在我的 PHP 验证方面需要帮助答案

【问题标题】：Need assistance on my PHP validation在我的 PHP 验证方面需要帮助
【发布时间】：2016-04-29 13:05:11
【问题描述】：

我正在尝试执行表单注册验证，但我不知道我是否正确。

首先，我为表单中的每个空白字段存储一条错误消息。之后，如果我的字段不为空，我想验证用户名字段（来自无效字符）、密码和电子邮件

问题是当我删除 die();在我的用户名验证条件行中，它确实向我显示了错误消息和成功消息，并且在我的数据库中插入了无效的用户名。

我很确定问题出在我的 if($numrows==0) 条件下，但我不知道为什么。

<?php
session_start();
$con=mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('user_registration') or die("cannot select DB");


if(isset($_POST["submit"])){

    $arrErrors = array();
    unset($_SESSION['errors']);

    if($_POST['user'] == ''){
        $arrErrors['user_not_completed'] = "Username is not completed!";
        $_SESSION['errors'] = $arrErrors;
        header("Location: register.php");
    }

    if($_POST['pass'] == ''){
        $arrErrors['pass_not_completed'] = "Password is not completed!";
        $_SESSION['errors'] = $arrErrors;
        header("Location: register.php");
    }

    if($_POST['email'] == ''){
        $arrErrors['email_not_completed'] = "Email is not completed!";
        $_SESSION['errors'] = $arrErrors;
        header("Location: register.php");
    }

    if(!empty($_POST['user']) && !empty($_POST['pass']) && !empty($_POST['email'])) {
        $user=$_POST['user'];
        $pass=$_POST['pass'];
        $email=$_POST['email'];

            if(!preg_match("/^[a-zA-Z'-]+$/",$user)) {
                $arrErrors['invalid_user'] = "Username is invalid!";
                $_SESSION['errors'] = $arrErrors;
                header("Location: register.php");
                die();
            } 

        $query=mysql_query("SELECT * FROM users WHERE username='".$user."'");
        $numrows=mysql_num_rows($query);


        if($numrows==0){
            $sql="INSERT INTO users(username,password, email) VALUES('$user','$pass', '$email')";
            $result=mysql_query($sql);


            if($result){
                $arrErrors['succes'] = 'Account successfuly created!';
                $_SESSION['errors'] = $arrErrors;
                header("Location: register.php");
            } 

        } else {
            $arrErrors['already_exists'] = 'That username already exists!';
            $_SESSION['errors'] = $arrErrors;
            header("Location: register.php");
        }

} 

}
?>

【问题讨论】：

Little Bobby 说your script is at risk for SQL Injection Attacks.。即使escaping the string 也不安全！
请stop using mysql_* functions。 These extensions 已在 PHP 7 中删除。了解PDO 和 MySQLi 的 prepared 语句并考虑使用 PDO，it's really pretty easy。
请使用 PHP 的built-in functions 来处理密码安全问题。如果您使用的 PHP 版本低于 5.5，您可以使用 password_hash() compatibility pack。在散列之前，请确保您 don't escape passwords 或对它们使用任何其他清理机制。这样做会更改密码并导致不必要的额外编码。
你应该在标题后使用exit()，而不是die()。
除了 Jay 提出的有效点之外，如果您删除 die() 语句，代码会愉快地继续运行，因为设置“Location”标头不会终止脚本。因为无效的用户名在你的数据库中可能是唯一的，所以返回的行数为0，将插入无效的用户。

标签： php forms validation

【解决方案1】：

我建议你这样做：

<?php
    //FIRST I WOULD CHECK IF SESSION EXIST BEFORE STARTING IT:
    if (session_status() == PHP_SESSION_NONE  || session_id() == '') {
        session_start();
    }
    //NEXT I'D USE PDO AS MY DATABASE ABSTRACTION LAYER: IT HAS A LOT OF ADVANTAGES, REALLY:
    //DATABASE CONNECTION CONFIGURATION:
    defined("HOST")     or define("HOST",   "localhost");           //REPLACE WITH YOUR DB-HOST
    defined("DBASE")    or define("DBASE",  "user_registration");   //REPLACE WITH YOUR DB NAME
    defined("USER")     or define("USER",   "root");                //REPLACE WITH YOUR DB-USER
    defined("PASS")     or define("PASS",   "");                    //REPLACE WITH YOUR DB-PASS

