PHP注册表单-安全可靠?
PHP注册表单-安全可靠?
提问于 2011-08-20 20:11:32
我只想看看这个表单有多安全,以及是否存在任何潜在的问题。我试图将mysqli_real_escape_string添加到准备好的语句中,但它给了我一个错误。
另外,如果我输入一个带有撇号的名称,比如"Drew's Company“,它会将其放在数据库中,如
Drew\'s Garage 应该是这样吗?
代码:
<?php
if(isset($_POST['submit'])) {
$errors = array();
$clean_name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
$clean_address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
$clean_zip = filter_var($_POST['zip_code'], FILTER_SANITIZE_NUMBER_INT);
$clean_phone = filter_var($_POST['phone'], FILTER_SANITIZE_STRING);
$clean_email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
if($_POST['website'] != "") { $clean_url = filter_var($_POST['website'], FILTER_SANITIZE_URL); } else { $clean_url = ""; }
$formatURL = str_ireplace('www.', '', parse_url($clean_url, PHP_URL_HOST));
$formatPhone = formatPhone($clean_phone);
if($clean_name == "") {
$errors[] = "Please enter your Business Name.";
}
if($clean_address == "") {
$errors[] = "Please enter your Business Address.";
}
if($clean_zip == "") {
$errors[] = "Please enter your Business Zip Code.";
}
if ($result = $mysqli->query("SELECT zip_code FROM zip_codes WHERE zip_code = '$clean_zip'")) {
$row_cnt = $result->num_rows;
if(!$row_cnt) {
$errors[] = "Please enter a valid zip code.";
}
}
if($clean_phone == "") {
$errors[] = "Please enter your Business Phone Number.";
}
if ($check_email = $mysqli->query("SELECT email FROM companies WHERE email = '$clean_email'")) {
$email_count = $check_email->num_rows;
if($email_count) {
$errors[] = "There is already an account associated with that e-mail address.";
}
}
if(!checkEmail($clean_email)) {
$errors[] = "Please enter a valid e-mail address.";
}
if ((strlen($_POST['password']) < 8) || (strlen($_POST['password']) > 16)) {
$errors[] = "Your password must be between 8 and 16 characters.";
}
if($_POST['password'] != $_POST['password2']) {
$errors[] = "Passwords do not match. Please enter the same password.";
}
if (count($errors) == 0) {
/* Create the prepared statement */
if ($stmt = $mysqli->prepare("INSERT INTO companies (company, address, zip_code, phone, url, password, email, date_created, role, status) values (?, ?, ?, ?, ?, ?, ?, NOW(), 's', '1')")) {
$hashed_pass = PassHash::hash($_POST['password']);
/* Bind our params */
$stmt->bind_param('ssissss', $clean_name, $clean_address, $clean_zip, $formatPhone, $formatURL, $hashed_pass, $clean_email);
/* Execute the prepared Statement */
$stmt->execute();
if($mysqli->error) {
echo $mysqli->error;
}
/* Echo results */
echo "<div class='success'>Thank You! You are now registered.</div>";
}
}
}
if(count(@$errors))
{
$error_display = implode('<br />',$errors);
echo "<div class='error'><strong>Error:</strong> $error_display</div>";
}
?>回答 1
Stack Overflow用户
发布于 2011-08-20 20:17:50
这个问题可能是由于使用gpc引起的,请检查您的php.ini文件,以防此标志打开--关闭它。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/7134376
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号