我从教程中获得了此留言簿的代码,但我决定添加一些安全性和ip检查。这样做我正在学习php。我遇到的问题是"如果不是"语句不检查任何内容,只是将其添加到数据库中。这是代码:
if ($_POST['postbtn']) {
$name = strip_tags($_POST['name']);
$email = strip_tags($_POST['email']);
$message = strip_tags($_POST['message']);
$answer = 'abcdefg';
$response = strtolower(strip_tags($_POST['answer']));
// Check if all fields were filled out
if ($name && $email && $message && $response) {
$time = date("h:i A");
$date = date("m/d/Y");
$ip = $_SERVER['REMOTE_ADDR'];
}
else {
echo "<p style='color:red;'>You didn't fill out all of the fields.</p>";
}
// Check if security answer was correct
if ($response === $answer) {
echo "<p style='color:red;'>Security answer was incorrect.</p>";
} else {
// Check ip address
$checkIP = mysql_query("SELECT ip FROM guestbook WHERE ip = '$ip'");
}
if (mysql_num_rows($checkIP) > 0) {
echo "<p style='color:red;'>You already signed.</p>";
} else {
// add to the database
mysql_query("INSERT INTO guestbook VALUES (
'', '$name', '$email', '$message', '$time', '$date', '$ip'
)");
// refresh page
header('Location: http://www.example.com/guestbook');
}
}
答案 0 :(得分:0)
它检查所有内容,但执行不会被错误阻止。 将代码包装到try-catch块中,并在每个错误上抛出异常。
try {
if ($_POST['postbtn']) {
$name = strip_tags($_POST['name']);
$email = strip_tags($_POST['email']);
$message = strip_tags($_POST['message']);
$answer = 'abcdefg';
$response = strtolower($_POST['answer']);
// Check if all fields were filled out
// Invert condition
if (!$name || !$email || !$message || $response) {
throw new Exception("You didn't fill out all of the fields.");
}
$time = date("h:i A");
$date = date("m/d/Y");
$ip = $_SERVER['REMOTE_ADDR'];
// And so on...
}
}
catch (Exception $e) {
echo "<p style='color:red;'>" . $e->getMessage() . "</p>";
}
答案 1 :(得分:0)
if (isset($_POST['postbtn'])) {
// define variables after the check if the postbtn is pressed
$name = strip_tags($_POST['name']);
$email = strip_tags($_POST['email']);
$message = strip_tags($_POST['message']);
$answer = 'abcdefg';
$response = strtolower(strip_tags($_POST['answer']));
// Check if all fields were filled out, I turned it arround for you, it checks now if it's empty, if so, process an error, else continue
if (empty($name) || empty($email) || empty($message) || empty($response)) {
echo "<p style='color:red;'>You didn't fill out all of the fields.</p>";
// Check if security answer was correct, you check here if its correct and state incorrect answer.
}else if ($response != $answer) {
echo "<p style='color:red;'>Security answer was incorrect.</p>";
// so now we have all errors out of the way, lets go deeper
}else{
$time = date("h:i A");
$date = date("m/d/Y");
$ip = $_SERVER['REMOTE_ADDR'];
$checkIP = mysql_query("SELECT ip FROM guestbook WHERE ip = '$ip'");
// check if we get anything back from the query
if (mysql_num_rows($checkIP) > 0) {
echo "<p style='color:red;'>You already signed.</p>";
} else {
mysql_query("INSERT INTO guestbook VALUES ('', '$name', '$email', '$message', '$time', '$date', '$ip')");
// refresh page
header('Location: http://www.example.com/guestbook');
}
}
}
我是从头开始做的,所以不要把我击倒。我试图指出你的缺陷在哪里。例如,您在检查变量时存在缺陷,您的安全性存在缺陷(当您输入正确的安全性答案时,实际上会给出错误消息)
所以要解释一下,在if语句中,你需要深入了解兔子洞,因为他们说的很好。有时您需要else语句继续并深入。这样您可以更好地捕获错误。例如。您的代码无论如何都会在数据库中输入,因为即使您遇到错误,也只能将其输入数据库。 (你的答案会被忽略,因为在if语句中设置了变量,不能在该循环之外使用。将其视为localized variable)
但是如果你继续深入研究if else的陈述,你可以随身携带它们。
修改
另外,我为你缩进代码,所以你看我们有多深,以及实际上有多少if-else语句。如果您有任何疑问,请不要犹豫;)
<强> EDIT2
我实际上已经替换了响应并回答了检查1 if else statement down并且如果要将所有错误保持在彼此附近则做出其他错误。您也可以使用变量来检查num_rows,但我还没有这样做。在安全检查之后,您还可以在else if语句中抛出它。这也应该有效,但为了让它更漂亮,你可以按照我描述的方式进行。
理论上,这应该可以正常工作。