3, 'max_length' => 20]);
// NOTE(review): the statement completed above (the $username = post_param(...) call) begins before this chunk.
$email = post_param('email', 'email');
$age = post_param('age', 'int', 0, ['min' => 13, 'max' => 120]);
$bio = post_param('bio', 'html'); // Will be sanitized by VFilter
// Validate required fields
// NOTE(review): empty() also rejects the string '0', so a username or email of "0" is treated as missing.
if (empty($username) || empty($email)) {
    $error = 'Username and email are required';
} else {
    // Process the form (save to database, etc.)
    // The database class now uses prepared statements automatically
    $update_data = [
        'usr_user' => $username,
        'usr_email' => $email,
        'usr_age' => $age,
        'usr_bio' => $bio
    ];
    // The row selector is taken from the session rather than the request, so a user can only
    // update their own record — presumes USER_ID is only set after authentication; confirm in the session bootstrap.
    $success = $class_database->doUpdate('db_accountuser', 'usr_id', $update_data, $_SESSION['USER_ID']);
    if ($success) {
        log_security_event('user_profile_updated', ['user_id' => $_SESSION['USER_ID']]);
        $message = 'Profile updated successfully';
    } else {
        $error = 'Failed to update profile';
    }
}
} // closes an enclosing block that opens before this chunk
// Example: Secure file upload
if (isset($_FILES['avatar'])) {
    $allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
    $maxSize = 2 * 1024 * 1024; // 2MB
    $validation = validate_file_upload($_FILES['avatar'], $allowedTypes, $maxSize);
    if ($validation['valid']) {
        // Process the file upload
        $uploadDir = 'f_data/data_userfiles/avatars/';
        // NOTE(review): the stored name keeps the client-supplied basename, including its extension, and
        // uniqid() is time-based rather than random. Deriving the extension from the validated type and
        // using random_bytes() for the prefix would avoid persisting a caller-chosen name — verify what
        // validate_file_upload actually checks before relying on it for that.
        $filename = uniqid() . '_' . basename($_FILES['avatar']['name']);
        $uploadPath = $uploadDir . $filename;
        // move_uploaded_file() only moves files PHP itself received through the upload, so a forged tmp_name is rejected
        if (move_uploaded_file($_FILES['avatar']['tmp_name'], $uploadPath)) {
            log_security_event('avatar_uploaded', ['user_id' => $_SESSION['USER_ID'], 'filename' => $filename]);
            $avatar_message = 'Avatar uploaded successfully';
        } else {
            $avatar_error = 'Failed to upload avatar';
        }
    } else {
        // The error text originates in validate_file_upload; escape it for HTML at the point where it is rendered
        $avatar_error = 'Invalid file: ' . $validation['error'];
    }
}
?> Secure Form Example

Secure User Profile Form