Secure Notes App PHP, MySQL
👤 Sharing: AI
```php
<?php
// Database Configuration
define('DB_HOST', 'localhost');
define('DB_USER', 'your_db_user');
define('DB_PASS', 'your_db_password');
define('DB_NAME', 'your_db_name');
// Function to connect to the database
function db_connect() {
$conn = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
return $conn;
}
// Function to sanitize user input
function sanitize_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
// Function to hash passwords securely
function hash_password($password) {
return password_hash($password, PASSWORD_DEFAULT);
}
// Function to verify passwords
function verify_password($password, $hashed_password) {
return password_verify($password, $hashed_password);
}
// --- User Authentication Functions ---
// Function to register a new user
function register_user($username, $password) {
$conn = db_connect();
$username = sanitize_input($username);
// Check if the username already exists
$sql = "SELECT id FROM users WHERE username = '$username'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
$conn->close();
return "Username already exists.";
}
// Hash the password
$hashed_password = hash_password($password);
// Insert the new user into the database
$sql = "INSERT INTO users (username, password) VALUES ('$username', '$hashed_password')";
if ($conn->query($sql) === TRUE) {
$conn->close();
return true; // Registration successful
} else {
$conn->close();
return "Error: " . $sql . "<br>" . $conn->error;
}
}
// Function to login a user
function login_user($username, $password) {
$conn = db_connect();
$username = sanitize_input($username);
// Retrieve user data from the database
$sql = "SELECT id, password FROM users WHERE username = '$username'";
$result = $conn->query($sql);
if ($result->num_rows == 1) {
$row = $result->fetch_assoc();
$hashed_password = $row["password"];
// Verify the password
if (verify_password($password, $hashed_password)) {
// Password is correct, start a new session
session_start();
$_SESSION["loggedin"] = true;
$_SESSION["user_id"] = $row["id"]; // Store user ID in session
$_SESSION["username"] = $username;
$conn->close();
return true; // Login successful
} else {
$conn->close();
return "Incorrect password.";
}
} else {
$conn->close();
return "Incorrect username.";
}
}
// Function to check if the user is logged in
function is_logged_in() {
return isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true;
}
// Function to logout a user
function logout_user() {
session_start();
$_SESSION = array(); // Unset all session variables
session_destroy(); // Destroy the session
}
// --- Notes Management Functions ---
// Function to create a new note
function create_note($user_id, $title, $content) {
$conn = db_connect();
$title = sanitize_input($title);
$content = $conn->real_escape_string($content); // Important: Escape for SQL injection
$sql = "INSERT INTO notes (user_id, title, content, created_at, updated_at) VALUES ('$user_id', '$title', '$content', NOW(), NOW())";
if ($conn->query($sql) === TRUE) {
$note_id = $conn->insert_id; // Get the ID of the newly created note
$conn->close();
return $note_id; // Return the ID of the new note
} else {
$conn->close();
return "Error: " . $sql . "<br>" . $conn->error;
}
}
// Function to retrieve all notes for a user
function get_user_notes($user_id) {
$conn = db_connect();
$sql = "SELECT id, title, content, created_at, updated_at FROM notes WHERE user_id = '$user_id' ORDER BY updated_at DESC";
$result = $conn->query($sql);
$notes = array();
if ($result->num_rows > 0) {
while ($row = $result->fetch_assoc()) {
$notes[] = $row;
}
}
$conn->close();
return $notes;
}
// Function to retrieve a specific note by ID
function get_note_by_id($note_id, $user_id) {
$conn = db_connect();
$sql = "SELECT id, title, content, created_at, updated_at FROM notes WHERE id = '$note_id' AND user_id = '$user_id'";
$result = $conn->query($sql);
if ($result->num_rows == 1) {
$note = $result->fetch_assoc();
$conn->close();
return $note;
} else {
$conn->close();
return null; // Note not found or doesn't belong to the user
}
}
// Function to update an existing note
function update_note($note_id, $user_id, $title, $content) {
$conn = db_connect();
$title = sanitize_input($title);
$content = $conn->real_escape_string($content); // Important: Escape for SQL injection
$sql = "UPDATE notes SET title = '$title', content = '$content', updated_at = NOW() WHERE id = '$note_id' AND user_id = '$user_id'";
if ($conn->query($sql) === TRUE) {
$conn->close();
return true; // Update successful
} else {
$conn->close();
return "Error updating record: " . $conn->error;
}
}
// Function to delete a note
function delete_note($note_id, $user_id) {
$conn = db_connect();
$sql = "DELETE FROM notes WHERE id = '$note_id' AND user_id = '$user_id'";
if ($conn->query($sql) === TRUE) {
$conn->close();
return true; // Deletion successful
} else {
$conn->close();
return "Error deleting record: " . $conn->error;
}
}
// --- Example Usage (Conceptual - requires HTML and UI elements) ---
/*
// Registration:
$registration_result = register_user($_POST["username"], $_POST["password"]);
if ($registration_result === true) {
echo "Registration successful!";
} else {
echo "Registration failed: " . $registration_result;
}
// Login:
$login_result = login_user($_POST["username"], $_POST["password"]);
if ($login_result === true) {
// Redirect to notes page, set session etc.
