2016-08-14 78 views
1

PHP form validation and XSS security

I am very new to PHP and am developing a web application so that I run into different techniques and problems and find out how to solve them.

Right now I am creating a registration form, validating the form, and preventing SQL injection and XSS. Note: I understand that prepared statements can be used, but for my skill level I think starting with procedural MySQLi will give the best results for my development, until I have built up enough confidence.

So I just want you experts to take a look and see whether there is anything I need to remove, add or use (instead of stmt).

Here is my registration page.

    <?php
    // define the sanitising function (the original comment calls it the "mysqli real escape string"
    // function, but it only HTML-encodes, trims and strips C-style slashes; it takes one string)
    function _olaskee($escape) {
        $escape = htmlspecialchars($escape, ENT_QUOTES, 'UTF-8');
        $escape = trim($escape);          // trim() takes the string and an optional character list
        $escape = stripcslashes($escape); // stripcslashes() takes only the string
        return $escape;
    }

    // start session
    session_start();

    // include database connection
    //require_once('include/connection.php');

    // if user type already detected, redirect to index.php and stop rendering this page
    if(isset($_SESSION['user_type'])){
        header('Location: index.php');
        exit;
    }

    // defaults so the template can echo the fields and error messages on the first (GET) request
    $fnErr = $lnErr = $unameErr = $u_typeErr = $emailErr = $passErr = $cpassErr = '';
    $firstname = $lastname = $user_name = $user_type = $email = $password = $confirm_password = '';

    // check if the form has been submitted
    if(!empty($_POST['submit'])){

        // instantiate: _olaskee() takes a single argument, the raw field value
        $firstname = _olaskee($_POST['firstname'] ?? '');
        $lastname = _olaskee($_POST['lastname'] ?? '');
        $user_name = _olaskee($_POST['user_name'] ?? '');
        $user_type = _olaskee($_POST['user_type'] ?? '');
        $email = _olaskee($_POST['email'] ?? '');
        $password = _olaskee($_POST['password'] ?? '');
        $confirm_password = _olaskee($_POST['confirm_password'] ?? '');

        // hash password
        $hashed_password = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

        // include field validation and error messages
        require_once('include/errMsg.php');

    }
    // include page title
    $title = 'Registration Page';

    // include header layout
    require_once('include/header.php');
    ?>

    <div>

        <form name="register" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
        <table>
        <tr>
            <td>First Name</td>
            <td><input type="text" name="firstname" value='<?php echo htmlspecialchars($firstname, ENT_QUOTES, 'UTF-8') ?>'><br><span style='color: red'><?php echo $fnErr ?></span></td>
        </tr>
        <tr>
            <td>Last Name</td>
            <td><input type="text" name="lastname" value='<?php echo htmlspecialchars($lastname, ENT_QUOTES, 'UTF-8') ?>'><br><span style='color: red'><?php echo $lnErr ?></span></td>
        </tr>
        <tr>
            <td>User Name</td>
            <td><input type="text" name="user_name" value='<?php echo htmlspecialchars($user_name, ENT_QUOTES, 'UTF-8') ?>'><br><span style='color: red'><?php echo $unameErr ?></span></td>
        </tr>
        <tr>
            <td>User Type</td>
            <td>
            <!-- <label for="flavor">Select User Type:</label> -->

            <select id="user_type" name='user_type'>
                <option value="">Select User Type</option>
                <option value="rsw" <?php echo $user_type=='rsw'?'selected':''; ?>>rsw</option>
                <option value="sp" <?php echo $user_type=='sp'?'selected':''; ?>>sp</option>
            </select>
            <span style='color: red'><?php echo $u_typeErr ?></span>
            </td>
        </tr>
        <tr>
            <td>Email</td>
            <td><input type="email" name="email" value='<?php echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8') ?>'><br /><span style='color: red'><?php echo $emailErr ?></span></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" name="password" id="password"><br /><span style='color: red'><?php echo $passErr ?></span></td>
        </tr>
        <tr>
            <td>Confirm Password:</td>
            <td><input type="password" name="confirm_password" id="confirm_password"><br /><span style='color: red'><?php echo $cpassErr ?></span></td>
        </tr>
        <tr>
            <td></td>
            <td><input type="submit" name="submit" value="Register"><a href='index.php'> Login</a></td>
        </tr>
        </table>
        </form>
    </div>

    <?php
    if(is_file('include/footer.php'))
        include_once('include/footer.php');
    ?>

Here is my error message page.

    <?php

    // error handler variables
    $fnErr = $lnErr = $unameErr = $u_typeErr = $emailErr = $passErr = $cpassErr = '';
    $firstname = $lastname = $user_name = $user_type = $email = $password = $confirm_password = '';

    // if submit, then validate: each field is re-read from $_POST here (this replaces the values
    // set by the registration page); the template escapes them with htmlspecialchars() on output

    // set field validation for first name
    $firstname = $_POST['firstname'] ?? '';
    if (empty($firstname)){
        $fnErr = 'Field empty, please enter your first name';
    }else{
        if (strlen($firstname) < 3){
            $fnErr = 'First Name is too short';
        }
    }
    // check if name only contains letters and whitespace
    if (!preg_match("/^[a-zA-Z ]*$/", $firstname)) {
        $fnErr = "Only letters and white space allowed";
    }


    // set field validation for last name
    $lastname = $_POST['lastname'] ?? '';
    if (empty($lastname)){
        $lnErr = 'Field empty, please enter your last name';
    }else{
        if (strlen($lastname) < 3){
            $lnErr = 'Last Name is too short';
        }
    }
    // check if name only contains letters and whitespace
    if (!preg_match("/^[a-zA-Z ]*$/", $lastname)) {
        $lnErr = "Only letters and white space allowed";
    }

    // set field validation for user name
    $user_name = $_POST['user_name'] ?? '';
    if (empty($user_name)){
        $unameErr = 'Field empty, please enter user name';
    }else{
        if (strlen($user_name) < 6){
            $unameErr = 'User name is too short';
        }else{
            if (strlen($user_name) > 15){
                $unameErr = 'User name is too long';
            }
        }
    }
    // check that the user name contains at least one lower-case and one upper-case letter
    if (!preg_match("/^(?=.*[a-z])(?=.*[A-Z]).*$/", $user_name)) {
        $unameErr = "At least one CAPS, letters and white space allowed";
    }


    // check if user selected a user type from the list
    $user_type = $_POST['user_type'] ?? '';
    if (empty($user_type)){
        $u_typeErr = 'Please select user type from list';
    }


    // set email filter validation
    $email = $_POST['email'] ?? '';
    if (empty($email)){
        $emailErr = 'Field empty, please enter your email address';
    }else{
        // check if e-mail address is well-formed
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $emailErr = "Invalid email format";
        }
    }


    // set field validation for password
    $password = $_POST['password'] ?? '';
    if (empty($password)){
        $passErr = 'Field empty, please create a password';
    }else{
        if (strlen($password) < 6){
            $passErr = 'Password is too short';
        }else{
            if (strlen($password) > 15){
                $passErr = 'Password is too long';
            }
        }
    }
    if(!preg_match("#[A-Z]+#", $password)) {
        $passErr = "Password must include at least one CAPS! ";
    }else{
        if(!preg_match("#[0-9]+#", $password)) {
            $passErr = "Password must include at least one NUMBER! ";
        }
    }
    // //    // check if password contains a number, a letter and a capital
    //    if (preg_match("#.*^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9]).*$#", $password)) {
    //     $passErr = "Try again... Password must contain NUMBER, LETTER and CAPS";
    //    }


    // set field validation for confirm password
    $confirm_password = $_POST['confirm_password'] ?? '';
    if (empty($confirm_password)){
        $cpassErr = 'Field empty, please confirm your password';
    }else{
        if ($password !== $confirm_password) {
            $cpassErr = 'Error... Passwords do not match';
        }
    }


    // // define mysqli real escape string function
    // function _olaskee($escape) {
    // $escape = htmlspecialchars($escape, ENT_QUOTES, 'UTF-8');
    // $escape = trim($escape);
    // $escape = stripcslashes($escape);
    // return $escape;
    // }

    ?>

Note that some lines are commented out in both pages.

Also, in the registration page I included a security feature at the top of the session; I am not sure whether it is correct.

And I used password hashing, but I have not tested it in the database yet (have I used it correctly?).

Please just take a look and give me your expert opinion.

Best regards

Answer

0

I am not an expert, but I can give you some notes. In your sanitisation function _olaskee, I think you need to understand these functions and how to use them:

  • You don't need stripcslashes here. This function removes slashes; why did you put it here?

  • You don't need to sanitise the password. You will hash it before using it, and the hash replaces any injected code.

  • To sanitise against SQL injection you need to use mysqli_real_escape_string; it takes care of cleaning the string.

  • Take a look at the filter_var function. You will find it very useful for sanitising and validating input. This function lets you validate a specified length, allow some HTML tags in certain inputs (such as text areas), and so on.

To learn how to protect yourself from attacks, you first need to understand how attacks are done. Read about SQL injections and see whether you can break into your database through the vulnerable code.

You can also try the ZAP tool. You just need to pass it your site's URL to use the automated scan feature; it will scan your web application automatically and report all the vulnerabilities it finds.

Learning how to make a login system is a good thing. But for real-world applications it is recommended not to build your own login system. Always rely on tested and recognised software, otherwise you will create a system full of vulnerabilities. Good luck!
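Pulling the answer's points together (filter_var for validation, hashing before storage, a clean database path) with the prepared-statement route the question mentions, here is an added example; it is not the asker's or the answerer's code. It assumes a procedural mysqli connection $con and a users table with firstname, email and password_hash columns, none of which appear on the page, and uses a prepared statement instead of mysqli_real_escape_string so the data never needs escaping for SQL.

```php
<?php
// Added example (not the asker's code): validate with filter_var(), hash the password, store it
// through a procedural mysqli prepared statement, and HTML-escape only when rendering.
// Assumed (not on the page): the mysqli connection $con and a users table with these three columns.

// Validate the submitted fields; returns field => message for every failed check (empty = all valid).
function validate_registration(array $post): array {
    $errors = [];
    $name_opts = ['options' => ['regexp' => '/^[a-zA-Z ]{3,50}$/']];
    if (filter_var($post['firstname'] ?? '', FILTER_VALIDATE_REGEXP, $name_opts) === false) {
        $errors['firstname'] = 'First name: 3 to 50 letters and spaces only';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }
    $password = $post['password'] ?? '';
    // checks run on the raw password; it is hashed, never HTML-escaped or SQL-escaped
    if (strlen($password) < 8 || !preg_match('/[A-Z]/', $password) || !preg_match('/[0-9]/', $password)) {
        $errors['password'] = 'Password needs at least 8 characters, one capital and one digit';
    }
    if ($password !== ($post['confirm_password'] ?? '')) {
        $errors['confirm_password'] = 'Passwords do not match';
    }
    return $errors;
}

// Insert the user with a prepared statement: the bound values are sent separately from the SQL
// text, so mysqli_real_escape_string() is not needed for the data at all.
function insert_user(mysqli $con, string $firstname, string $email, string $password): bool {
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = mysqli_prepare($con, 'INSERT INTO users (firstname, email, password_hash) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'sss', $firstname, $email, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// At login, check the submitted password against the stored hash (never compare hashes yourself).
function password_matches(string $submitted, string $stored_hash): bool {
    return password_verify($submitted, $stored_hash);
}

// Escape for HTML at output time only, e.g. echo h($firstname) inside a value='' attribute;
// stored data stays unmodified, and ENT_QUOTES also covers single-quoted attributes.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
```

Call validate_registration($_POST) first and only call insert_user() when the returned array is empty; the stored bcrypt hash is what password_matches() compares against at login.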

+0

Thanks for your input... I thought about just using mysqli real escape string to sanitise the form... – olaskee

+0

I just don't like using ready-made software, because it is the same as making it from scratch. If I use software and want to customise it to my taste, you may find that I don't understand the design concept. – olaskee

+0

I will look at the ZAP tool as well as filter_var. Thanks for the help though... I will see whether anyone else has other opinions on this. – olaskee