简体   繁体   English

来自数据库的PHP验证

[英]PHP Validation from database

I am working on a project and I am stuck on the registration page. 我正在从事一个项目,并且停留在注册页面上。 I want to verify if: 我要验证是否:

  1. The mobile number already exists. 手机号码已经存在。
  2. The username already exists. 这个账户名已经存在。
  3. The Email ID already exists. 电子邮件ID已经存在。

Currently in my code I have added validation for the mobile number and it is working fine. 目前,在我的代码中,我已经添加了对手机号码的验证,并且可以正常工作。 But the username and email part I am not understanding how to implement it. 但是用户名和电子邮件部分我不了解如何实现。 Please help me out with my problem. 请帮我解决我的问题。

Here is my code. 这是我的代码。

<?php
$msg = '';
if(isset($_POST['register']))
{
    $uname = (!empty($_POST['username']))?$_POST['username']:null;
    $pass = (!empty($_POST['pass']))?$_POST['pass']:null;
    $cpass = (!empty($_POST['cpass']))?$_POST['cpass']:null;
    $fname = (!empty($_POST['fname']))?$_POST['fname']:null;
    $lname = (!empty($_POST['lname']))?$_POST['lname']:null;
    $email = (!empty($_POST['email']))?$_POST['email']:null;
    $mobile = (!empty($_POST['mobile']))?$_POST['mobile']:null;

if($uname == '' || $pass == '' || $cpass == '' || $fname == '' || $lname == '' || $email == '' || $mobile == ''){
    $msg = "<font color='red'>Fields cannot be empty</font>";
}else if(strlen($uname)<5){
    $msg = "<font color='red'>Username must be at least 5 characters long</font>";
}else if(strlen($pass)<6 && strlen($cpass)<6){
    $msg = "<font color='red'>Password must be at least 6 characters long</font>";
}else if($pass != $cpass){
    $msg = "<font color='red'>Passwords are not matching</font>";
}else if(!is_numeric($mobile)){
    $msg = "<font color='red'>Mobile number should contain only numbers</font>";
}else if(strlen($mobile)<10){
    $msg = "<font color='red'>Mobile number should be at least 10 characters long</font>";
}else{

        $query = "SELECT user_mobile FROM user_reg WHERE user_mobile = '".$mobile."'";
        $query1 = mysql_query($query) or die(mysql_error());
        $num_rows = mysql_num_rows($query1);
        $row = mysql_fetch_array($query1);

        if($num_rows > 0)
        {
          $msg = "<font color='red'>Mobile number already exists. Please try again...</font>";
        }
else{
    $str = "INSERT INTO user_reg(user_email, user_uname, user_pass, user_fname, user_lname, user_mobile)VALUES('$email','$uname','$pass','$fname','$lname','$mobile')";
    $sql = mysql_query($str) or die(mysql_error());

if($sql){
    $msg = "<font color='green'>Regstration successfull. Please Login to use your account.</font>";
    }else{
    $msg = "<font color='red'>Sorry.. There are some errors. Please fix them before you continue.</font>";
   }
  }
 }
}
?>

HTML part. HTML部分。

<div class="reg-box"><br />
  <center>
    <?php echo $msg; ?>
  </center>
  <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <div>
      <label>Username</label>
      <input type="text" name="username" value="" class="a-text" />
    </div>
    <div>
      <label>Password</label>
      <input type="password" name="pass" value="" class="a-text" />
    </div>
    <div>
      <label>Confirm Password</label>
      <input type="password" name="cpass" value="" class="a-text" />
    </div>
    <div>
      <label>First Name</label>
      <input type="text" name="fname" value="" class="a-text" />
    </div>
    <div>
      <label>Last Name</label>
      <input type="text" name="lname" value="" class="a-text" />
    </div>
    <div>
      <label>Email</label>
      <input type="email" name="email" value="" class="a-text" />
    </div>
    <div>
      <label>Mobile</label>
      <input type="text" name="mobile" value="" class="a-text" maxlength="10" />
    </div>
    <input type="submit" name="register" value="Register" class="button" id="button-left" />
  </form>
</div>

What should I do add username and email validation? 我该怎么做添加用户名和电子邮件验证? Please help me out friends. 请帮帮我。

It has already been stated in comments that your code isn't safe to use. 注释中已经指出,您的代码不安全。

Use prepared statements and a modern password hashing method. 使用准备好的语句和现代的密码哈希方法。

  • Consult my footnotes. 请查阅我的脚注。

To answer the question, use the following: 要回答这个问题,请使用以下命令:

$query = "SELECT * FROM user_reg 
WHERE user_mobile = '".$mobile."'

