需要我的PHP驗證幫助

Question

我正在嘗試執行表單註冊驗證，但我不知道我是否正確地做。

首先，我在我的表單中爲每個空白字段存儲一條錯誤消息。 之後，如果我的字段不是空的，我想驗證用戶名字段（從無效字符），密碼和電子郵件

問題是當我刪除死亡（）;在我的用戶名驗證有條件的行中，它會向我顯示錯誤消息和成功消息，並將無效的用戶名插入到我的數據庫中。

我敢肯定，問題是在我的if（$ numrows == 0）條件，但我不明白爲什麼。

<?php 
session_start(); 
$con=mysql_connect('localhost','root','') or die(mysql_error()); 
mysql_select_db('user_registration') or die("cannot select DB"); 


if(isset($_POST["submit"])){ 

    $arrErrors = array(); 
    unset($_SESSION['errors']); 

    if($_POST['user'] == ''){ 
     $arrErrors['user_not_completed'] = "Username is not completed!"; 
     $_SESSION['errors'] = $arrErrors; 
     header("Location: register.php"); 
    } 

    if($_POST['pass'] == ''){ 
     $arrErrors['pass_not_completed'] = "Password is not completed!"; 
     $_SESSION['errors'] = $arrErrors; 
     header("Location: register.php"); 
    } 

    if($_POST['email'] == ''){ 
     $arrErrors['email_not_completed'] = "Email is not completed!"; 
     $_SESSION['errors'] = $arrErrors; 
     header("Location: register.php"); 
    } 

    if(!empty($_POST['user']) && !empty($_POST['pass']) && !empty($_POST['email'])) { 
     $user=$_POST['user']; 
     $pass=$_POST['pass']; 
     $email=$_POST['email']; 

      if(!preg_match("/^[a-zA-Z'-]+$/",$user)) { 
       $arrErrors['invalid_user'] = "Username is invalid!"; 
       $_SESSION['errors'] = $arrErrors; 
       header("Location: register.php"); 
       die(); 
      } 

     $query=mysql_query("SELECT * FROM users WHERE username='".$user."'"); 
     $numrows=mysql_num_rows($query); 


     if($numrows==0){ 
      $sql="INSERT INTO users(username,password, email) VALUES('$user','$pass', '$email')"; 
      $result=mysql_query($sql); 


      if($result){ 
       $arrErrors['succes'] = 'Account successfuly created!'; 
       $_SESSION['errors'] = $arrErrors; 
       header("Location: register.php"); 
      } 

     } else { 
      $arrErrors['already_exists'] = 'That username already exists!'; 
      $_SESSION['errors'] = $arrErrors; 
      header("Location: register.php"); 
     } 

} 

} 
?> 

Answer 1

這裏是我建議你這樣做：

<?php 
    //FIRST I WOULD CHECK IF SESSION EXIST BEFORE STARTING IT: 
    if (session_status() == PHP_SESSION_NONE || session_id() == '') { 
     session_start(); 
    } 
    //NEXT I'D USE PDO AS MY DATABASE ABSTRACTION LAYER: IT HAS A LOT OF ADVANTAGES, REALLY: 
    //DATABASE CONNECTION CONFIGURATION: 
    defined("HOST")  or define("HOST", "localhost");   //REPLACE WITH YOUR DB-HOST 
    defined("DBASE") or define("DBASE", "user_registration"); //REPLACE WITH YOUR DB NAME 
    defined("USER")  or define("USER", "root");    //REPLACE WITH YOUR DB-USER 
    defined("PASS")  or define("PASS", "");     //REPLACE WITH YOUR DB-PASS 

