我是PHP編程新手,我有一個註冊表格,允許我的訪問者在我的網站上註冊,但我不確定安全性和我的代碼的安全性。代碼如下所示:我的註冊表有多安全?
if(isset($_POST['submit'])){
$search = array("<", ">", "join", "union", "'", "/", "(", ")", "Join","jOin", "joIn", "joiN", "Union", "uNion", "unIon", "uniOn", "unioN");
$replace = "";
$username = str_ireplace($search, $replace, $_POST['username']);
$email = str_ireplace($search, $replace, $_POST['email']);
if (empty($_POST['username']) or empty($_POST['email']) or empty($_POST['pass']) or empty($_POST['confirmpass'])) {
echo "<p>Please Fill all filds</p>";
}
elseif ($_POST['pass'] != $_POST['confirmpass']) {
echo "<p>Match Password</p>";
}
elseif (strlen($username) > 20){
echo "<p>Your Username should less than 20 Char</p>";
}
else{
$username = mysql_real_escape_string(trim($username));
$email = mysql_real_escape_string(trim($_POST['email']));
$pass = mysql_real_escape_string($_POST['pass']);
$pass = md5($pass);
$confirmpass = mysql_real_escape_string($_POST['confirmpass']);
$confirmpass = md5($confirmpass);
$date = date("Y-m-d");
$checkq = mysql_query("SELECT username, email FROM users WHERE username='$username' ");
$num_rows = mysql_num_rows($checkq);
if($num_rows >= 1){
echo "<p>you have to choose another Username</p>";
}else {
$checkq2 = mysql_query("SELECT username, email FROM users WHERE email='$email' ");
$num_rows2 = mysql_num_rows($checkq2);
if($num_rows2 >= 1){
echo "<p>that email is already registerd <br />".$email."</p>";
}else {
$insertuser = mysql_query("INSERT INTO users
(id, username, password, rdate, email)
VALUES
('', '$username', '$pass', '$date', '$email')
");
if ($insertuser){ echo "<span>you are login successfuly ...</span><META http-equiv='refresh' content='4;URL=http://www.6arbyat.com/join/login.php'> ;";}else{echo "<p>Sorry there is something Wrong !!!</p>";
}
}
}
}
}
有什麼意見?
這個問題似乎是題外話,因爲它是一個**代碼審查請求**。這更適合於[Code Review Stack Exchange站點](http://codereview.stackexchange.com)。在發佈之前,請務必閱讀他們的[FAQ](http://codereview.stackexchange.com/help),以確保您的問題符合他們的指導原則。 –
如果我使用像* JointMonkeysUnion123 *這樣的密碼或者其中一個或者兩個都包含你想要過濾掉的單詞,我是否留下修剪後的密碼,並且我實際上並不知道我的真實密碼?和一個獎勵點,你的密碼甚至可以是一個SQL查詢,但一旦哈希它對你的應用程序無關緊要。只要確保不信任用戶輸入:) –