If I enter whitespace characters only, the query still executes:
$newdisplayname = $_POST['newdisplayname'];
$sessionid = $_SESSION['userid'];
if (!empty($_POST) && isset($_SESSION['userid'])) {
    if (strlen($newdisplayname) >= 2 && strlen($newdisplayname) <= 15
        && !ctype_space($newdisplayname)
        && substr_count(strtoupper($newdisplayname), 'M') < 7
        && substr_count(strtoupper($newdisplayname), 'W') < 7) {
        // update displayname
        $stmt = $conn->prepare("UPDATE users SET u_displayname=? WHERE u_id=?");
        $stmt->bind_param("si", $newdisplayname, $sessionid);
        $stmt->execute();
        $stmt->close();
        echo "success";
    }
}
Also, if I enter a single space, it executes the query too - how does it also bypass strlen($newdisplayname)>=2?
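The following is an added example, not code from the question above. It reproduces the question's validation as a function and places a Unicode-aware variant beside it, then runs both over a few constructed inputs. Two facts drive the comparison: strlen() counts bytes, so a single multibyte whitespace character such as U+00A0 (NO-BREAK SPACE, two bytes in UTF-8) satisfies strlen() >= 2, and ctype_space() only recognises ASCII whitespace, so that same character is not "space" to it. Whether the asker's browser actually submitted such a character is an assumption; the function names, the sample inputs and the stricter check are all mine.

```php
<?php
// Added example (not from the question). Compares the question's byte-based
// checks against a code-point-based, Unicode-aware version.

// Mirrors the checks in the question: byte length, ASCII-only whitespace test,
// and the M/W counts. $name stands in for $_POST['newdisplayname'].
function validateDisplayName(string $name): bool
{
    // strlen() counts bytes: "\xC2\xA0" (U+00A0) is 2 bytes, so it passes >= 2.
    $byteLenOk = strlen($name) >= 2 && strlen($name) <= 15;
    // ctype_space() only knows ASCII whitespace, so U+00A0 is not "space" to it.
    $notSpaceOk = !ctype_space($name);
    $mOk = substr_count(strtoupper($name), 'M') < 7;
    $wOk = substr_count(strtoupper($name), 'W') < 7;
    return $byteLenOk && $notSpaceOk && $mOk && $wOk;
}

// Stricter variant (assumption: display names are UTF-8): work in code points
// and reject anything that is empty once Unicode whitespace/separators are
// trimmed, so a name made only of no-break or ideographic spaces is refused.
function validateDisplayNameStrict(string $name): bool
{
    if (!mb_check_encoding($name, 'UTF-8')) {
        return false;
    }
    // With the /u modifier PHP enables Unicode properties, so \s covers
    // Unicode whitespace; \p{Z} additionally covers separator characters.
    $stripped = preg_replace('/^[\s\p{Z}]+|[\s\p{Z}]+$/u', '', $name);
    if ($stripped === null || $stripped === '') {
        return false;
    }
    $len = mb_strlen($stripped, 'UTF-8');
    if ($len < 2 || $len > 15) {
        return false;
    }
    $upper = mb_strtoupper($stripped, 'UTF-8');
    return mb_substr_count($upper, 'M') < 7 && mb_substr_count($upper, 'W') < 7;
}

// Constructed sample inputs.
$samples = [
    'one ASCII space'    => ' ',
    'two ASCII spaces'   => '  ',
    'one no-break space' => "\xC2\xA0",     // U+00A0, 2 bytes
    'ideographic space'  => "\xE3\x80\x80", // U+3000, 3 bytes
    'ordinary name'      => 'alice',
];

foreach ($samples as $label => $input) {
    printf("%-20s bytes=%d chars=%d question=%s strict=%s\n",
        $label,
        strlen($input),
        mb_strlen($input, 'UTF-8'),
        validateDisplayName($input) ? 'accepts' : 'rejects',
        validateDisplayNameStrict($input) ? 'accepts' : 'rejects');
}
```

Running this shows the question's checks rejecting one and two ASCII spaces (too short, then caught by ctype_space) but accepting the no-break and ideographic spaces, while the strict variant rejects all four blank inputs and still accepts "alice". Normalising the input (trim plus a length check in characters rather than bytes) before the prepared statement is the practical fix; the parameter binding itself is already doing the right thing against injection.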