php - 注册表单无法验证
问题描述
我为注册表单验证编写了此代码,但它不起作用。它只是将数据存储在数据库中而不对其进行验证。它只是用于练习一些 php 的注册表单,我也想知道这个脚本是否足够安全以供使用。
<?php
include_once('connection.php');
session_start();
$count_username = "";
$count_email = "";
$count_password = "";
$count_phone = "";
$err_message = array();
if(isset($_POST['submit'])){
// checking post variables and escaping weird characthers
$firstname = mysqli_real_escape_string($connect,$_POST['firstname']);
$lastname = mysqli_real_escape_string($connect,$_POST['lastname']);
$email = mysqli_real_escape_string($connect,$_POST['email']);
$username = mysqli_real_escape_string($connect,$_POST['username']);
$phone = mysqli_real_escape_string($connect,$_POST['phone']);
$city = mysqli_real_escape_string($connect,$_POST['city']);
$address = mysqli_real_escape_string($connect,$_POST['address']);
$bank = mysqli_real_escape_string($connect,$_POST['bank']);
$account = mysqli_real_escape_string($connect,$_POST['account']);
$password = mysqli_real_escape_string($connect,$_POST['password']);
$confirmPass = mysqli_real_escape_string($connect,$_POST['confirmpassword']);
//form validation
//validating firstname input
if(!empty($firstname)){
$firstname_chk = strip_tags(trim($firstname));
if(strlen($firstname_chk) > 25){
array_push($err_message , 'The maximum length you can use is 25');
}elseif(preg_match('/[\'^£$%&*()}{@#~?><>,|=_+¬-]/',$firstname_chk) && preg_match('/[0-9]/',$firstname_chk)){
array_push($err_message , 'Only letter are allowed');
}else{
$_firstname = $firstname_chk;
}
}else{
array_push($err_message , 'First Name can not be empty');
}
//validating lastname input
if(!empty($lastname)){
$lastname_chk = strip_tags(trim($lastname));
if(strlen($lastname_chk) > 25){
array_push($err_message , 'The maximum length you can use is 25');
}elseif(preg_match('/[\'^£$%&*()}{@#~?><>,|=_+¬-]/',$lastname_chk) && preg_match('/[0-9]/',$lastname_chk)){
array_push($err_message , 'Only letter are allowed');
}else{
$_lastname = $firstname_chk;
}
}else{
array_push($err_message , 'Last Name can not be empty');
}
//validating email input
if(!empty($email)){
if(preg_match( '/^[\w-\.]+@([\w-]+\.)+[\w-]{2,4}$/',$email)){
$email_query = mysqli_query($connect,"SELECT * FROM Byers WHERE Email = '$email' ");
$count_email = mysqli_num_rows($email_query);
if($count_email > 0){
array_push($err_message , 'Email is already used by someone');
}else{
$_email = $email;
}
}else{
array_push($err_message , 'Please use a valid email');
}
}else{
array_push($err_message , 'Email can not be empty');
}
//validating username input
if(!empty($username)){
if(strlen($username) > 10){
array_push($err_message , 'The maximum length you can use is 10');
}else{
$username_query = mysqli_query($connect , "SELECT * FROM Byers WHERE UserName = '$username' ");
$count_username = mysqli_num_rows($username_query);
if($count_username > 0){
array_push($err_message , 'User Name is already used by someone');
}else{
$_username = $username;
}
}
}else{
array_push($err_message , 'Username can not be empty');
}
//validating phone number
if(!empty($phone)){
$number = ereg_replace("[^0-9]", "", $phone);
$numberLen = strlen($number);
if ($numberLen == 10 || $numberLen == 12){
$phone_query = mysqli_query($connect , "SELECT * FROM Buyers WHERE PhoneNo = '$phone' ");
$count_phone = mysqli_num_rows($phone_query);
if($count_phone > 0){
array_push($err_message , 'Phone number is already used');
}else{
$_phone = $phone;
}
}else{
array_push($err_message , 'The phone number is not valid');
}
}else{
