Need assistance on my PHP validation

I'm trying to do form registration validation, but I don't know if I'm doing it right.

First, I store an error message for each blank field in the form. After that, if my fields are not empty, I want to validate the username field (no invalid characters), the password and the email.

The problem is that when I remove the die(); on my username-validation condition line, it shows me both the error message and the success message, and an invalid username gets inserted into my database.

I'm pretty sure the problem is in my if($numrows==0) condition, but I don't know why.

<?php
session_start();
$con=mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('user_registration') or die("cannot select DB");

if(isset($_POST["submit"])){
    $arrErrors = array();
    unset($_SESSION['errors']);
    if($_POST['user'] == ''){
        $arrErrors['user_not_completed'] = "Username is not completed!";
        $_SESSION['errors'] = $arrErrors;
        header("Location: register.php");
    }
    if($_POST['pass'] == ''){
        $arrErrors['pass_not_completed'] = "Password is not completed!";
        $_SESSION['errors'] = $arrErrors;
        header("Location: register.php");
    }
    if($_POST['email'] == ''){
        $arrErrors['email_not_completed'] = "Email is not completed!";
        $_SESSION['errors'] = $arrErrors;
        header("Location: register.php");
    }
    if(!empty($_POST['user']) && !empty($_POST['pass']) && !empty($_POST['email'])) {
        $user=$_POST['user'];
        $pass=$_POST['pass'];
        $email=$_POST['email'];
        // Username may only contain letters, apostrophes and hyphens
        if(!preg_match("/^[a-zA-Z'-]+$/",$user)) {
            $arrErrors['invalid_user'] = "Username is invalid!";
            $_SESSION['errors'] = $arrErrors;
            header("Location: register.php");
            die();
        }
        // Check whether the username is already taken
        $query=mysql_query("SELECT * FROM users WHERE username='".$user."'");
        $numrows=mysql_num_rows($query);

        if($numrows==0){
            $sql="INSERT INTO users(username,password, email) VALUES('$user','$pass', '$email')";
            $result=mysql_query($sql);

            if($result){
                $arrErrors['succes'] = 'Account successfully created!';
                $_SESSION['errors'] = $arrErrors;
                header("Location: register.php");
            }
        } else {
            $arrErrors['already_exists'] = 'That username already exists!';
            $_SESSION['errors'] = $arrErrors;
            header("Location: register.php");
        }
    }
}
?>

Here is what I would suggest you do:

<?php
    //FIRST I WOULD CHECK IF SESSION EXIST BEFORE STARTING IT:
    if (session_status() == PHP_SESSION_NONE  || session_id() == '') {
        session_start();
    }
    //NEXT I'D USE PDO AS MY DATABASE ABSTRACTION LAYER: IT HAS A LOT OF ADVANTAGES, REALLY:
    //DATABASE CONNECTION CONFIGURATION:
    defined("HOST")     or define("HOST",   "localhost");           //REPLACE WITH YOUR DB-HOST
    defined("DBASE")    or define("DBASE",  "user_registration");   //REPLACE WITH YOUR DB NAME
    defined("USER")     or define("USER",   "root");                //REPLACE WITH YOUR DB-USER
    defined("PASS")     or define("PASS",   "");                    //REPLACE WITH YOUR DB-PASS
    if(isset($_POST["submit"])){
        //THEN CLEAN UP THE SUBMITTED DATA TO AVOID POSSIBLE ATTACKS...
        $user       = isset($_POST['user'])     ? htmlspecialchars(trim($_POST['user']))    : null;     //PROTECT AGAINST ATTACKS
        $pass       = isset($_POST['pass'])     ? htmlspecialchars(trim($_POST['pass']))    : null;     //PROTECT AGAINST ATTACKS
        $email      = isset($_POST['email'])    ? htmlspecialchars(trim($_POST['email']))   : null;     //PROTECT AGAINST ATTACKS
        // PASSWORD: LEADING LETTER/DIGIT/SYMBOL, THEN WORD CHARS AND PUNCTUATION
        $passRX     = '#(^[a-zA-Z0-9\-\+_\}\{\(\)])([\w\.\-\:\;\+\(\)\/\}\{\(\)\ ])*\w*$#';
        // USERNAME: LEADING LETTER, THEN WORD CHARS, DOT, DASH, PARENS OR SPACE
        $userRX     = '#(^[a-zA-Z])([\w\.\-\(\)\ ])*\w*$#';
        $arrErrors  = array();
        unset($_SESSION['errors']);
        //CHECK IF USERNAME CONFORMS TO THE CUSTOM USERNAME REG-EXP...
        if(!preg_match($userRX, $user)){
            $arrErrors['user_not_completed'] = "Username is either not completed or is invalid!";
            //SAVE ERRORS TO SESSION
            $_SESSION['errors'] = $arrErrors;
            //REDIRECT BACK TO REGISTER PAGE
            header("Location: register.php");
            exit;
        }
        //CHECK IF PASSWORD CONFORMS TO THE CUSTOM PASSWORD REG-EXP...
        if(!preg_match($passRX, $pass)){
            $arrErrors['pass_not_completed'] = "Password is not completed!";
            //SAVE ERRORS TO SESSION
            $_SESSION['errors'] = $arrErrors;
            //REDIRECT BACK TO REGISTER PAGE
            header("Location: register.php");
            exit;
        }
        //CHECK IF E-MAIL CONFORMS TO THE STANDARD E-MAIL FORMAT USING BUILT-FUNCTIONS...
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $arrErrors['email_not_completed'] = "Email is not completed!";
            //SAVE ERRORS TO SESSION
            $_SESSION['errors'] = $arrErrors;
            //REDIRECT BACK TO REGISTER PAGE
            header("Location: register.php");
            exit;
        }
        //BECAUSE WE HAVE SANITIZED VERSIONS OF OUR $user, $pass & $email VARIABLES
        //WE CAN JUST  USE THEM DIRECTLY HERE:
        if($user && $pass && $email) {
            //HERE WE BEGIN THE PDO HIGH-LEVEL MAGIC... ;-)
            try {
                $dbh        = new PDO('mysql:host='.HOST.';dbname='. DBASE,USER,PASS);
                $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                $stmt       = $dbh->prepare("SELECT * FROM users WHERE username = :user");
                $stmt->execute(['user' => $user]);
                $objUser    = $stmt->fetch(PDO::FETCH_OBJ);
                //THIS USER DOES NOT ALREADY EXIST SO WE GO AHEAD AND CREATE A CORRESPONDING RECORD IN THE DB TABLE
                if(!$objUser){
                    $stmt   = $dbh->prepare("INSERT INTO users (username, password, email) VALUES(:user, :pass, :email)");
                    $stmt->bindParam(':user',   $user);
                    $stmt->bindParam(':pass',   $pass);
                    $stmt->bindParam(':email',  $email);
                    $insertStatus   = $stmt->execute();
                    if($insertStatus){
                        $arrErrors['succes']    = 'Account successfully created!';
                        $_SESSION['errors']     = $arrErrors;
                        header("Location: register.php");
                        exit;
                    }
                }else {
                    $arrErrors['already_exists']    = 'That username already exists!';
                    $_SESSION['errors']             = $arrErrors;
                    header("Location: register.php");
                    exit;
                }

                //GARBAGE COLLECTION
                $dbh        = null;
            }catch(PDOException $e){
                //YOU HANDLE YOUR EXCEPTIONS HERE IN YOUR OWN UNIQUE MANNER...
                echo $e->getMessage();
            }
        }
    }
?>

Hope this helps...
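The following is an added example written for this page; it is neither the question's code nor the answerer's. It keeps the same flow (validate, then insert through PDO, then redirect to register.php with messages in $_SESSION['errors']) but changes the parts a reviewer would flag in both scripts above: every header() is followed by exit, which is the actual cause of the "error message and success message, and the row still gets inserted" behaviour in the question; the password is hashed with password_hash() instead of being stored as typed; input is validated rather than passed through htmlspecialchars() (which would silently alter a password containing & < > " or '); the duplicate check relies on a UNIQUE index instead of SELECT-then-INSERT; and database exceptions are logged rather than echoed to the client. The users table with a UNIQUE index on username, the local credentials and the PHP 5.5+ / PDO MySQL environment are assumptions.

```php
<?php
// Added example (not code from the question or the answer above).
// Assumptions: the same `users` table, extended with a UNIQUE index on
// username, e.g.
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(32) NOT NULL UNIQUE,
//     password VARCHAR(255) NOT NULL,   -- wide enough for password_hash() output
//     email    VARCHAR(254) NOT NULL);
// and PHP >= 5.5 (password_hash) with the PDO MySQL driver.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Hypothetical local credentials, mirroring the question's setup.
const DB_DSN  = 'mysql:host=localhost;dbname=user_registration;charset=utf8mb4';
const DB_USER = 'root';
const DB_PASS = '';

/**
 * Validate the normalized form values and return error messages keyed like
 * the original $arrErrors; an empty array means the input is acceptable.
 * Input is validated, not rewritten: htmlspecialchars() belongs at output
 * time (in register.php), and applying it to a password changes what is stored.
 */
function validate_registration($user, $pass, $email)
{
    $errors = array();
    // Username: 3-32 chars, starts with a letter, then letters, digits, . _ -
    if (!preg_match('/^[A-Za-z][A-Za-z0-9._-]{2,31}$/', $user)) {
        $errors['invalid_user'] = 'Username is invalid!';
    }
    // Password: check length only; a character-class regex mostly rejects
    // good passphrases while doing nothing against weak ones. 1024 is a sanity cap.
    if (strlen($pass) < 8 || strlen($pass) > 1024) {
        $errors['invalid_pass'] = 'Password must be at least 8 characters!';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['invalid_email'] = 'Email is invalid!';
    }
    return $errors;
}

/**
 * Insert the account and let the UNIQUE index decide whether the name is
 * taken. SELECT-then-INSERT leaves a window in which two requests can both
 * see zero rows and both insert. Returns 'created', 'already_exists' or 'error'.
 */
function create_account(PDO $dbh, $user, $pass, $email)
{
    $stmt = $dbh->prepare(
        'INSERT INTO users (username, password, email) VALUES (:user, :pass, :email)'
    );
    try {
        $stmt->execute(array(
            ':user'  => $user,
            ':pass'  => password_hash($pass, PASSWORD_DEFAULT), // never the plaintext
            ':email' => $email,
        ));
        return 'created';
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation (duplicate username)
        if ($e->getCode() == '23000') {
            return 'already_exists';
        }
        error_log($e->getMessage()); // driver details go to the log, not the response
        return 'error';
    }
}

/** Store the messages for register.php and stop: header() alone does not end the script. */
function redirect_with(array $messages)
{
    $_SESSION['errors'] = $messages;
    header('Location: register.php');
    exit;
}

if (isset($_POST['submit'])) {
    unset($_SESSION['errors']);
    $user  = isset($_POST['user'])  ? trim((string) $_POST['user'])  : '';
    $pass  = isset($_POST['pass'])  ? (string) $_POST['pass']        : '';
    $email = isset($_POST['email']) ? trim((string) $_POST['email']) : '';

    $errors = validate_registration($user, $pass, $email);
    if ($errors) {
        redirect_with($errors);
    }
    try {
        $dbh = new PDO(DB_DSN, DB_USER, DB_PASS, array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ));
    } catch (PDOException $e) {
        error_log($e->getMessage());
        redirect_with(array('error' => 'Registration failed, please try again.'));
    }
    $status = create_account($dbh, $user, $pass, $email);
    if ($status === 'created') {
        redirect_with(array('succes' => 'Account successfully created!'));
    } elseif ($status === 'already_exists') {
        redirect_with(array('already_exists' => 'That username already exists!'));
    }
    redirect_with(array('error' => 'Registration failed, please try again.'));
}
```

Two points worth checking when adapting this: register.php must still escape the messages it reads from $_SESSION['errors'] with htmlspecialchars() at display time, since the input is no longer altered on the way in; and the login script has to compare with password_verify() against the stored hash, because the password column no longer holds what the user typed.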