问题描述
什么是最方便的方式,用PHP验证表单的最佳方式?我不希望JavaScript这样的语言验证我的表单,我想知道使用PHP进行表单验证的最佳方法,更干净的方式来完成它。
我是PHP的新手,我在注册页面上工作,完成了它,我想知道我做的方法是否可以接受,以及是否有最佳,方便,干净的方法来验证表单。
这是我使用的方法:
if(post表单提交(动作相同的页面)){
$ errors = array(); //将变量错误初始化为数组
if(用户名的各种控件不能出现){
$ errors [] ='Inputnot valid。';
}
//例如:
if(empty($ _ POST ['username'])||!ctype_alnum($ _ POST ['username'])){
$ errors [] ='用户名无效。';
if(empty($ _ POST ['email'])||!filter_var($ _ POST ['email'],FILTER_VALIDATE_EMAIL)){
$ errors [] ='电子邮件无效。';
if(empty($ errors)){//检查数组是否为空,以便没有错误
echo'everything is ok';
} else {//有错误
foreach($ errors为$ error){
echo $ error;
}
}
}
//开始HTML
<!DOCTYPE html>
验证取决于您的程序逻辑。对用户输入的每个字段应用适当的逻辑。不信任。我会谈论消毒。在使用db查询之前进行清理。在打印到html之前也要进行消毒。 2种不同的消毒方式。
消毒数字是最简单的:
$ var =(int)$ var;
现在没有办法 $ var
可以伤害任何东西。数据库和html输出的安全。
用于字符串数据我做 preg_replace
或 str_replace
并删除所有不期望的字符。只需google即可获得您需要的正则表达式,并使用 preg_replace
。
用于用户提交的文本在输出之前,请使用 htmlspecialchars()
或 htmlentities()
。
密码:无论何时输入密码,立即对其使用单向散列(如 md5()
或更好)。比较哈希值是否相等。你永远不需要知道或存储实际的PW。通过将PW存储为散列,攻击你的用户表的人将看到一堆散列,当进入PW字段时将不起作用。腌制你的哈希将使它更难以扭转加密。即在散列之前将每个密码都准确地加上9827345978457。 (总是相同的不可猜测的盐)。
电子邮件:验证将检查@和点。但它只是为了帮助用户拼写错误。清理电子邮件:为数据库设置参数或转义,并在输出时使用 htmlspecialchars()
。
What is the the most convenient way, the "best" way for validate a form with PHP? I don't want languages like Javascript for validate my form, I want to know the best approach for do a form validation using only PHP, the more cleanly way to do it.
I'm new with PHP, I'm working on a registration page, I finish it and I want to know if the approach that I do it's acceptable and if there is a best, convenient, clean way for validate a form.
This is the approach that I use:
if (post form submitted (action same page)) {
$errors = array(); // Initialize the variable error as an array
if (various controls for the username which must not occur) {
$errors[] = 'Inputnot valid.';
}
// for example:
if (empty($_POST['username']) || !ctype_alnum($_POST['username'])) {
$errors[] = 'Username not valid.';
}
if (empty($_POST['email']) || !filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
$errors[] = 'Email not valid.';
}
if (empty($errors)) { // Check if the array is empty so that there are no errors
echo 'everything is ok';
} else { // There is errors
foreach ($errors as $error) {
echo $error;
}
}
}
// Begin HTML
<!DOCTYPE html>
Validating depends on your program logic. apply appropriate logic to each field of user input. trust none of it. I'll talk about sanitizing. sanitize before using in a db query. also sanitize before printing to html. 2 different kinds of sanitizing.
Sanitizing numbers is the easiest:$var = (int)$var;
Now there's no way $var
can hurt anything. Safe for db and for html output.
for string data I do preg_replace
or str_replace
and remove any characters im not expecting. just google for the regular expression you need and use with preg_replace
.
For user-submitted text that is posted to a site, use htmlspecialchars()
or htmlentities()
before you output it.
passwords: whenever you have a password entered, immediately use a 1-way hash on it (as md5()
or better). Compare the hashes for equality. you never have to know or store the actual PW. by storing PWs as hashes, someone who hacks your user table will see a bunch of hashes that wont work when entered into PW field. salting your hashes will make it harder to reverse the encryption. ie add exactly "9827345978457" to EVERY password before hashing. (always the same unguessable salt).
emails: validating would be to check for the @ and the dot. but its just to help the user from misspelling. sanitizing emails: parameterize or escape for db, and when output use htmlspecialchars()
.
Note, preg_replace doesnt apply when the user can enter any text and have it be valid (ie PWs). Those are the hardest inputs to deal with.
这篇关于使用PHP验证表单的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!