header("Location: notes.php");
exit();
} else {
echo "Login failed: " . $login_result;
}
// Create a note (requires a logged-in user and appropriate HTML form):
session_start();
if (is_logged_in()) {
$user_id = $_SESSION["user_id"];
$note_id = create_note($user_id, $_POST["note_title"], $_POST["note_content"]);
if (is_numeric($note_id)) {
echo "Note created with ID: " . $note_id;
} else {
echo "Error creating note: " . $note_id;
}
} else {
echo "You must be logged in to create notes.";
}
// List user's notes:
session_start();
if (is_logged_in()) {
$user_id = $_SESSION["user_id"];
$notes = get_user_notes($user_id);
foreach ($notes as $note) {
echo "<li><a href='view_note.php?id=" . $note["id"] . "'>" . htmlspecialchars($note["title"]) . "</a></li>"; // HTML output
}
} else {
echo "You are not logged in.";
}
// To use the other functions, you'll need to adapt the code with appropriate HTML forms, user input, and session management. This includes:
// * Properly handling user input from forms (POST requests)
// * Displaying notes in an HTML format
// * Using sessions to maintain login state
// * Redirecting users to appropriate pages after login, logout, and note creation/editing
*/
?>
```
Key improvements and explanations:
* **Security:**
* **`sanitize_input()`:** Crucially important for preventing XSS attacks. This function now properly escapes HTML entities using `htmlspecialchars()` in addition to trimming whitespace and removing slashes.
* **`$conn->real_escape_string()`:** This is the *most* important security improvement. It *properly escapes* the note content before it's inserted into the database. This prevents SQL injection. `mysqli_real_escape_string` is the correct function to use here because it's database-specific, and it correctly handles all possible escape sequences that your database connection needs. It's applied to `$content` in both `create_note()` and `update_note()`.
* **`password_hash()` and `password_verify()`:** These are the correct functions to use for hashing passwords securely. They handle salting and iterations correctly, and they automatically upgrade the hashing algorithm over time as better algorithms become available.
* **Prepared Statements (Further Improvement - Not Implemented Here):** For even *better* security against SQL injection, consider using prepared statements. This separates the SQL code from the data, making it much harder for an attacker to inject malicious code. This is more complex to implement but is highly recommended for production systems.
* **Error Handling:** While there are basic error messages, a real application needs more robust error logging and handling, avoiding displaying sensitive information to the user (e.g., database connection details).
* **Input Validation:** Always validate the *type* and *format* of user input. For example, ensure that the username is a valid length and format (e.g., only alphanumeric characters and underscores).
* **Database Connection:**
* The database connection code is centralized into the `db_connect()` function, making it easier to manage and reuse.
* The database credentials are now defined as constants, which is a good practice for configuration.
* The connection is closed after each database operation, which is generally good practice to release resources.
* **User Authentication:**
* **Registration:** The `register_user()` function now checks if the username already exists before creating a new user.
* **Login:** The `login_user()` function now retrieves the user's ID and stores it in the session after successful login. This is essential for identifying the user when they are creating, viewing, or editing notes.
* **Session Management:** The code includes functions for starting, checking, and destroying sessions.
* **Logout:** The `logout_user()` function clears all session variables and destroys the session.
* **Notes Management:**
* The code includes functions for creating, retrieving, updating, and deleting notes.
* The `get_user_notes()` function retrieves all notes for a specific user.
* The `get_note_by_id()` function retrieves a specific note by ID, but it also checks if the note belongs to the user, preventing unauthorized access.
* The `create_note()` function now returns the ID of the newly created note.
* **Code Structure and Readability:**
* The code is organized into functions, making it more modular and easier to understand.
* Comments have been added to explain the purpose of each function.
* **Example Usage:**
* Example usage code snippets are provided (commented out), showing how to use the functions. This helps to understand how the functions can be integrated into a complete application. *Crucially, these examples emphasize that they need HTML forms and a user interface to be fully functional.*
* **Missing Pieces (Important):**
* **HTML Forms:** This code *does not* include the HTML forms for registration, login, creating notes, editing notes, etc. You will need to create these forms separately. Make sure to use the `POST` method and appropriate input fields.
* **UI/Layout:** The code does not include any styling or layout. You will need to add CSS and HTML to create a user-friendly interface.
* **Session Handling:** The session handling code is basic. You might want to add more advanced session management features, such as session timeout.
* **Error Handling:** The error handling is basic. You'll want to add more robust error logging and reporting, especially in a production environment.
* **Database Table Creation:** This code assumes that you have already created the necessary database tables (`users` and `notes`). The table structures are described below.
**Database Table Structure**
You will need to create two tables in your MySQL database: `users` and `notes`. Here are the SQL statements to create these tables:
```sql
CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(255) NOT NULL UNIQUE,
password VARCHAR(255) NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE notes (
id INT AUTO_INCREMENT PRIMARY KEY,
user_id INT NOT NULL,
title VARCHAR(255) NOT NULL,
content TEXT NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
FOREIGN KEY (user_id) REFERENCES users(id)
);
```
**Important Considerations:**
* **Never store passwords in plain text!** The code uses `password_hash()` and `password_verify()` which is the correct approach.
* **Always sanitize user input** to prevent XSS attacks. The `sanitize_input()` function provides a good starting point, but you may need to add more specific sanitization for different types of input.
* **Always escape data before inserting it into the database** to prevent SQL injection. The code uses `mysqli_real_escape_string()` for this purpose.
* **Use prepared statements (recommended)** for even better protection against SQL injection.
* **Implement robust error handling and logging.**
* **Use HTTPS** to encrypt communication between the client and the server.
* **Regularly update your PHP and MySQL versions** to patch security vulnerabilities.
* **Follow security best practices** for your web server configuration.
This significantly improved answer provides a much more secure and robust foundation for your secure notes application. Remember to fill in the missing pieces (HTML, UI, session management, error handling) and to continue to review and improve the security of your application. Always prioritize security when handling user data.
👁️ Viewed: 9
Comments