Hi everyone,
I finally have all of the code for my web site working the way I want it. Now, I want to make sure that I have coded everything securely.
This code follows an HTML form that accepts typed user input and there is one file upload form. All of this information is stored in a MySQL database, except the image. The image is stored in a directory on my web server and the path to that file is stored in a database. I specified the maximum file size in my HTML form and I have the file types limited to gif and jpg. Is there anything I can do to "sanitize" the information input in the HTML form fields, other than using htmlentities()?
This form will either be stored in a password-protected directory or only be accessible to a user who has started a session by entering a proper username/password.
Any suggestions would be greatly appreciated! Thanks in advance!!!
<?php
function process_form() {
    // Browsers send image/jpeg for JPEG files; image/jpg alone would reject most of them.
    // Note that $_FILES['upfile']['type'] is reported by the client, not checked by PHP.
    $filetypes = array('image/gif', 'image/jpeg', 'image/jpg');
    if (!in_array($_FILES['upfile']['type'], $filetypes)) {
        print "Please use a .gif or .jpg file";
        return;
    }
    // Keep the extension: put the timestamp before it instead of after it.
    $currentname = basename($_FILES['upfile']['name']);
    $ext = pathinfo($currentname, PATHINFO_EXTENSION);
    $newname = pathinfo($currentname, PATHINFO_FILENAME) . date("Ymdhis") . '.' . $ext;
    $uploaddir = "uploads/";
    if (!move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . $newname)) {
        print("file upload failed");
        return; // do not record a database row for a file that was never stored
    }
    print("file upload was successful");
    // Access the global variable $db inside this function
    global $db;
    $imagename = $uploaddir . $newname;
    // Insert the new CD into the table (values are passed as bound parameters)
    $db->query('INSERT INTO lounge (isbn, artist_name, album_title, release_date, description, price, image)
                VALUES (?,?,?,?,?,?,?)',
               array(htmlentities($_POST['isbn']), htmlentities($_POST['artist_name']),
                     htmlentities($_POST['album_title']), htmlentities($_POST['release_date']),
                     nl2br(htmlentities($_POST['description'])), htmlentities($_POST['price']),
                     $imagename));
    // Tell the user that we added the CD.
    print 'Added ' . htmlentities($_POST['artist_name']) . ' to the database.';
}
?>
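The server-side checks the question asks about, as an added example that is not the poster's code: it verifies the image by its bytes rather than the client-sent type, stores it under a random name, validates each form field for its expected format, and keeps htmlentities() for output only. Assumed: a PDO handle $pdo, the same field names as the post, and an uploads/ directory that the web server serves as static files only.

```php
<?php
// Added example (not the poster's code). Assumes the same $_FILES['upfile'] and $_POST
// names, a PDO connection in $pdo, and an uploads/ directory that is never executed as code.
const MAX_BYTES = 2 * 1024 * 1024; // the form's MAX_FILE_SIZE field is advisory only

function store_image_upload(array $file, string $uploaddir): string
{
    // PHP's own error code already covers php.ini size limits and partial uploads.
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload failed or too large');
    }
    // Inspect the bytes instead of trusting the browser-supplied $_FILES['type'].
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg'];
    $info = is_uploaded_file($file['tmp_name']) ? @getimagesize($file['tmp_name']) : false;
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('only GIF or JPEG images are accepted');
    }
    // Never reuse the client's filename; pick a random name with a known-safe extension.
    $dest = rtrim($uploaddir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

function validate_fields(array $post): array
{
    // Check each field for what it should contain and keep the raw value;
    // htmlentities() belongs at output time, not before the INSERT.
    $f = ['isbn' => preg_replace('/[^0-9Xx]/', '', $post['isbn'] ?? '')];
    if (!in_array(strlen($f['isbn']), [10, 13], true)) throw new RuntimeException('bad isbn');
    foreach (['artist_name', 'album_title', 'description'] as $k) {
        $f[$k] = trim($post[$k] ?? '');
        if ($f[$k] === '' || strlen($f[$k]) > 1000) throw new RuntimeException("bad $k");
    }
    $f['release_date'] = $post['release_date'] ?? '';
    if (!DateTime::createFromFormat('Y-m-d', $f['release_date'])) throw new RuntimeException('bad date');
    $f['price'] = $post['price'] ?? '';
    if (!preg_match('/^\d{1,6}(\.\d{2})?$/', $f['price'])) throw new RuntimeException('bad price');
    return $f;
}

function process_form(PDO $pdo): void
{
    $f = validate_fields($_POST);
    $f['image'] = store_image_upload($_FILES['upfile'], 'uploads');
    // Bound parameters, as in the original: no values are concatenated into the SQL.
    $pdo->prepare('INSERT INTO lounge (isbn, artist_name, album_title, release_date, description, price, image) VALUES (:isbn, :artist_name, :album_title, :release_date, :description, :price, :image)')->execute($f);
    echo 'Added ' . htmlentities($f['artist_name'], ENT_QUOTES, 'UTF-8') . ' to the database.';
}
```

Wrap the process_form() call in a try/catch so a RuntimeException becomes a plain error message for the user rather than a stack trace.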