Assignment Activity Unit # 4
Subject: Web Programming – 2
Instructor: Manish Kumar Mishra
Submitted By: Muhammad Abdul Rehman Khan
Date: 16 – 07 – 2025
Title: Secure User Registration and Data Transmission Methods in Web Development
Introduction
In modern web development, the foundation of a reliable online platform lies in the
implementation of secure user registration systems and efficient data transmission methods.
Ensuring data confidentiality, validation, and protection against vulnerabilities like Cross-Site
Scripting (XSS) and SQL injection is critical. Additionally, understanding the nuances between
HTTP GET and POST methods enhances the developer’s ability to handle data securely. This
assignment explores the implementation of a secure user registration form using PHP and
HTML, and provides a practical comparison between GET and POST methods.
1. Secure User Registration Form
a. Form Creation (HTML)
The following HTML code snippet provides a registration form that collects a user's username,
email, password, and confirm password:
HTML Code:
<!DOCTYPE html>
<html>
<head>
<!-- Page title shown in the browser tab -->
<title>User Registration</title>
</head>
<body>
<!-- Main heading of the page -->
<h2>Register</h2>
<!--
User registration form:
- When submitted, data is sent to '[Link]' for processing on the server.
- Uses POST method to securely send form data.
-->
<form action="[Link]" method="POST">
<!-- Input for user's desired username -->
<label>Username:</label><br>
<input type="text" name="username" required><br><br>
<!-- Input for user's email address; validated for proper email format -->
<label>Email:</label><br>
<input type="email" name="email" required><br><br>
<!-- Input for user's password; characters are masked -->
<label>Password:</label><br>
<input type="password" name="password" required><br><br>
<!-- Input to confirm the password entered above, to avoid typos -->
<label>Confirm Password:</label><br>
<input type="password" name="confirm_password" required><br><br>
<!-- Submit button that sends the form data to the server -->
<input type="submit" value="Register">
</form>
</body>
</html>
Output: (screenshot of the rendered form not reproduced here)
b. PHP Processing and Validation
<?php
// Helper function for sanitization. trim() removes surrounding whitespace, stripslashes()
// only matters on legacy setups that add slashes to input, and htmlspecialchars() encodes
// HTML metacharacters so the value can later be echoed without XSS.
function sanitize_input($data) {
    return htmlspecialchars(stripslashes(trim($data)));
}

$errors = [];
$username = $email = "";
$password = "";

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // Validate username
    if (empty($_POST['username'])) {
        $errors[] = "Username is required.";
    } else {
        $username = sanitize_input($_POST['username']);
        if (!preg_match("/^[a-zA-Z0-9_-]{3,20}$/", $username)) {
            $errors[] = "Username must be 3-20 characters and contain only letters, numbers, underscores, or hyphens.";
        }
    }

    // Validate email
    if (empty($_POST['email'])) {
        $errors[] = "Email is required.";
    } else {
        $email = sanitize_input($_POST['email']);
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors[] = "Invalid email format.";
        }
    }

    // Validate password
    if (empty($_POST['password'])) {
        $errors[] = "Password is required.";
    } else {
        $password = $_POST['password']; // do not sanitize the password; keep it raw for hashing
        // Password criteria: minimum 8 chars, at least one number and one special char
        if (!preg_match('/^(?=.*[0-9])(?=.*[\W_]).{8,}$/', $password)) {
            $errors[] = "Password must be at least 8 characters long, contain at least one number, and one special character.";
        }
    }

    // Confirm password
    if (empty($_POST['confirm_password'])) {
        $errors[] = "Confirm password is required.";
    } else {
        $confirm_password = $_POST['confirm_password'];
        if ($password !== $confirm_password) {
            $errors[] = "Passwords do not match.";
        }
    }

    if (empty($errors)) {
        // Secure data processing
        // To prevent SQL injection, use prepared statements when inserting into the DB (not coded here).
        // Here, we hash the password before storing (simulate storing).
        $password_hash = password_hash($password, PASSWORD_DEFAULT);
        // TODO: Insert $username, $email, $password_hash securely into the database using prepared statements
        echo "Registration successful for user: " . htmlspecialchars($username);
    } else {
        // Display user-friendly error messages
        echo "<h3>Errors:</h3><ul>";
        foreach ($errors as $error) {
            echo "<li>" . htmlspecialchars($error) . "</li>";
        }
        echo "</ul>";
        echo '<a href="[Link]">Go back to registration form</a>';
    }
} else {
    // If not a POST request, redirect to the form
    header("Location: [Link]");
    exit;
}
?>
Notes:
The PHP script uses filter_var() with FILTER_VALIDATE_EMAIL to check the email format, as
recommended in the PHP documentation.
Password validation enforces a minimum of 8 characters with at least one number and one special
character.
Passwords are hashed using password_hash() with PASSWORD_DEFAULT (currently bcrypt), which is
the recommended way to store passwords.
Values echoed back to the browser are encoded with htmlspecialchars() to prevent XSS; database
writes should use prepared statements so that user input is never interpreted as SQL (SQL injection).
User-friendly error messages are displayed if validation fails.
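The registration script above leaves the database step as a TODO. The following is an added example (not part of the original assignment) that completes it with a PDO prepared statement and shows the matching login check. It uses an in-memory SQLite database so it runs without a server; the users table, its column names and the demo username are assumptions for this example.

```php
<?php
// Added example: store the validated registration with a prepared statement.
// Table and column names are assumptions; the database is an in-memory SQLite file.

function open_user_store(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE constraints turn a duplicate account into a database error instead of a silent overwrite.
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL,
        created_at TEXT NOT NULL
    )');
    return $pdo;
}

// Returns the new row id, or null when the username or email is already taken.
// The SQL text never contains user data: the named placeholders are bound separately,
// so quotes or SQL keywords inside the input are stored as ordinary text.
function store_user(PDO $pdo, string $username, string $email, string $password): ?int {
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, password_hash, created_at)
         VALUES (:username, :email, :password_hash, :created_at)'
    );
    try {
        $stmt->execute([
            ':username'      => $username,
            ':email'         => $email,
            ':password_hash' => password_hash($password, PASSWORD_DEFAULT),
            ':created_at'    => gmdate('c'),
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (duplicate username/email).
        if ((string) $e->getCode() === '23000') {
            return null;
        }
        throw $e;
    }
    return (int) $pdo->lastInsertId();
}

// Login check: fetch the stored hash and compare with password_verify(), which reads the
// algorithm and cost from the hash itself and compares in constant time.
function verify_login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed demo input; the apostrophe in the username is handled by the binding, not by escaping.
$pdo = open_user_store();
$id = store_user($pdo, "o'brien_42", 'obrien@example.com', 'Str0ng!pass');
echo "stored user id: " . var_export($id, true) . "\n";
$dup = store_user($pdo, "o'brien_42", 'other@example.com', 'Str0ng!pass');
echo "duplicate rejected: " . var_export($dup === null, true) . "\n";
echo "login with correct password: " . var_export(verify_login($pdo, "o'brien_42", 'Str0ng!pass'), true) . "\n";
echo "login with wrong password: " . var_export(verify_login($pdo, "o'brien_42", 'wrong'), true) . "\n";
```

In the registration script this would replace the TODO line: call store_user() with $username, $email and the raw $password, and treat a null return as a "username or email already registered" error rather than a success.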
2. GET vs POST Methods Differentiation
<?php
// This PHP block checks if a 'message' parameter is passed in the URL using the GET method.
// If it exists, it sanitizes the input to prevent XSS (Cross-Site Scripting) attacks.
// If not, it sets the message variable to an empty string.
$message = isset($_GET['message']) ? htmlspecialchars($_GET['message']) : '';
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>GET Method Example</title>
</head>
<body>
<h2>GET Method Example</h2>
<!-- This form allows users to input a welcome message.
It uses the GET method to send the data to the same file (get_example.php) -->
<form action="get_example.php" method="GET">
<label for="message">Enter a Welcome Message:</label><br />
<!-- Input field for the user to type their message. 'required' ensures the field is not empty -->
<input type="text" id="message" name="message" required />
<!-- Submit button to send the form data -->
<input type="submit" value="Send via GET" />
</form>
<!-- This block only runs if a message was submitted and received via GET.
It displays the sanitized message back to the user. -->
<?php if ($message): ?>
<h3>Your message received via GET:</h3>
<p><?php echo $message; ?></p>
<?php endif; ?>
</body>
</html>
Explanation:
This PHP code demonstrates how to use the GET method to collect and display user input
through a simple web form. The form asks the user to enter a welcome message, which is then
sent to the same page, "get_example.php", using the GET method. When the form is submitted,
the message entered by the user appears in the URL as a query parameter. The PHP script at the
top of the page checks if this message parameter exists in the URL. If it does, the input is passed
through the htmlspecialchars() function to ensure that any potentially harmful code is
neutralized, which helps protect the website from cross-site scripting (XSS) attacks. The
sanitized message is then stored in the $message variable. The HTML part includes a heading, a
form with a text input field, and a submit button. After the form is submitted, if a message is
detected, it is displayed on the page under a heading that says "Your message received via GET."
This output is conditionally shown using an if statement that checks whether the message is not
empty. This example is useful for understanding how the GET method works, how to collect
user input, how to display it safely, and how to interact with a user through a simple and clear
PHP script. Overall, this code helps learners see the importance of input handling, form
submission, and basic web security in web development using PHP.
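The explanation relies on htmlspecialchars() "neutralizing" the input. The following added example (not part of the original assignment) makes that step explicit: it fixes the flags so single quotes and invalid UTF-8 are handled, and shows that the encoding depends on where the text is placed (HTML body, attribute, or a URL query string, as when a GET link is rebuilt). The helper names e() and message_link() are this example's own.

```php
<?php
// Added example: context-aware output encoding for the GET example's $message value.

// HTML encoder for body text and attribute values. ENT_QUOTES also encodes the single
// quote (older PHP defaults left it alone); ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string, which would silently drop the value.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rebuild the link a GET form submission would produce. Query values need URL encoding
// (http_build_query), and the finished URL is then HTML-encoded when put in an attribute.
function message_link(string $message): string {
    $url = 'get_example.php?' . http_build_query(['message' => $message]);
    return '<a href="' . e($url) . '">' . e($message) . '</a>';
}

// Render the same text in the three contexts a page like get_example.php touches.
function render_message(string $message): string {
    return '<p>' . e($message) . '</p>' . "\n"
         . '<input type="text" name="message" value="' . e($message) . '">' . "\n"
         . message_link($message) . "\n";
}

// Constructed input containing the characters that matter for HTML and for URLs.
$sample = "Tom & Jerry <b>say</b> \"hi\" 'there' 50%";
echo render_message($sample);
```

Running it shows the ampersand, angle brackets and both quote characters encoded in the body and attribute, while the href carries the percent-encoded form of the same text; the raw input never reaches the page as markup.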
POST Method Implementation
The registration form and processing PHP script in section 1 use the POST method. This is
preferable for transmitting sensitive data such as passwords, because POST does not append the
data to the URL, reducing its exposure in browser history and server logs.
Aspect            | GET                                          | POST
------------------|----------------------------------------------|-----------------------------------------------
Data in URL       | Yes (appended as a query string)             | No (sent in the request body)
Data length       | Limited by URL length (usually 2048 chars)   | Large amounts of data can be sent
Security          | Less secure (data is visible in the browser) | More secure for sensitive data
Bookmarking       | URL with data can be bookmarked and shared   | Forms with POST data cannot easily be bookmarked
Use case examples | Search queries                               | Login forms
Idempotence       | Designed for safe, idempotent operations     | Designed for actions that change server state
Security Implications:
Using the GET method to transmit sensitive data, such as passwords or personal information, is
unsafe because the data becomes visible in the URL. This means it can be logged in browser
history, server logs, or even cached by web browsers and intermediaries, leading to potential data
exposure. In contrast, the POST method sends data in the body of the HTTP request, which is
not visible in the URL, making it more appropriate for transmitting sensitive information.
However, it’s important to understand that neither GET nor POST encrypts data by
itself. To ensure data security during transmission, especially over the internet, HTTPS
(HyperText Transfer Protocol Secure) must be used. HTTPS encrypts the entire request,
including the headers and body, protecting data from eavesdropping and tampering. The
provided solution demonstrates a secure user registration system by including input validation,
output sanitization, and secure password handling, while also illustrating when to use GET vs.
POST appropriately.
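The two points made above (sensitive data must not travel in a query string, and neither method protects data without HTTPS) can be enforced in code rather than left to convention. The following added example (not part of the original assignment) shows a request check a registration or login script could run first, plus a redaction helper for the case the text warns about: URLs that end up in server logs. The parameter list and function names are assumptions for this example; in a real script the checks would be passed $_SERVER and $_GET.

```php
<?php
// Added example: refuse sensitive submissions that arrive over GET or plain HTTP,
// and redact sensitive query parameters before a URL is logged.

// Parameters that must never appear in a query string. Assumed list for this example.
const SENSITIVE_PARAMS = ['password', 'confirm_password', 'token'];

// True when the request reached PHP over TLS, either directly or through a reverse proxy
// that sets X-Forwarded-Proto. Only trust that header when such a proxy is actually in front.
function is_https(array $server): bool {
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    return isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

// Returns a list of problems with how a form submission arrived; an empty list means acceptable.
function check_submission(array $server, array $get): array {
    $problems = [];
    if (!is_https($server)) {
        $problems[] = 'plain HTTP: credentials would be readable in transit';
    }
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        $problems[] = 'method is not POST';
    }
    foreach (SENSITIVE_PARAMS as $name) {
        if (array_key_exists($name, $get)) {
            $problems[] = "'$name' arrived in the query string (would be stored in logs and history)";
        }
    }
    return $problems;
}

// Replace sensitive query values before a URL is written to an application log.
function redact_url(string $url): string {
    $parts = parse_url($url);
    if (!isset($parts['query'])) {
        return $url;
    }
    parse_str($parts['query'], $params);
    foreach (SENSITIVE_PARAMS as $name) {
        if (array_key_exists($name, $params)) {
            $params[$name] = '[REDACTED]';
        }
    }
    return strstr($url, '?', true) . '?' . http_build_query($params);
}

// Constructed requests: one that breaks both rules, one that satisfies them.
$bad = ['REQUEST_METHOD' => 'GET', 'HTTPS' => 'off'];
$badQuery = ['username' => 'alice', 'password' => 'hunter2'];
print_r(check_submission($bad, $badQuery));

$good = ['REQUEST_METHOD' => 'POST', 'HTTPS' => 'on'];
print_r(check_submission($good, []));

// The kind of line that would otherwise land verbatim in an access or application log.
echo redact_url('https://example.test/register.php?username=alice&password=hunter2'), "\n";
```

A script that calls check_submission() before touching $_POST can answer a non-empty list with an HTTP 400 and a redirect to the HTTPS form, which turns the "don't do this" guidance in the text into an enforced rule.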