Sanitize input before executing at server in php

Posted by Interfaith on Stack Overflow See other posts from Stack Overflow or by Interfaith
Published on 2012-09-05T15:08:53Z Indexed on 2012/09/05 15:38 UTC
Read the original article Hit count: 197

Filed under:
|

I want to let user input two variable, Name and Password in a form. I want to disable any XSS or script insert in the input values. I have the following code in the form method:

<form name="form1" method="post" action="checkpw.php">
Your Name:
<table>
  <tr><td><input class="text" name="name" onBlur="capitalize(this);" maxlength=12 type="text" /></td></tr>
</table> 
Password:
<table>
  <tr><td><input class="text" name="passwd" maxlength=8 type="password" /></td></tr>
  <tr><td align="center"><br/>
     <input class="text" type="submit" name="submitbt" value="Login" />
  </td></tr>
</table>  

and the following checkpw.php:

<?php

// Clean up the input values 
$post = filter_input_array(INPUT_POST, array(
    'name' => FILTER_SANITIZE_STRING,
    'pw' => FILTER_SANITIZE_STRING,
));

if (is_null($post) || in_array(null, $post)) {
    header("location:login.php");
    return; // missing fields (or failed filter)
} 

// pw is the password sent from the form 
$pw=$_POST['passwd'];
$name=$_POST['name'];

if($pw == 'testpass'){
    header("location:index.php");
} else {
    header("location:wrong.php");
}
?>

Is this a secure way to ensure the form is sent to the server and executed ONLY after the input values have been sanitized?

Also, the $name value i want to pass it to index.php file. I insert a code in the index.php as follow:

<?php echo $name ?>

But it's empty. Any idea how to resolve it?

© Stack Overflow or respective owner

Related posts about php

Related posts about JavaScript