我只是想看看这个表单的安全性如何,以及是否存在任何潜在的问题。我试图将mysqli_real_escape_string添加到Prepared语句中,但它给了我一个错误。
如果我输入一个带有撇号的名字,比如"Drew's Company"它会以
的形式把它放到数据库中Drew''s Garage
应该是这样吗?
代码:
<?php
if(isset($_POST['submit'])) {
$errors = array();
$clean_name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
$clean_address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
$clean_zip = filter_var($_POST['zip_code'], FILTER_SANITIZE_NUMBER_INT);
$clean_phone = filter_var($_POST['phone'], FILTER_SANITIZE_STRING);
$clean_email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
if($_POST['website'] != "") { $clean_url = filter_var($_POST['website'], FILTER_SANITIZE_URL); } else { $clean_url = ""; }
$formatURL = str_ireplace('www.', '', parse_url($clean_url, PHP_URL_HOST));
$formatPhone = formatPhone($clean_phone);
if($clean_name == "") {
$errors[] = "Please enter your Business Name.";
}
if($clean_address == "") {
$errors[] = "Please enter your Business Address.";
}
if($clean_zip == "") {
$errors[] = "Please enter your Business Zip Code.";
}
if ($result = $mysqli->query("SELECT zip_code FROM zip_codes WHERE zip_code = '$clean_zip'")) {
$row_cnt = $result->num_rows;
if(!$row_cnt) {
$errors[] = "Please enter a valid zip code.";
}
}
if($clean_phone == "") {
$errors[] = "Please enter your Business Phone Number.";
}
if ($check_email = $mysqli->query("SELECT email FROM companies WHERE email = '$clean_email'")) {
$email_count = $check_email->num_rows;
if($email_count) {
$errors[] = "There is already an account associated with that e-mail address.";
}
}
if(!checkEmail($clean_email)) {
$errors[] = "Please enter a valid e-mail address.";
}
if ((strlen($_POST['password']) < 8) || (strlen($_POST['password']) > 16)) {
$errors[] = "Your password must be between 8 and 16 characters.";
}
if($_POST['password'] != $_POST['password2']) {
$errors[] = "Passwords do not match. Please enter the same password.";
}
if (count($errors) == 0) {
/* Create the prepared statement */
if ($stmt = $mysqli->prepare("INSERT INTO companies (company, address, zip_code, phone, url, password, email, date_created, role, status) values (?, ?, ?, ?, ?, ?, ?, NOW(), 's', '1')")) {
$hashed_pass = PassHash::hash($_POST['password']);
/* Bind our params */
$stmt->bind_param('ssissss', $clean_name, $clean_address, $clean_zip, $formatPhone, $formatURL, $hashed_pass, $clean_email);
/* Execute the prepared Statement */
$stmt->execute();
if($mysqli->error) {
echo $mysqli->error;
}
/* Echo results */
echo "<div class='success'>Thank You! You are now registered.</div>";
}
}
}
if(count(@$errors))
{
$error_display = implode('<br />',$errors);
echo "<div class='error'><strong>Error:</strong> $error_display</div>";
}
?>
这个问题可能是由使用magic_quotes_gpc引起的,检查你的php.ini文件,如果这个标志是打开的-关闭它