Hello, I use a script I found on this site: Click Here. I don't think the htmlentities check works and I don't know what's wrong.
the .php file for the registration starts with
<?PHP
require_once("./include/membersite_config.php");
if(isset($_POST['submitted']))
{
if($fgmembersite->RegisterUser())
{
$fgmembersite->RedirectToURL("thank-you.php");
}
}
?>
and the user registration form starts with
<div id='fg_membersite'>
<form id='register' action='<?php echo $fgmembersite->GetSelfScript(); ?>' method='post' accept-charset='UTF-8'>
<fieldset >
<legend>Registration</legend>
<input type='hidden' name='submitted' id='submitted' value='1'/>
<div class='short_explanation'>* field required</div>
<input type='text' class='spmhidip' name='<?php echo $fgmembersite->GetSpamTrapInputName(); ?>' />
<div><span class='error'><?php echo $fgmembersite->GetErrorMessage(); ?></span></div>
<div class='container'>
<label for='name' >Name*: </label><br/>
<input type='text' name='name' id='name' value='<?php echo $fgmembersite->SafeDisplay('name') ?>' maxlength="50" /><br/>
<span id='register_name_errorloc' class='error'></span>
</div>
<div class='container'>
<label for='firstname'>Firstname*: </label><br/>
<input type='text' name='firstname' id='firstname' value='<?php echo $fgmembersite->SafeDisplay('firstname') ?>' maxlength="50" /><br/>
<span id='register_firstname_errorloc' class='error'></span>
</div>
...
membersite_config.php contains require_once("./include/fg_membersite.php"); and fg_membersite.php has the htmlentities functions like this:
// Methods of the class in fg_membersite.php that $fgmembersite is an instance of;
// $this refers to that object.
function GetSelfScript()
{
    // Encode the script path before it is echoed into the form's action attribute
    return htmlentities($_SERVER['PHP_SELF']);
}
function SafeDisplay($value_name)
{
    // Re-display a submitted field value, HTML-encoded, or nothing if it was empty
    if(empty($_POST[$value_name]))
    {
        return '';
    }
    return htmlentities($_POST[$value_name]);
}
function GetErrorMessage()
{
    // Encode the error text, then turn newlines into <br /> for display
    if(empty($this->error_message))
    {
        return '';
    }
    $errormsg = nl2br(htmlentities($this->error_message));
    return $errormsg;
}
However, when I try to insert signs like < > in the name or username, the form accepts them and the information is added with the special characters to MySQL as well. I just want to avoid people inserting PHP code or similar in the form. What has to be modified in the code above for it to work?
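The htmlentities calls in the script are output encoding: they stop a stored `<script>` or `<?php` string from being interpreted when it is echoed back into the page, but they are not meant to reject input or to protect the database write. Those are separate controls. The following is an added example written for this thread, not code from the fg_membersite script; the function names, the `users` table and the sample inputs are assumptions:

```php
<?php
// Added example (not from the original post or the fg_membersite script).
// Three separate controls that the question runs together:
//   1. output encoding  -- htmlentities/htmlspecialchars when echoing into HTML
//   2. input validation -- allowlist check on fields like 'name' before accepting them
//   3. safe storage     -- prepared statements so any characters reach MySQL as data
// Function and table names below are assumptions for illustration.

// 1. Output encoding: this is what SafeDisplay() in the script already does.
//    The stored value keeps its '<' and '>'; the browser only shows them as text.
function safeDisplay(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Input validation: accept a name only if it is made of letters, combining
//    marks, spaces, apostrophes and hyphens. Returns an error message or null.
function validateName(string $value, int $maxLength = 50): ?string
{
    $value = trim($value);
    if ($value === '') {
        return 'Name is required.';
    }
    if (mb_strlen($value, 'UTF-8') > $maxLength) {
        return "Name must be at most $maxLength characters.";
    }
    // \p{L} = any letter, \p{M} = combining marks (accents), plus space ' -
    if (!preg_match("/^[\p{L}\p{M} '\-]+$/u", $value)) {
        return 'Name may only contain letters, spaces, apostrophes and hyphens.';
    }
    return null;
}

// 3. Safe storage: a prepared statement binds the value as data, so the
//    content of $name can never alter the SQL statement. No escaping needed here.
function insertUser(PDO $db, string $name, string $firstname): void
{
    $stmt = $db->prepare('INSERT INTO users (name, firstname) VALUES (:name, :firstname)');
    $stmt->execute([':name' => $name, ':firstname' => $firstname]);
}

// Constructed sample inputs (assumed, not from the post) to exercise each path.
$samples = ['Marie-Claire', "O'Brien", '<b>bob</b>', "<?php echo 'x'; ?>"];
foreach ($samples as $s) {
    $err = validateName($s);
    // Anything echoed into the page goes through safeDisplay() first.
    echo safeDisplay($s), ' => ', ($err ?? 'accepted'), "\n";
}
```

In this arrangement the first two samples pass validation and the last two are rejected with a message that can be shown through GetErrorMessage(). Storing `<` or `>` in MySQL is not itself a problem: a string in a database column is never executed as PHP unless some later code passes it to eval() or writes it into a file that gets included, so the risk to watch for is where the value is printed or inserted without encoding, not where it is stored. Whether the `name` field should accept angle brackets at all is a validation decision; htmlentities on output is what keeps the page safe either way.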