I just wanted to see how secure this form is, and if there are any potential problems. I tried to add mysqli_real_escape_string to the Prepared statement but it gave me an error.
Also if I enter a name with an apostrophe, like "Drew's Company" i开发者_开发问答t puts it in the database as
Drew\'s Garage
Is that how it should be?
Code:
<?php
if(isset($_POST['submit'])) {
$errors = array();
$clean_name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
$clean_address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
$clean_zip = filter_var($_POST['zip_code'], FILTER_SANITIZE_NUMBER_INT);
$clean_phone = filter_var($_POST['phone'], FILTER_SANITIZE_STRING);
$clean_email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
if($_POST['website'] != "") { $clean_url = filter_var($_POST['website'], FILTER_SANITIZE_URL); } else { $clean_url = ""; }
$formatURL = str_ireplace('www.', '', parse_url($clean_url, PHP_URL_HOST));
$formatPhone = formatPhone($clean_phone);
if($clean_name == "") {
$errors[] = "Please enter your Business Name.";
}
if($clean_address == "") {
$errors[] = "Please enter your Business Address.";
}
if($clean_zip == "") {
$errors[] = "Please enter your Business Zip Code.";
}
if ($result = $mysqli->query("SELECT zip_code FROM zip_codes WHERE zip_code = '$clean_zip'")) {
$row_cnt = $result->num_rows;
if(!$row_cnt) {
$errors[] = "Please enter a valid zip code.";
}
}
if($clean_phone == "") {
$errors[] = "Please enter your Business Phone Number.";
}
if ($check_email = $mysqli->query("SELECT email FROM companies WHERE email = '$clean_email'")) {
$email_count = $check_email->num_rows;
if($email_count) {
$errors[] = "There is already an account associated with that e-mail address.";
}
}
if(!checkEmail($clean_email)) {
$errors[] = "Please enter a valid e-mail address.";
}
if ((strlen($_POST['password']) < 8) || (strlen($_POST['password']) > 16)) {
$errors[] = "Your password must be between 8 and 16 characters.";
}
if($_POST['password'] != $_POST['password2']) {
$errors[] = "Passwords do not match. Please enter the same password.";
}
if (count($errors) == 0) {
/* Create the prepared statement */
if ($stmt = $mysqli->prepare("INSERT INTO companies (company, address, zip_code, phone, url, password, email, date_created, role, status) values (?, ?, ?, ?, ?, ?, ?, NOW(), 's', '1')")) {
$hashed_pass = PassHash::hash($_POST['password']);
/* Bind our params */
$stmt->bind_param('ssissss', $clean_name, $clean_address, $clean_zip, $formatPhone, $formatURL, $hashed_pass, $clean_email);
/* Execute the prepared Statement */
$stmt->execute();
if($mysqli->error) {
echo $mysqli->error;
}
/* Echo results */
echo "<div class='success'>Thank You! You are now registered.</div>";
}
}
}
if(count(@$errors))
{
$error_display = implode('<br />',$errors);
echo "<div class='error'><strong>Error:</strong> $error_display</div>";
}
?>
The problem might be caused by using magic_quotes_gpc, check your php.ini file and in case this flag is on - turn it off.
精彩评论