我终于完成了登录并通过电子邮件验证注册表单,我 SO 很高兴!我只是不确定我的表格是否足够安全。我在所有用户输入上使用了htmlspecialcharacters(),并在SQL查询中使用了占位符。这足以阻止对我表单的攻击吗?请帮助,因为所有答案都表示赞赏。谢谢!这是我的注册表格的代码:http://pastebin.com/FWsDqeKs
<?php
include_once 'compat.php';
$user = 0;
$pass = 0;
$mail = 0;
if($_SERVER['REQUEST_METHOD'] == 'POST' && !empty($_POST['mail']) && !empty($_POST['user']) && !empty($_POST['pass'])) {
function an($subject) {
if(ctype_alnum($subject)) {
return true;
}
}
if(an($_POST['user']) && strlen($_POST['user']) <= 20) {
$user = htmlspecialchars($_POST['user']);
}
else {
echo 'username is invalid (a-z A-Z 0-9 and less than 20 characters, please)<br>';
}
if(filter_var($_POST['mail'], FILTER_VALIDATE_EMAIL) && strlen($_POST['mail']) <= 255) {
$mail = htmlspecialchars($_POST['mail')];
}
else {
echo 'email is invalid<br>';
}
if(strlen($_POST['pass']) <= 255) {
$pass = htmlspecialchars($_POST['pass']);
}
else {
echo 'password must be less than 255 characters<br>';
}
if($pass && $user && $mail) {
$hash = md5(rand(0, 1000));
require_once('db.php');
$sth = $db->prepare("
INSERT INTO user_info (username, password, email, hash)
VALUES (:username, :password, :mail, :hash)
");
$sth->bindValue(":username", $user, PDO::PARAM_STR);
$sth->bindValue(":password", password_hash($pass, PASSWORD_DEFAULT), PDO::PARAM_STR);
$sth->bindValue(":mail", $mail, PDO::PARAM_STR);
$sth->bindValue(":hash", $hash, PDO::PARAM_STR);
$success = $sth->execute();
echo 'You have been successfully signed up :)! To activate your account, click the link in your e-mail account (check your spam box if you don\'t get the e-mail!)<br>
The last step to activating your account is clicking this link!:<br>
http://localhost/verify.php?mail=' . $mail . '&hash=' . $hash . '<br>
';
}
}
?>