    if(isset($_POST["submit"])){ 
     //THEN CLEAN UP THE SUBMITTED DATA TO AVOID POSSIBLE ATTACKS... 
     $user  = isset($_POST['user'])  ? htmlspecialchars(trim($_POST['user'])) : null;  //PROTECT AGAINST ATTACKS 
     $pass  = isset($_POST['pass'])  ? htmlspecialchars(trim($_POST['pass'])) : null;  //PROTECT AGAINST ATTACKS 
     $email  = isset($_POST['email']) ? htmlspecialchars(trim($_POST['email'])) : null;  //PROTECT AGAINST ATTACKS 
     $passRX  = '#(^[a-zA-z0-9\-\+_\}\{\(\)])([\w\.\-\\:\;\+\(\)\/\}\{\(\)\ ])*\w*$#'; 
     $userRX  = '#(^[a-zA-z])([\w\.\-\(\)\ ])*\w*$#'; 
     $arrErrors = array(); 

     unset($_SESSION['errors']); 

     //CHECK IF USERNAME CONFORMS TO THE CUSTOM USERNAME REG-EXP... 
     if(!preg_match($userRX, $user)){ 
      $arrErrors['user_not_completed'] = "Username is either not completed or is invalid!"; 
      //SAVE ERRORS TO SESSION 
      $_SESSION['errors'] = $arrErrors; 
      //REDIRECT BACK TO REGISTER PAGE 
      header("Location: register.php"); 
      exit; 
     } 

     //CHECK IF PASSWORD CONFORMS TO THE CUSTOM PASSWORD REG-EXP... 
     if(!preg_match($passRX, $pass)){ 
      $arrErrors['pass_not_completed'] = "Password is not completed!"; 
      //SAVE ERRORS TO SESSION 
      $_SESSION['errors'] = $arrErrors; 
      //REDIRECT BACK TO REGISTER PAGE 
      header("Location: register.php"); 
      exit; 
     } 

     //CHECK IF E-MAIL CONFORMS TO THE STANDARD E-MAIL FORMAT USING BUILT-FUNCTIONS... 
     if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { 
      $arrErrors['email_not_completed'] = "Email is not completed!"; 
      //SAVE ERRORS TO SESSION 
      $_SESSION['errors'] = $arrErrors; 
      //REDIRECT BACK TO REGISTER PAGE 
      header("Location: register.php"); 
      exit; 
     } 

     //BECAUSE WE HAVE SANITIZED VERSIONS OF OUR $user, $pass & $email VARIABLES 
     //WE CAN JUST USE THEM DIRECTLY HERE: 
     if($user && $pass && $email) { 
      //HERE WE BEGIN THE PDO HIGH-LEVEL MAGIC... ;-) 
      try { 
       $dbh  = new PDO('mysql:host='.HOST.';dbname='. DBASE,USER,PASS); 
       $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
       $stmt  = $dbh->prepare("SELECT * FROM users WHERE username = :user"); 
       $stmt->execute(['user' => $user]); 
       $objUser = $stmt->fetch(PDO::FETCH_OBJ); 

       //THIS USER DOES NOT ALREADY EXIST SO WE GO AHEAD AND CREATE A CORRESPONDING RECORD IN THE DB TABLE 
       if(!$objUser){ 
        $stmt = $dbh->prepare("INSERT INTO users (username, password, email) VALUES(:user, :pass, :email)"); 
        $stmt->bindParam(':user', $user); 
        $stmt->bindParam(':pass', $pass); 
        $stmt->bindParam(':email', $email); 
        $insertStatus = $stmt->execute(); 

        if($insertStatus){ 
         $arrErrors['succes'] = 'Account successfuly created!'; 
         $_SESSION['errors']  = $arrErrors; 
         header("Location: register.php"); 
         exit; 
        } 
       }else { 
        $arrErrors['already_exists'] = 'That username already exists!'; 
        $_SESSION['errors']    = $arrErrors; 
        header("Location: register.php"); 
        exit; 
       } 


       //GARBAGE COLLECTION 
       $dbh  = null; 
      }catch(PDOException $e){ 
       //YOU HANDLE YOUR EXCEPTIONS HERE IN YOUR OWN UNIQUE MANNER... 
       echo $e->getMessage(); 
      } 
     } 

    } 
?> 

希望這有助於有點...