I have this file here:
<?php
include 'core/init.php';
include 'includes/overall/header.php';
if(empty($_POST) === false){
    $required_fields = array('username','password','password_again','first_name','email');
    foreach($_POST as $key=>$value){
        if(empty($value) && in_array($key, $required_fields) === true){
            $errors[] = 'Fields Marked with an asterisk are required';
            break 1;
        }
    }
    if(empty($errors) === true){
        $args = $_POST;
        if(user_exists($args['username'])){
            $errors[] = 'Sorry, the username \''.$args['username'].'\' is already in use.';
        }else if(preg_match("/\\s/",$args['username']) == true){
            $errors[] = 'Your username can not contain any spaces.';
        }
        if(strlen($args['password']) < 6){
            $errors[] = "Your Password is too short! It must be at least 6 characters. If you want to know why you need to use a better password visit this page, <a href=\"http://howsecureismypassword.net/\">password checker</a>.<br/>";
        }else if($args['password'] !== $args['password_again']){
            $errors[] = "Your passwords do not match!";
        }
        if(filter_var($args['email'], FILTER_VALIDATE_EMAIL) === false){
            $errors[] = "A valid email address is required.";
        } else if(email_exists($args['email']) === true){
            $errors[] = 'Sorry, the email \''.$args['email'].'\' is already in use.';
        }
    }
}
?>
<h1>Register</h1>
<?php
if(empty($_POST) === true){
    include 'includes/register.php';
}else if(empty($_POST) === false && empty($errors) === true){
    //Register user
    echo "Registered User";
}else{
    echo output_errors($errors);
    include 'includes/register.php';
}?>
<?php include 'includes/overall/footer.php';?>
Here's register.php:
<?php
$username = "";
$first_name = "";
$last_name = "";
$email = "";
if(empty($_POST) === false){
    $username = $_POST['username'];
    $first_name = $_POST['first_name'];
    $last_name = $_POST['last_name'];
    $email = $_POST['email'];
}
?>
<form action="" method="POST">
    <ul>
        <li>Username*: <br/><input type="text" name="username" value="<?php echo $username;?>"/></li>
        <li>Password*: <br/><input type="text" name="password"/></li>
        <li>Confirm Password*: <br/><input type="text" name="password_again"/></li>
        <li>First name*: <br/><input type="text" name="first_name" value="<?php echo $first_name;?>"/></li>
        <li>Last name: <br/><input type="text" name="last_name" value="<?php echo $last_name;?>"/></li>
        <li>Email*: <br/><input type="text" name="email" value="<?php echo $email;?>"/></li>
        <li><input type="submit" value="Register"/></li>
    </ul>
</form>
This isn’t ever going to be a real site, it’s just me playing around with PHP. What I realised is that when a user submits their data they can put in whatever they want, so if they put in some HTML, would it render as well? Like… would they be able to put in the input field last_name a value like "<p>blah blah blah</p>", would this essentially render as
blah blah blah
“”/>
Because wouldn’t that be kinda bad for the site? They could break it or something?
So is there something that fixes this? Like replaces tags like < and > with &lt; and &gt; and makes " into \" or escapes these characters?
Also… is there anything terribly wrong with my code?
What you need is this: http://php.net/manual/en/function.htmlentities.php
htmlentities
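The escaping the answer points to, applied to the form fields from register.php, as an added example that is not part of the original thread. The helper names `e()`, `field()` and `text_input()` and the sample submission are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the original post.

// Escape a value for use in HTML text or inside a quoted attribute.
// ENT_QUOTES converts both " and ', so the value cannot close the attribute.
function e($value): string
{
    // A field submitted as name[] arrives as an array; treat it as empty.
    if (!is_string($value)) {
        return '';
    }
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read one form field, escaped, without a notice when the key is missing.
function field(array $post, string $name): string
{
    return e($post[$name] ?? '');
}

// Build one text input the way register.php does; the caller decides
// whether the value it passes in has been escaped.
function text_input(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . $value . '"/>';
}

// Constructed sample submission (stands in for $_POST).
$post = [
    'username'  => "o'brien",
    'last_name' => '"/><p>blah blah blah</p>',
    'email'     => ['unexpected', 'array'],
];

// Unescaped, as in the posted register.php: the quote ends the attribute
// and the <p> element becomes part of the page.
echo text_input('last_name', $post['last_name']), "\n";

// Escaped: the same input stays inside value="...".
foreach (['username', 'last_name', 'email', 'first_name'] as $name) {
    echo text_input($name, field($post, $name)), "\n";
}
```

The same escaping applies anywhere a submitted value is written back into the page, including the error messages above that embed the username and email.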