    if(isset($_POST["submit"])){
        //THEN CLEAN UP THE SUBMITTED DATA TO AVOID POSSIBLE ATTACKS...
        $user       = isset($_POST['user'])     ? htmlspecialchars(trim($_POST['user']))    : null;     //PROTECT AGAINST ATTACKS
        $pass       = isset($_POST['pass'])     ? htmlspecialchars(trim($_POST['pass']))    : null;     //PROTECT AGAINST ATTACKS
        $email      = isset($_POST['email'])    ? htmlspecialchars(trim($_POST['email']))   : null;     //PROTECT AGAINST ATTACKS
        $passRX     = '#(^[a-zA-z0-9\-\+_\}\{\(\)])([\w\.\-\\:\;\+\(\)\/\}\{\(\)\ ])*\w*$#';
        $userRX     = '#(^[a-zA-z])([\w\.\-\(\)\ ])*\w*$#';
        $arrErrors  = array();

        unset($_SESSION['errors']);

        //CHECK IF USERNAME CONFORMS TO THE CUSTOM USERNAME REG-EXP...
        if(!preg_match($userRX, $user)){
            $arrErrors['user_not_completed'] = "Username is either not completed or is invalid!";
            //SAVE ERRORS TO SESSION
            $_SESSION['errors'] = $arrErrors;
            //REDIRECT BACK TO REGISTER PAGE
            header("Location: register.php");
            exit;
        }

        //CHECK IF PASSWORD CONFORMS TO THE CUSTOM PASSWORD REG-EXP...
        if(!preg_match($passRX, $pass)){
            $arrErrors['pass_not_completed'] = "Password is not completed!";
            //SAVE ERRORS TO SESSION
            $_SESSION['errors'] = $arrErrors;
            //REDIRECT BACK TO REGISTER PAGE
            header("Location: register.php");
            exit;
        }

        //CHECK IF E-MAIL CONFORMS TO THE STANDARD E-MAIL FORMAT USING BUILT-FUNCTIONS...
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $arrErrors['email_not_completed'] = "Email is not completed!";
            //SAVE ERRORS TO SESSION
            $_SESSION['errors'] = $arrErrors;
            //REDIRECT BACK TO REGISTER PAGE
            header("Location: register.php");
            exit;
        }

        //BECAUSE WE HAVE SANITIZED VERSIONS OF OUR $user, $pass & $email VARIABLES
        //WE CAN JUST  USE THEM DIRECTLY HERE:
        if($user && $pass && $email) {
            //HERE WE BEGIN THE PDO HIGH-LEVEL MAGIC... ;-)
            try {
                $dbh        = new PDO('mysql:host='.HOST.';dbname='. DBASE,USER,PASS);
                $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                $stmt       = $dbh->prepare("SELECT * FROM users WHERE username = :user");
                $stmt->execute(['user' => $user]);
                $objUser    = $stmt->fetch(PDO::FETCH_OBJ);

                //THIS USER DOES NOT ALREADY EXIST SO WE GO AHEAD AND CREATE A CORRESPONDING RECORD IN THE DB TABLE
                if(!$objUser){
                    $stmt   = $dbh->prepare("INSERT INTO users (username, password, email) VALUES(:user, :pass, :email)");
                    $stmt->bindParam(':user',   $user);
                    $stmt->bindParam(':pass',   $pass);
                    $stmt->bindParam(':email',  $email);
                    $insertStatus   = $stmt->execute();

                    if($insertStatus){
                        $arrErrors['succes']    = 'Account successfuly created!';
                        $_SESSION['errors']     = $arrErrors;
                        header("Location: register.php");
                        exit;
                    }
                }else {
                    $arrErrors['already_exists']    = 'That username already exists!';
                    $_SESSION['errors']             = $arrErrors;
                    header("Location: register.php");
                    exit;
                }


                //GARBAGE COLLECTION
                $dbh        = null;
            }catch(PDOException $e){
                //YOU HANDLE YOUR EXCEPTIONS HERE IN YOUR OWN UNIQUE MANNER...
                echo $e->getMessage();
            }
        }

    }
?>

希望这会有所帮助...

【讨论】：