問題描述
完全陷入深層次 - PHP 的新手并做了一個簡單的表單提交(創建帳戶頁面)以發送到 mySQL 數據庫,因此對于問題的noobness 表示歉意.
Completely thrown in the deep end - new to PHP and doing a simple form submission (create account page) to send to a mySQL database so apologies for the noobness of question.
我不確定如何在發送數據之前正確驗證和清理數據.但是我在插入數據庫時??使用了 PDO 和占位符,所以我想我已經涵蓋了這一方面.
I'm not sure how to properly validate and sanitize the data before sending it. But i am using a PDO and placeholders when inserting into the database so I think i have that side covered.
<form action="createaccount.php" name="form" method="post">
<input type="text" name="createUserName" id="createUserName" placeholder="User Name"><br>
<input type="password" name="passWord" id="passWord" placeholder="Password (Min 6 Characters)"><br>
<input type="password" name="confirmPW" id="confirmPW" placeholder="Confirm Password"><br>
<input type="text" name="fName" id="fName" placeholder="First Name"><br>
<input type="text" name="sName" id="sName" placeholder="Surname"><br><br>
<input type="email" name="userEmail" id="userEmail" placeholder="Email Address"><br>
<input type="submit" value="Create Account">
</form>
這被發送到一個名為 createaccount.php 的單獨 php 文件,該文件運行用戶名檢查,如果成功則運行一個函數,將字段發送到我的 dbHandler 類中的插入函數中.
This is sent to a seperate php file called createaccount.php which runs a username check and if success runs a function that sends the fields into an insert function in my dbHandler class.
<?php
session_start();
include('connect.php');
$username = $_POST['createUserName'];
$password = $_POST['passWord'];
$password_confirm = $_POST['confirmPW'];
$firstname = $_POST['fName'];
$surname = $_POST['sName'];
$email = $_POST['userEmail'];
if ($dbh->checkUserName($username)) {
$_SESSION['message'] = "Username is taken, please try again";
header('Location: createAccount.php');
exit();
} else {
$dbh->createAccount($username, $password, $password_confirm, $firstname, $surname, $email);
header('Location: login.php');
exit();
};
?>
所以我的問題是.我應該使用
So my questions are. Should i be using
<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>
在我的表單中操作?如果是這樣.我需要在 createaccount.php 上運行該函數,是的,因為我無法將其發送到另一個 php 文件?
In my form action? If so. I will need to run the function on createaccount.php here yes as I cant send it to another php file?
我應該使用 filter_var 嗎?和/或我應該在我發送到表單的變量中使用修剪、斜線或任何東西嗎?我該怎么做呢?我的理解是
Should I be using filter_var? And/Or Should I be using trim, stripslashes or anything in my variables im sending into the form? How do I do this? My understanding is
$name = test_input($_POST['createUserName']);
$password = test_input($_POST['passWord']); .. etc
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
另外,這是我的插入函數.這是否安全/編寫正確?
Also, here is my insert function. Is this secure/written correctly?
<?php
function createAccount($userName, $pw, $confirmPW, $fName, $sName, $email) {
$sql = "INSERT INTO `room_project`.`user` (`userName`, `pass`, `confirmPW`, `fName`, `sName`, `email`) VALUES (?, ?, ?, ?, ?, ?);";
$query = $this->connection->prepare($sql);
$query->execute(Array($userName, $pw, $confirmPW, $fName, $sName, $email));
}
?>
我非常感謝任何建議!再次請原諒這個初學者的性質:)
I thoroughly appreciate any advice! Again please excuse the beginner nature of this :)
推薦答案
你應該使用 PHP regex 來嚴格驗證您的輸入數據.
You should use PHP regex to strictly validate your input data.
假設您要驗證以下輸入字段,
Suppose you want to validate the following input fields,
- 用戶名
- 密碼
- 名字
- 姓氏
- 電子郵件
然后你會做這樣的事情,
then you would do something like this,
if(isset($_POST['submit']) && !empty($_POST['submit'])){
// use a boolean variable to keep track of errors
$error = false;
// Username validation
$username = trim($_POST['username']);
$username_pattern = "/^[a-zA-Z0-9]{3,15}$/"; // username should contain only letters and numbers, and length should be between 3 and 15 characters
if(preg_match($username_pattern, $username)){
// success
}else{
// error
$error = true;
}
// Password validation
$password = $_POST['password'];
$confirm_password = $_POST['confirm_password'];
if(strlen($password) >= 6 && $password===$confirm_password){ // length of the password should be greater than or equal to 6
// success
}else{
// error
$error = true;
}
// First name validation
$first_name = trim($_POST['first_name']);
$first_name_pattern = "/^[a-zA-Z]{2,15}$/";
if(preg_match($first_name_pattern, $first_name)){ // first name should contain only letters and length should be between 2 and 15 characters
// success
}else{
// error
$error = true;
}
// Last name validation
$last_name = trim($_POST['last_name']);
$last_name_pattern = "/^[a-zA-Z]{2,15}$/";
if(preg_match($last_name_pattern, $last_name)){ // last name should contain only letters and length should be between 2 and 15 characters
// success
}else{
// error
$error = true;
}
// Email validation
$email = trim()
$email_pattern = "/^([a-z0-9._+-]{3,30})@([a-z0-9-]{2,30})((.([a-z]{2,20})){1,3})$/";
if(preg_match($email_pattern, $email)){ // validate email addresses
// success
}else{
// error
$error = true;
}
if(!$error){
// all fields are validated. Now do your database operations.
}else{
// display error message
}
}
并使用 PDO prepare 來防止您的數據庫受到任何類型的 SQL 注入.
And use PDO prepare to prevent your database from any kind of SQL Injection.
來自 PDO::prepare
為將使用不同參數值多次發出的語句調用 PDO::prepare() 和 PDOStatement::execute() 通過允許驅動程序協商客戶端和/或服務器端緩存來優化應用程序的性能查詢計劃和元信息,并且無需手動引用參數,有助于防止 SQL 注入攻擊.
Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.
這篇關于清理和驗證表單 php的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!