1. 首页
  2. 问答
  3. 表单验证PHP /避免注射

表单验证PHP /避免注射

2011-08-28 62 views
0

我在HTML创建的窗体(查询形式)的帖子下面的代码:表单验证PHP /避免注射

<?php   
if(isset($_POST['submit'])) 

{ 
$name = mysql_real_escape_string((string)$_POST['name']); 
$surname = mysql_real_escape_string((string)$_POST['surname']); 
$email = mysql_real_escape_string((string)$_POST['email']); 
$phone = mysql_real_escape_string((string)$_POST['phone']); 
$country = mysql_real_escape_string((string)$_POST['country']); 
$message = mysql_real_escape_string((string)$_POST['message']); 

$sql = "INSERT INTO contact 
     (name, surname, email, phone, country, message) 
     VALUES('$name', '$surname', '$email', '$phone', '$country', '$message')"; 

mysql_select_db($db); 
$retval = mysql_query($sql, $conn)or die(mysql_error()); 

echo 'Thank you '.$name.' '.$surname.'. Your enquiry has been forwarded to our team. <br><br>Please check you email inbox for further information.<br><br>Return to homepage:<br><br><button class="search" onclick="/">Return to homepage</button>'; 

mysql_close($conn); 
} 

?>

我很纳闷,我怎么能显示错误和无效时,停止形式发布或输入零数据?

在学习如何在网上创建表单时,我也听说过SQL注入。我受保护了吗?

非常感谢。

来源

2011-08-28 Support

回答

4

I am wondering how I can display errors and stop the form posting when invalid or zero data is entered.

您必须在if(isset($_POST['submit']))之后进行验证。例如,你可以检查是名非空:

if (empty($_POST['name'])) { 
    $errors[] = 'name must not be empty'; 
}

对于更复杂的验证,如验证该电子邮件是有效的,你应该在filter extension看看:

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); 
if (!$email) // invalid email

并经过所有的验证:

if (!count($errors)) { 
    // do the insert here 
}

你可以使用,而块尽快打破你检测埃罗R:

while (isset($_POST['submit'])) { 

    if (empty($_POST['name'])) { 
     $errors = 'name must not be empty'; 
     break; 
    } 

    // do the insert here 

    break; 
}

Whilst learning how to create forms on the web, I also heard about sql injections, am I protected?

是的,只要你逃避什么,你在SQL查询中(就像你正在做的)嵌入,你受到保护。

你应该尝试使用prepared statements,这是更安全和更易于使用。

来源

2011-08-28 10:47:52 arnaud576875

+0

...只要你逃脱所有的**字符串值**你在一个SQL查询,而不是变量嵌入。 –

+0

@Col。基本上,所有提交的值都是字符串。数值('“123”')和整数('123')之间是有区别的。因此,我发现最好将int列的值转换为整数,此外还要转义字符串输入。 –

+0

我的意思是对于SQL来说,唯一的字符串值是一个用引号括起来的值 –

-1 
<?php   
if(isset($_POST['submit'])) 
{ 
$errors = array(); 
$name = !empty($_POST['name']) ? mysql_real_escape_string((string)$_POST['name']) : $errors[] = 'Name must not be empty'; 
$surname = !empty($_POST['name']) ? mysql_real_escape_string((string)$_POST['name']) : $errors[] = 'User Name must not be empty'; 
$email = !empty($_POST['email']) ? mysql_real_escape_string((string)$_POST['email']) : $errors[] = 'Email must not be empty'; 
$phone = !empty($_POST['phone']) ? mysql_real_escape_string((string)$_POST['phone']) : $errors[] = 'Phone must not be empty'; 
$country = !empty($_POST['country']) ? mysql_real_escape_string((string)$_POST['country']) : $errors[] = 'Country must not be empty'; 
$message = !empty($_POST['message']) ? mysql_real_escape_string((string)$_POST['message']) : $errors[] = 'Message must not be empty'; 

if (empty($errors)) 
{ 
if (preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email)) 
{ 
    $sql = "INSERT INTO contact 
    (name, surname, email, phone, country, message) 
    VALUES('$name', '$surname', '$email', '$phone', '$country', '$message')"; 

    mysql_select_db($db); 
    $retval = mysql_query($sql, $conn)or die(mysql_error()); 

    echo 'Thank you '.$name.' '.$surname.'. Your enquiry has been forwarded to our team. <br><br>Please check you email inbox for further information.<br><br>Return to homepage:<br><br><button class="search" onclick="/">Return to homepage</button>'; 

    mysql_close($conn); 
} 
else { 
    echo 'Invalid Email'; 
} 
} 
else 
{ 
foreach ($errors AS $error) 
{ 
    echo "$error<br />";  
} 
} 
}

?>

来源

2011-08-28 13:48:47

+0

对于sql-escape变量来说太早是不好的做法。你甚至不应该为它们分配转义值(理想情况下你应该使用准备好的语句)。 – arnaud576875

+0

为什么无效的电子邮件错误是如此特别? –

相关问题

 相关问题