清理和验证表单 php

问题描述

完全陷入深层次 - PHP 的新手并做了一个简单的表单提交(创建帐户页面)以发送到 mySQL 数据库，因此对于问题的noobness 表示歉意.

Completely thrown in the deep end - new to PHP and doing a simple form submission (create account page) to send to a mySQL database so apologies for the noobness of question.

我不确定如何在发送数据之前正确验证和清理数据.但是我在插入数据库时​​使用了 PDO 和占位符，所以我想我已经涵盖了这一方面.

I'm not sure how to properly validate and sanitize the data before sending it. But i am using a PDO and placeholders when inserting into the database so I think i have that side covered.

<form action="createaccount.php" name="form" method="post">
    <input type="text" name="createUserName" id="createUserName" placeholder="User Name"><br>
    <input type="password" name="passWord" id="passWord" placeholder="Password (Min 6 Characters)"><br>
    <input type="password" name="confirmPW" id="confirmPW" placeholder="Confirm Password"><br>

    <input type="text" name="fName" id="fName" placeholder="First Name"><br>
    <input type="text" name="sName" id="sName" placeholder="Surname"><br><br>

    <input type="email" name="userEmail" id="userEmail" placeholder="Email Address"><br>
    <input type="submit" value="Create Account">
</form>

这被发送到一个名为 createaccount.php 的单独 php 文件，该文件运行用户名检查，如果成功则运行一个函数，将字段发送到我的 dbHandler 类中的插入函数中.

This is sent to a seperate php file called createaccount.php which runs a username check and if success runs a function that sends the fields into an insert function in my dbHandler class.

<?php 
session_start();
include('connect.php'); 

  $username = $_POST['createUserName'];
  $password = $_POST['passWord'];
  $password_confirm = $_POST['confirmPW'];
  $firstname = $_POST['fName'];
  $surname = $_POST['sName'];
  $email = $_POST['userEmail'];

  if ($dbh->checkUserName($username)) {
    $_SESSION['message'] = "Username is taken, please try again";
    header('Location: createAccount.php');
  exit();
  } else {
    $dbh->createAccount($username, $password, $password_confirm, $firstname, $surname, $email);
    header('Location: login.php');
    exit();
  };

 ?>

所以我的问题是.我应该使用

So my questions are. Should i be using

<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>

在我的表单中操作?如果是这样.我需要在 createaccount.php 上运行该函数，是的，因为我无法将其发送到另一个 php 文件?

In my form action? If so. I will need to run the function on createaccount.php here yes as I cant send it to another php file?

我应该使用 filter_var 吗?和/或我应该在我发送到表单的变量中使用修剪、斜线或任何东西吗?我该怎么做呢?我的理解是

Should I be using filter_var? And/Or Should I be using trim, stripslashes or anything in my variables im sending into the form? How do I do this? My understanding is

$name = test_input($_POST['createUserName']);
$password = test_input($_POST['passWord']); .. etc

function test_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
return $data;
}

另外，这是我的插入函数.这是否安全/编写正确?

Also, here is my insert function. Is this secure/written correctly?

<?php 
function createAccount($userName, $pw, $confirmPW, $fName, $sName, $email) {
        $sql = "INSERT INTO `room_project`.`user` (`userName`, `pass`, `confirmPW`, `fName`, `sName`, `email`) VALUES (?, ?, ?, ?, ?, ?);";
        $query = $this->connection->prepare($sql);
        $query->execute(Array($userName, $pw, $confirmPW, $fName, $sName, $email));

    }

?>

我非常感谢任何建议！再次请原谅这个初学者的性质:)

I thoroughly appreciate any advice! Again please excuse the beginner nature of this :)

推荐答案

你应该使用 PHP regex 来严格验证您的输入数据.

You should use PHP regex to strictly validate your input data.

假设您要验证以下输入字段，

Suppose you want to validate the following input fields,

• 用户名
• 密码
• 名字
• 姓氏
• 电子邮件

然后你会做这样的事情，

then you would do something like this,

if(isset($_POST['submit']) && !empty($_POST['submit'])){

    // use a boolean variable to keep track of errors
    $error = false;

    // Username validation
    $username = trim($_POST['username']);
    $username_pattern = "/^[a-zA-Z0-9]{3,15}$/"; // username should contain only letters and numbers, and length should be between 3 and 15 characters
    if(preg_match($username_pattern, $username)){
        // success
    }else{
        // error
        $error = true;
    }

    // Password validation
    $password = $_POST['password'];
    $confirm_password = $_POST['confirm_password'];
    if(strlen($password) >= 6 && $password===$confirm_password){ // length of the password should be greater than or equal to 6
       // success
    }else{
       // error
       $error = true;
    }

    // First name validation
    $first_name = trim($_POST['first_name']);
    $first_name_pattern = "/^[a-zA-Z]{2,15}$/";
    if(preg_match($first_name_pattern, $first_name)){ // first name should contain only letters and length should be between 2 and 15 characters
        // success
    }else{
        // error
        $error = true;
    }


    // Last name validation
    $last_name = trim($_POST['last_name']);
    $last_name_pattern = "/^[a-zA-Z]{2,15}$/";
    if(preg_match($last_name_pattern, $last_name)){ // last name should contain only letters and length should be between 2 and 15 characters
        // success
    }else{
        // error
        $error = true;
    }

    // Email validation
    $email = trim()
    $email_pattern = "/^([a-z0-9._+-]{3,30})@([a-z0-9-]{2,30})((.([a-z]{2,20})){1,3})$/";
    if(preg_match($email_pattern, $email)){ // validate email addresses
        // success
    }else{
        // error
        $error = true;
    }

    if(!$error){
        // all fields are validated. Now do your database operations.
    }else{
        // display error message
    }
}

并使用 PDO prepare 来防止您的数据库受到任何类型的 SQL 注入.

And use PDO prepare to prevent your database from any kind of SQL Injection.

来自 PDO::prepare

为将使用不同参数值多次发出的语句调用 PDO::prepare() 和 PDOStatement::execute() 通过允许驱动程序协商客户端和/或服务器端缓存来优化应用程序的性能查询计划和元信息，并且无需手动引用参数，有助于防止 SQL 注入攻击.

Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.

这篇关于清理和验证表单 php的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持html5模板网！