I want to let user input two variable, Name and Password in a form. I want to disable any XSS or script insert in the input values. I have the following code in the form method:
<form name="form1" method="post" action="checkpw.php">
Your Name:
<table>
<tr><td><input class="text" name="name" onBlur="capitalize(this);" maxlength=12 type="text" /></td></tr>
</table>
Password:
<table>
<tr><td><input class="text" name="passwd" maxlength=8 type="password" /></td></tr>
<tr><td align="center"><br/>
<input class="text" type="submit" name="submitbt" value="Login" />
</td></tr>
</table>
and the following checkpw.php:
<?php
// Clean up the input values
$post = filter_input_array(INPUT_POST, array(
'name' => FILTER_SANITIZE_STRING,
'pw' => FILTER_SANITIZE_STRING,
));
if (is_null($post) || in_array(null, $post)) {
header("location:login.php");
return; // missing fields (or failed filter)
}
// pw is the password sent from the form
$pw=$_POST['passwd'];
$name=$_POST['name'];
if($pw == 'testpass'){
header("location:index.php");
} else {
header("location:wrong.php");
}
?>
Is this a secure way to ensure the form is sent to the server and executed ONLY after the input values have been sanitized?
Also, the $name value i want to pass it to index.php file. I insert a code in the index.php as follow:
<?php echo $name ?>
But it’s empty. Any idea how to resolve it?
The
magic_quotes_gpcshould be disabled on most servers by now; however, do read this article to see other ways of disabling them.Furthermore, you can use
filter_input_array()(PHP >= 5.2) for this purpose: