我从一个教程中获得了这个留言簿的代码,但我决定在其中添加一些安全性和ip检查。我正在学习php。我遇到的问题是"If else"语句没有检查任何内容,只是将其添加到数据库中。这是代码:
if ($_POST['postbtn']) {
$name = strip_tags($_POST['name']);
$email = strip_tags($_POST['email']);
$message = strip_tags($_POST['message']);
$answer = 'abcdefg';
$response = strtolower(strip_tags($_POST['answer']));
// Check if all fields were filled out
if ($name && $email && $message && $response) {
$time = date("h:i A");
$date = date("m/d/Y");
$ip = $_SERVER['REMOTE_ADDR'];
}
else {
echo "<p style='color:red;'>You didn't fill out all of the fields.</p>";
}
// Check if security answer was correct
if ($response === $answer) {
echo "<p style='color:red;'>Security answer was incorrect.</p>";
} else {
// Check ip address
$checkIP = mysql_query("SELECT ip FROM guestbook WHERE ip = '$ip'");
}
if (mysql_num_rows($checkIP) > 0) {
echo "<p style='color:red;'>You already signed.</p>";
} else {
// add to the database
mysql_query("INSERT INTO guestbook VALUES (
'', '$name', '$email', '$message', '$time', '$date', '$ip'
)");
// refresh page
header('Location: http://www.example.com/guestbook');
}
}
if (isset($_POST['postbtn'])) {
// define variables after the check if the postbtn is pressed
$name = strip_tags($_POST['name']);
$email = strip_tags($_POST['email']);
$message = strip_tags($_POST['message']);
$answer = 'abcdefg';
$response = strtolower(strip_tags($_POST['answer']));
// Check if all fields were filled out, I turned it arround for you, it checks now if it's empty, if so, process an error, else continue
if (empty($name) || empty($email) || empty($message) || empty($response)) {
echo "<p style='color:red;'>You didn't fill out all of the fields.</p>";
// Check if security answer was correct, you check here if its correct and state incorrect answer.
}else if ($response != $answer) {
echo "<p style='color:red;'>Security answer was incorrect.</p>";
// so now we have all errors out of the way, lets go deeper
}else{
$time = date("h:i A");
$date = date("m/d/Y");
$ip = $_SERVER['REMOTE_ADDR'];
$checkIP = mysql_query("SELECT ip FROM guestbook WHERE ip = '$ip'");
// check if we get anything back from the query
if (mysql_num_rows($checkIP) > 0) {
echo "<p style='color:red;'>You already signed.</p>";
} else {
mysql_query("INSERT INTO guestbook VALUES ('', '$name', '$email', '$message', '$time', '$date', '$ip')");
// refresh page
header('Location: http://www.example.com/guestbook');
}
}
}
我做这件事是出于我的头脑,所以不要因此而责备我。我试着指出你的缺点在哪里。例如,您在检查变量时有缺陷,您的安全性有缺陷(当您键入正确的安全答案时,实际上会给出错误消息)
因此,为了解释这一切,在if语句中,你需要深入兔子洞,因为他们说得很好。有时你需要else语句来继续并深入。这样你可以更好地发现你的错误。例如无论如何,您的代码都会输入到数据库中,因为即使您有错误,它也只会进入将其输入到数据库的阶段。(您的答案将被忽略,因为if-else语句中设置的变量不能在该循环之外使用。请将其视为localized variable)
但是,如果你继续深入挖掘if-else语句,你可以随身携带。
编辑
此外,我为您缩进代码,这样您就可以看到我们的深度以及实际有多少if-else语句。如果你有任何问题,请不要犹豫;)
编辑2
实际上,我替换了响应和答案检查1if-else语句,并做了一个else-if语句,以使所有错误都接近。您也可以使用变量来检查num_rows,但我还没有这样做。您也可以在安全检查后将其放入else if语句中。这也应该有效,但为了让它更漂亮,你可以按照我描述的方式。
理论上,这应该是可行的。
它检查所有内容,但执行不会因错误而受阻。将代码包装到try-catch块中,并在每个错误时抛出异常。
try {
if ($_POST['postbtn']) {
$name = strip_tags($_POST['name']);
$email = strip_tags($_POST['email']);
$message = strip_tags($_POST['message']);
$answer = 'abcdefg';
$response = strtolower($_POST['answer']);
// Check if all fields were filled out
// Invert condition
if (!$name || !$email || !$message || $response) {
throw new Exception("You didn't fill out all of the fields.");
}
$time = date("h:i A");
$date = date("m/d/Y");
$ip = $_SERVER['REMOTE_ADDR'];
// And so on...
}
}
catch (Exception $e) {
echo "<p style='color:red;'>" . $e->getMessage() . "</p>";
}