我正在尝试为游戏设置一个简单的帐户创建表单。我将在下面发布我的HTML和PHP。
我要做的是阻止以下单词被输入到字符名中:
Mod, Owner, Mawd, M0d, 0wner
另外,我需要阻止特殊字符,如:
!@#$%^&*()_+|'`~
一旦这些被阻止,我的表单将100%完成,除非我决定改变它的模板。
下面是检查输入到表单中的文本的PHP代码。
<?php //data.php
require_once 'login.php';
// Get values from form
$NAME = $_POST['char_name'];
$PASS = $_POST['char_pass'];
$FORUM = $_POST['forum_name'];
$TESTER ="0";
$BANNED ="0";
$RANK ="1";
// Check if form is empty
if(trim($NAME) == '' || trim($PASS) == '' || trim($FORUM) == ''){
header('Location: http://www.runerecovery.us/ingame/notfilled.html');
}
// Check for duplicates
$query = mysql_query("SELECT * FROM accounts WHERE username='$NAME'");
if(mysql_num_rows($query) > 0){
header('Location: http://www.runerecovery.us/ingame/characterexists.html');
}else{
// Insert data into mysql
$sql="INSERT INTO accounts (username,password,forumname,tester,banned,rank)
VALUES ('$NAME','$PASS','$FORUM','$TESTER','$BANNED','$RANK')";
$result = mysql_query($sql);
// if successfully insert data into database, displays message "Successful".
if($result){
header('Location: http://runerecovery.us/ingame/registered.html');
}
else {
echo "ERROR";
}
}
您可以使用下面的代码。我会在您检查是否有任何字段为空之后添加它。下面的代码适用于所有大写和小写。
$invalidCharacterNames = array('Mod', 'Owner', 'Mawd', 'M0d', '0wner');
foreach($invalidCharacterNames as $invalidCharacterName){
if(strtolower($invalidCharacterName) == trim(strtolower($NAME))){
//redirect to error page
header('Location: http://www.runerecovery.us/ingame/invalid_character_name.html')
}
}
最重要的是,你的表单是脆弱的sql注入-阅读这里:http://php.net/manual/en/security.database.sql-injection.php
另外,我建议您使用mysqli和预处理语句http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
更新:使用preg_match或strpos来检查字符串中的特定字符
简单。只需创建一个包含禁用项列表(例如名称)的数组,然后使用in_array与trim($NAME)的值进行比较。我建议在检查之后放置检查表单是否为空,如下所示:
// Check if form is empty
if(trim($NAME) == '' || trim($PASS) == '' || trim($FORUM) == ''){
header('Location: http://www.runerecovery.us/ingame/notfilled.html');
}
// Set an array of banned names.
$banned_names = array('Mod', 'Owner', 'Mawd', 'M0d', '0wner');
// Check if the name is banned.
if(in_array(trim($NAME), $banned_names)) {
header('Location: http://www.runerecovery.us/ingame/banned.html');
}
对于这些字符:
!@#$%^&*()_+|'`~
您可以使用preg_match来查看这些字符是否也在名称中,并对它们进行操作。我看看能不能把它们拼在一起。
编辑:好吧,我有一个很好的preg_match,将很好地工作在上面的字符:
preg_match("/(!|@|#|$|%|'^|'&|'(|')| _|'+|'|''|`|~)/is", trim($NAME));
现在创建一个可以这样使用的条件句:
// Check if the name has banned characters.
if(preg_match("/(!|@|#|$|%|'^|'&|'(|')| _|'+|'|''|`|~)/is", trim($NAME))) {
header('Location: http://www.runerecovery.us/ingame/banned.html');
}
把它们放在一起,像这样:
// Check if form is empty
if(trim($NAME) == '' || trim($PASS) == '' || trim($FORUM) == ''){
header('Location: http://www.runerecovery.us/ingame/notfilled.html');
}
// Check if the name has banned characters.
if(preg_match("/(!|@|#|$|%|'^|'&|'(|')| _|'+|'|''|`|~)/is", trim($NAME))) {
header('Location: http://www.runerecovery.us/ingame/banned.html');
}
// Set an array of banned names.
$banned_names = array('Mod', 'Owner', 'Mawd', 'M0d', '0wner');
// Check if the name is banned.
if(in_array(trim($NAME), $banned_names)) {
header('Location: http://www.runerecovery.us/ingame/banned.html');
}
同样,你也可以用preg_grep代替in_array来做一个不区分大小写的匹配,像这样:
// Check if the name is banned.
if(preg_grep("/" . trim($NAME) . "/i" , $banned_names)) {
header('Location: http://www.runerecovery.us/ingame/banned.html');
}