1. 首页
  2. 问答
  3. PHP注册表单 - 安全和安全?

PHP注册表单 - 安全和安全?

2011-08-20 202 views
2

我只是想看看这种形式有多安全,以及是否有任何潜在的问题。我试图将mysqli_real_escape_string添加到Prepared语句,但它给了我一个错误。PHP注册表单 - 安全和安全?

另外,如果我输入一个名称与一个撇号,如“德鲁的公司”,它把它在数据库中

Drew\'s Garage

那是应该如何?

代码:

<?php 
if(isset($_POST['submit'])) { 
    $errors = array(); 
    $clean_name = filter_var($_POST['name'], FILTER_SANITIZE_STRING); 
    $clean_address = filter_var($_POST['address'], FILTER_SANITIZE_STRING); 
    $clean_zip = filter_var($_POST['zip_code'], FILTER_SANITIZE_NUMBER_INT); 
    $clean_phone = filter_var($_POST['phone'], FILTER_SANITIZE_STRING); 
    $clean_email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL); 
    if($_POST['website'] != "") { $clean_url = filter_var($_POST['website'], FILTER_SANITIZE_URL); } else { $clean_url = ""; } 

    $formatURL = str_ireplace('www.', '', parse_url($clean_url, PHP_URL_HOST)); 
    $formatPhone = formatPhone($clean_phone); 

    if($clean_name == "") { 
     $errors[] = "Please enter your Business Name."; 
    } 
    if($clean_address == "") { 
     $errors[] = "Please enter your Business Address."; 
    } 
    if($clean_zip == "") { 
     $errors[] = "Please enter your Business Zip Code."; 
    } 
    if ($result = $mysqli->query("SELECT zip_code FROM zip_codes WHERE zip_code = '$clean_zip'")) { 
     $row_cnt = $result->num_rows; 
     if(!$row_cnt) { 
      $errors[] = "Please enter a valid zip code."; 
     } 
    } 
    if($clean_phone == "") { 
     $errors[] = "Please enter your Business Phone Number."; 
    } 
    if ($check_email = $mysqli->query("SELECT email FROM companies WHERE email = '$clean_email'")) { 
     $email_count = $check_email->num_rows; 
     if($email_count) { 
      $errors[] = "There is already an account associated with that e-mail address."; 
     } 
    } 
    if(!checkEmail($clean_email)) { 
     $errors[] = "Please enter a valid e-mail address."; 
    } 
    if ((strlen($_POST['password']) < 8) || (strlen($_POST['password']) > 16)) { 
     $errors[] = "Your password must be between 8 and 16 characters."; 
    } 
    if($_POST['password'] != $_POST['password2']) { 
     $errors[] = "Passwords do not match. Please enter the same password."; 
    } 

    if (count($errors) == 0) { 

     /* Create the prepared statement */ 
     if ($stmt = $mysqli->prepare("INSERT INTO companies (company, address, zip_code, phone, url, password, email, date_created, role, status) values (?, ?, ?, ?, ?, ?, ?, NOW(), 's', '1')")) { 

     $hashed_pass = PassHash::hash($_POST['password']); 

     /* Bind our params */ 
     $stmt->bind_param('ssissss', $clean_name, $clean_address, $clean_zip, $formatPhone, $formatURL, $hashed_pass, $clean_email); 

     /* Execute the prepared Statement */ 
     $stmt->execute(); 

     if($mysqli->error) { 
      echo $mysqli->error; 
     } 

     /* Echo results */ 
     echo "<div class='success'>Thank You! You are now registered.</div>"; 

    } 

} 


} 


if(count(@$errors)) 
{ 
    $error_display = implode('<br />',$errors); 
    echo "<div class='error'><strong>Error:</strong> $error_display</div>"; 
} 

?>

来源

2011-08-20 Drew

+0

这对codereview se可能会更好吗? – cwallenpoole

+0

对不起,我完全忘了那个网站。 – Drew

+0

我添加了?因为我真的不知道。 – cwallenpoole

回答

1

这个问题可能通过使用magic_quotes_gpc所致,请检查您的php.ini文件,并在情况下,这个标志 - 将其关闭。

来源

2011-08-20 20:17:50 itsmeee

+0

-1 magic_quotes_gpc是一个停止sqli的horrilbe,他使用的参数化查询是*正确的方式*也在php6中去除magic_quotes_gpc,因为它的不安全性。 – rook

+0

我没有建议使用magic_quotes_gps,反之亦然,我知道它是邪恶的。我只是认为这个问题可能是由使用 magic_quotes_gpc造成的 - 并建议Drew检查这个选项是否开启(这可能是问题的根源) – itsmeee

+0

oah我看到了,如果你修改了你的帖子,我会带上离开-1 – rook

相关问题

 相关问题