1. 首頁
  2. 問答
  3. 表單驗證PHP /避免注射

表單驗證PHP /避免注射

2011-08-28 78 views
0

我在HTML創建的窗體(查詢形式)的帖子下面的代碼:表單驗證PHP /避免注射

<?php   
if(isset($_POST['submit'])) 

{ 
$name = mysql_real_escape_string((string)$_POST['name']); 
$surname = mysql_real_escape_string((string)$_POST['surname']); 
$email = mysql_real_escape_string((string)$_POST['email']); 
$phone = mysql_real_escape_string((string)$_POST['phone']); 
$country = mysql_real_escape_string((string)$_POST['country']); 
$message = mysql_real_escape_string((string)$_POST['message']); 

$sql = "INSERT INTO contact 
     (name, surname, email, phone, country, message) 
     VALUES('$name', '$surname', '$email', '$phone', '$country', '$message')"; 

mysql_select_db($db); 
$retval = mysql_query($sql, $conn)or die(mysql_error()); 

echo 'Thank you '.$name.' '.$surname.'. Your enquiry has been forwarded to our team. <br><br>Please check you email inbox for further information.<br><br>Return to homepage:<br><br><button class="search" onclick="/">Return to homepage</button>'; 

mysql_close($conn); 
} 

?>

我很納悶,我怎麼能顯示錯誤和無效時,停止形式發佈或輸入零數據?

在學習如何在網上創建表單時,我也聽說過SQL注入。我受保護了嗎?

非常感謝。

來源

2011-08-28 Support

回答

4

I am wondering how I can display errors and stop the form posting when invalid or zero data is entered.

您必須在if(isset($_POST['submit']))之後進行驗證。例如,你可以檢查是名非空:

if (empty($_POST['name'])) { 
    $errors[] = 'name must not be empty'; 
}

對於更復雜的驗證,如驗證該電子郵件是有效的,你應該在filter extension看看:

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); 
if (!$email) // invalid email

並經過所有的驗證:

if (!count($errors)) { 
    // do the insert here 
}

你可以使用,而塊儘快打破你檢測埃羅R:

while (isset($_POST['submit'])) { 

    if (empty($_POST['name'])) { 
     $errors = 'name must not be empty'; 
     break; 
    } 

    // do the insert here 

    break; 
}

Whilst learning how to create forms on the web, I also heard about sql injections, am I protected?

是的,只要你逃避什麼,你在SQL查詢中(就像你正在做的)嵌入,你受到保護。

你應該嘗試使用prepared statements,這是更安全和更易於使用。

來源

2011-08-28 10:47:52 arnaud576875

+0

...只要你逃脫所有的**字符串值**你在一個SQL查詢,而不是變量嵌入。 –

+0

@Col。基本上,所有提交的值都是字符串。數值('「123」')和整數('123')之間是有區別的。因此,我發現最好將int列的值轉換爲整數,此外還要轉義字符串輸入。 –

+0

我的意思是對於SQL來說,唯一的字符串值是一個用引號括起來的值 –

-1 
<?php   
if(isset($_POST['submit'])) 
{ 
$errors = array(); 
$name = !empty($_POST['name']) ? mysql_real_escape_string((string)$_POST['name']) : $errors[] = 'Name must not be empty'; 
$surname = !empty($_POST['name']) ? mysql_real_escape_string((string)$_POST['name']) : $errors[] = 'User Name must not be empty'; 
$email = !empty($_POST['email']) ? mysql_real_escape_string((string)$_POST['email']) : $errors[] = 'Email must not be empty'; 
$phone = !empty($_POST['phone']) ? mysql_real_escape_string((string)$_POST['phone']) : $errors[] = 'Phone must not be empty'; 
$country = !empty($_POST['country']) ? mysql_real_escape_string((string)$_POST['country']) : $errors[] = 'Country must not be empty'; 
$message = !empty($_POST['message']) ? mysql_real_escape_string((string)$_POST['message']) : $errors[] = 'Message must not be empty'; 

if (empty($errors)) 
{ 
if (preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email)) 
{ 
    $sql = "INSERT INTO contact 
    (name, surname, email, phone, country, message) 
    VALUES('$name', '$surname', '$email', '$phone', '$country', '$message')"; 

    mysql_select_db($db); 
    $retval = mysql_query($sql, $conn)or die(mysql_error()); 

    echo 'Thank you '.$name.' '.$surname.'. Your enquiry has been forwarded to our team. <br><br>Please check you email inbox for further information.<br><br>Return to homepage:<br><br><button class="search" onclick="/">Return to homepage</button>'; 

    mysql_close($conn); 
} 
else { 
    echo 'Invalid Email'; 
} 
} 
else 
{ 
foreach ($errors AS $error) 
{ 
    echo "$error<br />";  
} 
} 
}

?>

來源

2011-08-28 13:48:47

+0

對於sql-escape變量來說太早是不好的做法。你甚至不應該爲它們分配轉義值(理想情況下你應該使用準備好的語句)。 – arnaud576875

+0

爲什麼無效的電子郵件錯誤是如此特別? –

相關問題

 相關問題