如果字段无效，则阻止 PHP 输入输入答案

【问题标题】：Prevent PHP from entering input if fields aren't valid如果字段无效，则阻止 PHP 输入输入
【发布时间】：2014-04-20 17:25:46
【问题描述】：

这是我的代码

    <?php
$con = mysqli_connect("localhost", "root", "xxx", "s");

// Check connection

if (mysqli_connect_errno())
    {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

$name = $con->real_escape_string($_POST['name']);
$username = $con->real_escape_string($_POST['username']);
$email = $con->real_escape_string($_POST['email']);
$password1 = $con->real_escape_string($_POST['pass1']);
$password2 = $con->real_escape_string($_POST['pass2']);

if (empty($name) || empty($username) || empty($email) || empty($password1) || empty($password2))
    {
    echo "Complete all fields";

    // you can stop it here instead of putting the curly brace ALL the way at the bottom :)

    return;
    }

if (!filter_var($email, FILTER_VALIDATE_EMAIL))
    {
    echo $emailvalid = "Enter a  valid email";
    }

if (strlen($password1) <= 6)
    {
    echo $passlength = "Password must be at least 6 characters long";
    }

// Password numbers

if (!preg_match("#[0-9]+#", $password1))
    {
    echo $passnum = "Password must include at least one number!";
    }

if (!preg_match("#[a-zA-Z]+#", $password1))
    {
    echo $passletter = "Password must include at least one letter!";
    }

if ($password1 <> $password2)
    {
    echo $passmatch = "Passwords don't match";
    }

mysqli_query($con, "INSERT INTO pass (Name,Username,Email,Password) VALUES ('$name','$username','$email','$password1')");
mysqli_close($con);
?>

即使字段有效，输入也会发送到数据库。有没有办法防止这种情况发生？所以说我的密码不匹配，它仍然会将表单发送到数据库。我希望 PHP 停止这样做。有什么想法吗？

【问题讨论】：

单独检查每个验证，并尝试找出哪个失败。
将您的插入查询放在 else 中。对除第一个以外的所有其他 if 语句使用 elseif 它会像 if(condition1){}elseif(condition2)elseif(condition3)...else(插入语句）
另一种方法是在每个 if 语句中使用 exit。 if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { echo $emailvalid = "输入有效的电子邮件";exit; }
我该怎么做？ @AmalMurali
@user3444414：将您的每个if 语句分开并验证它是否有效？

标签： php forms security

【解决方案1】：

if(!(isset($emailvalid) || isset($passlength) || isset($passnum) || isset($passletter) || isset($passmatch))) {
    mysqli_query(...);
}

如果存在包含错误的任何变量，则大括号之间的代码没有运行。

【讨论】：

这样安全吗？
如果您在 SQL 注入之前保护您的查询 - 是的
在 SQL 注入之前如何保护它？
阅读准备好的语句
这不是准备好的声明吗？ $name = $con->real_escape_string($_POST['name']);这还不够吗？

【解决方案2】：

你的代码应该是这样的：

    <?php
$con = mysqli_connect("localhost", "root", "xxx", "s");

// Check connection

if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$name = $con->real_escape_string($_POST['name']);
$username = $con->real_escape_string($_POST['username']);
$email = $con->real_escape_string($_POST['email']);
$password1 = $con->real_escape_string($_POST['pass1']);
$password2 = $con->real_escape_string($_POST['pass2']);

if (empty($name) || empty($username) || empty($email) || empty($password1) || empty($password2))
{
echo "Complete all fields";

// you can stop it here instead of putting the curly brace ALL the way at the bottom :)

return;
}

if (!filter_var($email, FILTER_VALIDATE_EMAIL))
{
echo $emailvalid = "Enter a  valid email";
return;
}

if (strlen($password1) <= 6)
{
echo $passlength = "Password must be at least 6 characters long";
return;
}

// Password numbers

if (!preg_match("#[0-9]+#", $password1))
{
echo $passnum = "Password must include at least one number!";
return;
}

if (!preg_match("#[a-zA-Z]+#", $password1))
{
echo $passletter = "Password must include at least one letter!";
return;
}

if ($password1 <> $password2)
{
echo $passmatch = "Passwords don't match";
return;
}

mysqli_query($con, "INSERT INTO pass (Name,Username,Email,Password) VALUES         ('$name','$username','$email','$password1')");
mysqli_close($con);
?>

你忘了放退货；每个 if 中的语句。

【讨论】：

然后显示一个错误。如果你有的话，不是多个
因此，您不应该在 ifs 中使用 return，而是设置一个变量，然后检查它是否已设置并返回。这将回显所有错误并在此之后返回。

【解决方案3】：

你可以这样试试

   if (!$name < '' || ....)
   {
     echo "Complete all fields";

     return;      
   }

【讨论】：

你能告诉我 my if's 使用它的样子吗？

【解决方案4】：

你的代码应该和我一样。所以我正在准备错误，如果没有错误，我只需执行查询，如果有错误我会显示它们。当然，这是简化的，但你应该得到练习。

<?php
$con = mysqli_connect("localhost", "root", "xxx", "s");

// Check connection

if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$name = $con->real_escape_string($_POST['name']);
$username = $con->real_escape_string($_POST['username']);
$email = $con->real_escape_string($_POST['email']);
$password1 = $con->real_escape_string($_POST['pass1']);
$password2 = $con->real_escape_string($_POST['pass2']);

$canExecute = true;
$errors = array();

if (empty($name) || empty($username) || empty($email) || empty($password1) || empty($password2))
{
    echo "Complete all fields";

    // you can stop it here instead of putting the curly brace ALL the way at the bottom :)
    return;
}

if (!filter_var($email, FILTER_VALIDATE_EMAIL))
{
    $errors[] = "Enter a  valid email";
    $canExecute = false;
}

if (strlen($password1) <= 6)
{
    $errors[] = "Password must be at least 6 characters long";
    $canExecute = false;
}

// Password numbers

if (!preg_match("#[0-9]+#", $password1))
{
    $errors[]= "Password must include at least one number!";
    $canExecute = false;
}

if (!preg_match("#[a-zA-Z]+#", $password1))
{
    $errors[] = "Password must include at least one letter!";
    $canExecute = false;
}

if ($password1 <> $password2)
{
    $errors[]= "Passwords don't match";
    $canExecute = false;
}

if ($canExecute)
{
    mysqli_query($con, "INSERT INTO pass (Name,Username,Email,Password) VALUES         ('$name','$username','$email','$password1')");
    mysqli_close($con);
}
else
{
    echo '<ul>';
    foreach ($errors as $error)
        echo '<li>'.$error.'</li>';
    echo '</ul>';
}

【讨论】：