Encoded HTML is now decoded on inputs

dcblogdev · Jun 17, 2016 · 61103f3 · 61103f3
1 parent 75f4bbe
commit 61103f3
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/index.php b/index.php
@@ -6,12 +6,14 @@
 //if form has been submitted process it
 if(isset($_POST['submit'])){
 
+	$username = htmlspecialchars_decode($_POST['username'], ENT_QUOTES);
+
 	//very basic validation
-	if($user->isValidUsername($_POST['username'])){
+	if($user->isValidUsername($username)){
 		$error[] = 'Usernames must be at least 3 Alphanumeric characters';
 	} else {
 		$stmt = $db->prepare('SELECT username FROM members WHERE username = :username');
-		$stmt->execute(array(':username' => $_POST['username']));
+		$stmt->execute(array(':username' => $username));
 		$row = $stmt->fetch(PDO::FETCH_ASSOC);
 
 		if(!empty($row['username'])){
@@ -33,11 +35,12 @@
 	}
 
 	//email validation
-	if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)){
+	$email = htmlspecialchars_decode($_POST['email'], ENT_QUOTES);
+	if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
 	    $error[] = 'Please enter a valid email address';
 	} else {
 		$stmt = $db->prepare('SELECT email FROM members WHERE email = :email');
-		$stmt->execute(array(':email' => $_POST['email']));
+		$stmt->execute(array(':email' => $email));
 		$row = $stmt->fetch(PDO::FETCH_ASSOC);
 
 		if(!empty($row['email'])){
@@ -61,9 +64,9 @@
 			//insert into database with a prepared statement
 			$stmt = $db->prepare('INSERT INTO members (username,password,email,active) VALUES (:username, :password, :email, :active)');
 			$stmt->execute(array(
-				':username' => $_POST['username'],
+				':username' => $username,
 				':password' => $hashedpassword,
-				':email' => $_POST['email'],
+				':email' => $email,
 				':active' => $activasion
 			));
 			$id = $db->lastInsertId('memberID');

diff --git a/login.php b/login.php
@@ -7,8 +7,12 @@
 
 //process login form if submitted
 if(isset($_POST['submit'])){
-	if ( $user->isValidUsername($_POST['username'])){
-		$username = $_POST['username'];
+
+	$username = htmlspecialchars_decode($_POST['username'], ENT_QUOTES);
+	if ( $user->isValidUsername($username)){
+		if (!isset($_POST['password'])){
+			$error[] = 'A password must be entered';
+		}
 		$password = $_POST['password'];
 
 		if($user->login($username,$password)){