我有一个网络表单,用户需要输入以下字段的信息:全名,联系电话和最佳通话时间。填写完这些字段后,用户将提交表单,然后将数据添加到数据库中,但是,我现在的问题是我的Web表单忽略了我设置的验证并允许用户提交空白Web表单。我不确定这可能是我编写代码的方式吗?不过,我该如何解决这个问题?
PHP
<?php
require_once($_SERVER['DOCUMENT_ROOT'].'/inc/bootstrap.php');
include("config/cn.php");
$template['template']="page";
// define variables and set to empty values
$nameErr = $contactErr = $callErrErr = "";
$full_name = $contact_number = $best_time_to_call = "";
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
if (empty($_POST["full_name"]))
{$nameErr = "Full name is required";}
else
{$full_name = test_input($_POST["full_name"]);}
if (empty($_POST["contact_number"]))
{$contactErr = "Contact number is required";}
else
{$contact_number = test_input($_POST["contact_number"]);}
if (empty($_POST["best_time_to_call"]))
{$callErr = "Must not be left blank";}
else
{$best_time_to_call = test_input($_POST["best_time_to_call"]);}
$enter_sql = "INSERT INTO contact (full_name,contact_number,best_time_to_call) VALUES('$full_name','$contact_number','$best_time_to_call')";
/*print($enter_sql);*/
$enter_query = mysql_query($enter_sql) or die(mysql_error());
header('Location: /thankyou.php');
exit;
}
function test_input($data)
{
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
?>
HTML
<form name="frmContact" id="frmCallContact" method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<table width="100%" border="0" cellspacing="1" cellpadding="0" class="TableFormat">
<tr><th align="left" valign="top" colspan="2">Call me back</th></tr>
<tr><td align="right" valign="top">Full Name:</td>
<td><input type="text" name="full_name" id="full_name" style="width:250px;" title="Please enter your full name"/><span class="error">* <?php echo $nameErr;?></span></td></tr>
<tr>
<td align="right" valign="top">Contact Number:</td>
<td><input type="text" name="contact_number" id="contact_number" style="width:250px;" />
<span class="error">*<?php echo $contactErr;?></span></td>
</tr>
<tr>
<td align="right" valign="top">Best Time to Call:</td>
<td><input type="text" name="best_time_to_call" id="best_time_to_call" style="width:250px;" title="Please enter your best time to call"/>
<span class="error">*<?php echo $callErr;?></span></td>
</tr>
<tr>
<td align="right" valign="top"> </td>
<td><!--<a name="submit" href="#"><img src="/img/bn_submit.png" width="93" height="28" /></a>--><input type="submit" name="Submit" value="Submit">
</tr>
</table>
</form>
答案 0 :(得分:0)
$myflag = true; //create a flag
1.
if (empty($_POST["full_name"]))
{
echo $nameErr = "Full name is required"; // echo the error
$myflag = false; //change status of flag
}
2.
if ( $myflag )
{
//if flag is true then insert data;
$enter_sql = "INSERT INTO contact (full_name,contact_number,best_time_to_call) VALUES('$full_name','$contact_number','$best_time_to_call')";
}
3.如果数据直接从用户插入数据库
,则您很容易受到SQL注入攻击