'];
$course_id = $_POST['course_id'];
$semester_id = $_POST['semester_id'];
$section_id = $_POST['section_id'];
$skills = implode(', ', $_POST['skills']);
```

- Retrieves form data sent via the POST method:
  - Name, Email, DOB, Gender: simple text or numeric values.
  - Password: hashed using `password_hash()` for secure storage.
  - Skills: `implode()` converts the array of selected skills into a comma-separated string.
- Input validation and sanitization are missing, so every value is used exactly as the client sent it. Because these values are later concatenated into an SQL string (step 4), this makes the script vulnerable to SQL injection attacks.
### 3. Handling Image Upload

```php
$image = $_FILES['image'];
$uploadDir = 'uploads/';
if (!is_dir($uploadDir)) {
    if (!mkdir($uploadDir, 0777, true)) {
        die("Failed to create upload directory.");
    }
}
$imagePath = $uploadDir . basename($image['name']);
if (!move_uploaded_file($image['tmp_name'], $imagePath)) {
    die("Failed to upload image.");
}
```

- File Input: the uploaded file is accessed via the `$_FILES` superglobal.
- Upload Directory: ensures the `uploads/` directory exists. If not, it attempts to create it with mode `0777`, which is world-writable (see Directory Permissions under Potential Improvements).
- Image Path: the full path where the image will be saved. The name is taken from the client-supplied filename; `basename()` strips any directory part but does not check the extension or the file's contents.
- File Upload: `move_uploaded_file()` moves the uploaded image from the temporary location to the target directory. Errors during upload are handled with a termination message.
### 4. Inserting Data into Database

```php
$query = "INSERT INTO users (name, email, password, dob, gender, course_id, semester_id, section_id, skills, image_path)
          VALUES ('$name', '$email', '$password', '$dob', '$gender', $course_id, $semester_id, $section_id, '$skills', '$imagePath')";
if ($conn->query($query) === TRUE) {
    echo "Registration successful!";
} else {
    echo "Error: " . $conn->error;
}
```

- SQL Query: constructs an `INSERT` statement to save user data in the `users` table by interpolating the raw form values into the query string.
- Query Execution: `$conn->query()` executes the SQL query.
- Error Handling: if the query fails, the database error is displayed. For production, this should be replaced with a generic error message.
## Key Features and Functions

- `password_hash()`:
  - Hashes the password (one-way; this is not encryption) for secure storage.
  - A safer alternative to storing plain-text passwords.
- `move_uploaded_file()`:
  - Ensures the uploaded file is moved to the server's filesystem only if it was genuinely received as an upload in this request.
- Error Handling:
  - Uses `die()` for critical errors like directory creation or file upload failures.
## Potential Improvements

1. Validation & Sanitization:
   - Use `filter_var()` for email validation.
   - Sanitize input to prevent SQL injection and XSS attacks. Note that `real_escape_string()` only protects quoted string values inside SQL; it does nothing for XSS, which needs output escaping (e.g. `htmlspecialchars()`) when values are rendered in HTML.

   ```php
   $name = $conn->real_escape_string($_POST['name']);
   ```
2. Prepared Statements:
   - Replace raw queries with prepared statements to protect against SQL injection.

   ```php
   $stmt = $conn->prepare("INSERT INTO users (name, email, password, dob, gender, course_id, semester_id, section_id, skills, image_path)
                           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
   // One type character per placeholder: the three *_id columns are integers (i),
   // everything else is bound as a string (s).
   $stmt->bind_param("sssssiiiss",
       $name, $email, $password, $dob, $gender,
       $course_id, $semester_id, $section_id, $skills, $imagePath);
   $stmt->execute();
   ```
3. File Security:
   - Validate the uploaded file type and size to prevent malicious uploads.

   ```php
   $allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
   // $image['type'] is the MIME type reported by the browser, not derived from the
   // file contents, so this check must be backed by a server-side inspection.
   if (!in_array($image['type'], $allowedTypes)) {
       die("Invalid file type.");
   }
   ```
4. Error Logging:
   - Log errors instead of displaying them to users.

   ```php
   error_log("Database Error: " . $conn->error);
   ```
5. Directory Permissions:
   - Limit the upload directory's permissions to prevent unauthorized access.
## How it Works

1. Form data and the uploaded file are received via the `$_POST` and `$_FILES` superglobals.
2. Data is processed, validated, and saved in a database.
3. Uploaded images are stored in a server directory, and their path is recorded in the database.
4. The user gets feedback on successful registration or any errors encountered.
## Security Concerns

- SQL Injection: use prepared statements to prevent this.
- Sensitive Data: avoid displaying database errors to users.
- File Upload: always validate file types and sizes.