I have been looking at End Users' script for sanitizing data and was wondering how to use it. I have a general idea but I'm not sure if it is correct.
I am planning on having a "Coming soon" image (which I haven't made yet) on my temporary homepage as well as some text that says "If you would like us to email you when the site is launched fill out the form below."
I also plan on adding
BotScout and ReCAPTCHA to this once I get it working to help prevent spambots from attacking the site.
I intend on having the only mandatory field be their email address with their first and last name being optional. So far here is what I've come up with, although I am pretty sure I've screwed up somewhere, which is why I am asking for help with it.
The reason I don't have the image linked, or the code for ReCAPTCHA/BotScout is because I figured I should K.I.S.S. and try to get the base of it working first.
Main page:
php Code:
<?php include('./includes/stuff/sanitize.php');
include('./includes/stuff/constants.php');?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Coming Soon!</title>
</head>
<body>
The site will be launching soon!
<p>If you would like us to email you when the site is launched fill out the form below.</p>
<?php
if (isset($_POST&
#91;'submitted'])) { require_once('MYSQL');
//Sanitize data
$c_fname = sanitize(3, 20, $_POST['first_name']);
$c_lname = sanitize(3, 40, $_POST['last_name']);
$c_email = sanitize(5, 50, $_POST['email']);
echo '<p>Please enter your email address.</p>';
} elseif (!
empty($c_email)) { $access = "SELECT email FROM customers WHERE email='$c_email'"
$r = mysqli_query
($dbc,
$access) or
trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error
($dbc));
}
//Insert information if email is unique:
if (mysqli_num_rows($r) == 0) {
$access = "INSERT INTO customers (email) VALUES ('$c_email')";
$r = mysqli_query
($dbc,
$access) or
trigger_error("Query: $access\n<br />MySQL error: " . mysqli_error
($dbc));
} else {
echo '<p>Your email address could not be recorded due to an error, please try again.</p>';
}
mysqli_close($dbc);
?>
<form action="sanitize.php" method="post">
<fieldset>
<p><b>First name:</b> <input type="text" name="first_name" size="20" maxlength="15" value="<?php if(isset($cleaned_fname)) echo $c_fname; ?>" /></p>
<p><b>Last name:</b> <input type="text" name="last_name" size="20" maxlength="25" value="<?php if(isset($cleaned_lname)) echo $c_lname; ?>" /></p>
<p><b>Email Address:</b> <input type="text" name="email" size="30" maxlength="50" value="<?php if(isset($cleaned_email)) echo $c_email; ?>" /></p>
<div class="center"><input type="submit" name="submit" value="Register" /></div>
<input type="hidden" name="submitted" value="TRUE" />
</form>
</body>
</html>
I don't have the spacing between forum fields (other than the paragraph tags) like I do above, I just did that so it would be easier to read.
Sanitize code removed.
constants.php Code:
<?phpdefine('BASE_URL', 'http://mywebsite.com');define('MYSQL', '../SQL/mysqli_connect.php');?>
and, finally, mysqli_connect.php I edited the user information in the script below to random stuff:
php Code:
<?php
//Set database access information:
DEFINE('DB_USER',
'**********');
DEFINE('DB_PASSWORD',
'********');
DEFINE('DB_HOST',
'localhost');
//Attempt to connect to MySQL
$dbc = @mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if (!$dbc) {
trigger_error('Could not connect to MySQL: ' . mysqli_connect_error
() );
}
?>
Again the reason I am even posting this is because I am not sure how to use End Users' script and would like to in order to help prevent my server from being hijacked.