array_push($err_message , 'Phone Number can not be empty');
}
//validating city input
if(!empty($city)){
$city_chk = strip_tags($city);
if(strlen($city_chk) > 25){
array_push($err_message , 'The maximum length you can use is 25');
}elseif(preg_match('/[\'^£$%&*()}{@#~?><>,|=_+¬-]/',$city_chk) && preg_match('/[0-9]/',$city_chk)){
array_push($err_message , 'Only letter are allowed');
}else{
$_city = $city_chk;
}
}else{
array_push($err_message , 'City can not be empty');
}
//validating address input
if(!empty($address)){
$address_chk = strip_tags($address);
if(strlen($address_chk) > 100){
array_push($err_message , 'The maximum length you can use is 100');
}else{
$_address = $address_chk;
}
}else{
array_push($err_message , 'Full Address can not be empty');
}
//validating bank name input
if(!empty($bank)){
$bank_chk = strip_tags($bank);
if(strlen($bank_chk) > 50){
array_push($err_message , 'The maximum length you can use is 25');
}elseif(preg_match('/[\'^£$%&*()}{@#~?><>,|=_+¬-]/',$bank_chk) && preg_match('/[0-9]/',$bank_chk)){
array_push($err_message , 'Only letter are allowed');
}else{
$_bank = $bank_chk;
}
}else{
array_push($err_message , 'Bank Name can not be empty');
}
//validating bank account
if(!empty($account)){
$account = ereg_replace("[^0-9]", "", $account);
$accountLen = strlen($account);
if ($accountLen < 30 or $accountLen > 5) {
$_account = $account;
}else{
array_push($err_message , 'Your bank account is Invalid');
}
}else{
array_push($err_message , 'Bank Account can not be empty');
}
//validating password
if(!empty($password) && !empty($confirmPass)){
if($password === $confirmPass){
if(strlen($password) < 6 && strlen($password) > 25){
array_push($err_message , 'Your password must be between 6 and 25 characthers only');
}else{
if(preg_match('/[a-z]/', $password) && preg_match('/[A-Z]/', $_POST['password']) && preg_match('/\d/', $password) && preg_match('/[^a-zA-Z\d]/', $password)){
$_password = $password;
$enc_pass = password_hash($_password , PASSWORD_DEFAULT);
}else{
array_push($err_message , 'use : at least 1 - capital letter , 1-special charachter and 1-number');
}
}
}else{
array_push($err_message , 'Please confirm password again');
}
}else{
array_push($err_message , 'Password can not be empty');
}
if(count($err_message)){
$first_query= mysqli_query($connect , "INSERT INTO Buyers values('','$_firstname','_$lastname','_$email','$_username',
'$_phone','$_city','$_address','$_bank','$_account','$enc_pass')");
$_SESSION['username'] = $username;
$_SESSION['success'] = "Registred Sccessfully";
header('location: login.php');
}
}
?>
解决方案
在您的功能结束时,您根本没有$err_message
正确检查。如果count($err_message)
为真,您应该处理您的错误,而不是将数据插入数据库。
if(!count($err_message)) {
$first_query= mysqli_query($connect , "INSERT INTO Buyers values('','$_firstname','_$lastname','_$email','$_username',
'$_phone','$_city','$_address','$_bank','$_account','$enc_pass')");
$_SESSION['username'] = $username;
$_SESSION['success'] = "Registred Sccessfully";
header('location: login.php');
exit;
}
// Display form again, and display the `$err_message`s.
就安全而言,mysqli_real_escape_string()
一起放弃。绑定变量是最值得信赖和最安全的方法。我的建议:看看 PDO。这是迄今为止最简单的方法。
推荐阅读
- python - OpenCV:是否有使用半径的 cv2.inRange 替代方案?
- javascript - jQuery检查输入的值是否在数组中
- ios - 在xcode中显示/隐藏视图而不留空间
- docker - 在 Hydra OAuth 2.0 集成期间面临错误:“客户端身份验证失败”
- c# - C# Xml 可序列化枚举类型
- kubernetes - 在 Kubernetes 的多主节点中安装 Istio
- javascript - 1个函数+多个参数//多个函数+1个函数参数JAVASCRIPT
- swift - 如何调整集合视图单元格的大小
- c++ - 成员函数指针值类别的模板特化
- android - Exoplayer 2 - 如何在没有 uri 但有字符串的情况下显示字幕?