表格验证PHP /避免注射

时间:2011-08-28 10:44:13

标签: php mysql forms validation

我在HTML中创建了一个表单(查询表单),其中包含以下代码:

<?php           
if(isset($_POST['submit']))

{
$name = mysql_real_escape_string((string)$_POST['name']);
$surname = mysql_real_escape_string((string)$_POST['surname']);
$email = mysql_real_escape_string((string)$_POST['email']);
$phone = mysql_real_escape_string((string)$_POST['phone']);
$country = mysql_real_escape_string((string)$_POST['country']);
$message = mysql_real_escape_string((string)$_POST['message']);

$sql = "INSERT INTO contact
       (name, surname, email, phone, country, message)
       VALUES('$name', '$surname', '$email', '$phone', '$country', '$message')";

mysql_select_db($db);
$retval = mysql_query( $sql, $conn )or die(mysql_error());

echo 'Thank you '.$name.' '.$surname.'. Your enquiry has been forwarded to our team. <br><br>Please check you email inbox for further information.<br><br>Return to homepage:<br><br><button class="search" onclick="/">Return to homepage</button>';

mysql_close($conn);
}

?>

我想知道如何在输入无效或零数据时显示错误并停止表单发布?

在学习如何在网上创建表单的同时,我也听说过SQL注入。我受保护了吗?

非常感谢。

2 个答案:

答案 0 :(得分:4)

  

我想知道如何在输入无效或零数据时显示错误并停止表单发布。

您必须在if(isset($_POST['submit']))之后进行验证。例如,您可以检查名称是否为空:

if (empty($_POST['name'])) {
    $errors[] = 'name must not be empty';
}

对于更复杂的验证,例如验证电子邮件是否有效,您应该查看 filter extension 

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if (!$email) // invalid email

经过所有验证后:

if (!count($errors)) {
    // do the insert here
}

一旦检测到错误,您就可以使用while块中断:

while (isset($_POST['submit'])) {

    if (empty($_POST['name'])) {
        $errors = 'name must not be empty';
        break;
    }

    // do the insert here

    break;
}
  

在学习如何在网上创建表单的同时,我也听说过sql注入,我受到保护吗?

是的,只要您逃避嵌入SQL查询中的任何内容(就像您正在做的那样),您就会受到保护。

您应尝试使用 prepared statements ,这样更安全,更易于使用。

答案 1 :(得分:-1)

<?php           
if(isset($_POST['submit']))
{
$errors = array();
$name = !empty($_POST['name']) ? mysql_real_escape_string((string)$_POST['name']) : $errors[] = 'Name must not be empty';
$surname = !empty($_POST['name']) ? mysql_real_escape_string((string)$_POST['name']) : $errors[] = 'User Name must not be empty';
$email = !empty($_POST['email']) ? mysql_real_escape_string((string)$_POST['email']) : $errors[] = 'Email must not be empty';
$phone = !empty($_POST['phone']) ? mysql_real_escape_string((string)$_POST['phone']) : $errors[] = 'Phone must not be empty';
$country = !empty($_POST['country']) ? mysql_real_escape_string((string)$_POST['country']) : $errors[] = 'Country must not be empty';
$message = !empty($_POST['message']) ? mysql_real_escape_string((string)$_POST['message'])  : $errors[] = 'Message must not be empty';

if (empty($errors))
{   
if (preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email))
{
    $sql = "INSERT INTO contact
   (name, surname, email, phone, country, message)
   VALUES('$name', '$surname', '$email', '$phone', '$country', '$message')";

    mysql_select_db($db);
    $retval = mysql_query( $sql, $conn )or die(mysql_error());

    echo 'Thank you '.$name.' '.$surname.'. Your enquiry has been forwarded to our team. <br><br>Please check you email inbox for further information.<br><br>Return to homepage:<br><br><button class="search" onclick="/">Return to homepage</button>';

    mysql_close($conn);
}
else {
    echo 'Invalid Email';   
}
}
else
{
foreach ($errors AS $error) 
{
    echo "$error<br />";    
}
}
}

&GT;

相关问题
最新问题