AND user_email = '$email' 
AND user_uname = '$uname' 

";
  • That will match for all conditions. 这将适合所有条件。

  • You could seperate the condition using OR or a mix of, in order to check for "any" condition. 您可以使用OR或混合使用这些条件,以检查“任何”条件。 I will let you decide which conditions should be met. 我将让您决定应满足哪些条件。


Footnotes : 脚注

Your present code is open to SQL injection . 您当前的代码可以进行SQL注入 Use mysqli with prepared statements , or PDO with prepared statements , they're much safer . mysqli与预处理语句配合使用,或将PDO与预处理语句配合使用则更加安全

Passwords: 密码:

I noticed you may be storing passwords in plain text. 我注意到您可能以纯文本形式存储密码。 If this is the case, it is highly discouraged. 如果是这种情况,强烈建议不要这样做。

However I have not yet used the MD5 encryption which I will use later. 但是,我尚未使用MD5加密,以后将使用它。

Plus, you mentioned in wanting to use MD5 in commments. 另外,您曾提到要在注释中使用MD5。 Do not use that. 不要使用它。 It is old and no longer safe to use as a password hashing/storage method. 它已经过时,不再安全用作密码哈希/存储方法。

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. 我建议您使用CRYPT_BLOWFISH或PHP 5.5的password_hash()函数。 For PHP < 5.5 use the password_hash() compatibility pack . 对于PHP <5.5,使用password_hash() compatibility pack

@Jha, it seems you are quite confused. @Jha,看来您很困惑。 Yh I know, is kind of wierd. h,我知道,有点奇怪。 But if I were you I will go by: 但是如果我是你,我会经过:

<?php
$msg = '';

if (isset($_POST['register'])) {

    $uname  = (!empty($_POST['username'])) ? $_POST['username'] : null;
    $pass   = (!empty($_POST['pass'])) ? $_POST['pass'] : null;
    $cpass  = (!empty($_POST['cpass'])) ? $_POST['cpass'] : null;
    $fname  = (!empty($_POST['fname'])) ? $_POST['fname'] : null;
    $lname  = (!empty($_POST['lname'])) ?$_POST['lname'] : null;
    $email  = (!empty($_POST['email'])) ?$_POST['email'] : null;
    $mobile = (!empty($_POST['mobile'])) ?$_POST['mobile'] : null;

    if ($uname == '' || $pass == '' || $cpass == '' || $fname == '' || $lname == '' || $email == '' || $mobile == '') {
        $msg = "<font color='red'>Fields cannot be empty</font>";

    } else if (strlen($uname) < 5) {
        $msg = "<font color='red'>Username must be at least 5 characters long</font>";

    } else if (strlen($pass) < 6 && strlen($cpass) < 6) {
        $msg = "<font color='red'>Password must be at least 6 characters long</font>";

    } else if ($pass != $cpass) {
        $msg = "<font color='red'>Passwords are not matching</font>";

    } else if (!is_numeric($mobile)) {
        $msg = "<font color='red'>Mobile number should contain only numbers</font>";

    } else if (strlen($mobile) < 10) {
        $msg = "<font color='red'>Mobile number should be at least 10 characters long</font>";

    } else {
        //query for mobile validation
        $m_sql      = "SELECT user_mobile FROM user_reg WHERE user_mobile = '".$mobile."'";
        $m_query    = mysql_query($m_sql) or die(mysql_error());
        $m_num_rows = mysql_num_rows($m_query);
        $m_row      = mysql_fetch_array($m_query);

        //query for username validation
        $u_sql      = "SELECT user_mobile FROM user_reg WHERE user_mobile = '".$uname."'";
        $u_query    = mysql_query($u_sql) or die(mysql_error());
        $u_num_rows = mysql_num_rows($u_query);
        $u_row      = mysql_fetch_array($u_query);

        //query for email validation
        $e_sql      = "SELECT user_email FROM user_reg WHERE user_mobile = '".$email."'";
        $e_query    = mysql_query($e_sql) or die(mysql_error());
        $e_num_rows = mysql_num_rows($e_query);
        $e_row      = mysql_fetch_array($e_query);

        if ($m_num_rows > 0) {
            $msg = "<font color='red'>Mobile number already exists. Please try again...</font>";

        } else if ($u_num_rows > 0) {
            $msg = "<font color='red'>Username already exists. Please choose a unique one...</font>";

        } else if ($e_num_rows > 0) {
            $msg = "<font color='red'>Email already exists. Please choose a unique one...</font>";

        } else {
            $str = "INSERT INTO user_reg(user_email, user_uname, user_pass, user_fname, user_lname, user_mobile)VALUES('$email','$uname','$pass','$fname','$lname','$mobile')";
            $sql = mysql_query($str) or die(mysql_error());

            if ($sql) {
                $msg = "<font color='green'>Regstration successfull. Please Login to use your account.</font>";
            } else {
                $msg = "<font color='red'>Sorry.. There are some errors. Please fix them before you continue.</font>";
            }
        }
    }
}

?> ?>

Besides fixing your code so that it's not vulnerable to SQL injection you should change your query to check all three inputs at the same time using the OR operator. 除了修复代码以使其不易受到SQL注入攻击外,还应更改查询以使用OR运算符同时检查所有三个输入。

$query = "SELECT * FROM user_reg WHERE user_mobile = '".$mobile."' OR user_uname = '".$uname."' OR user_email = '".$email."'";

Then if you do get any hits you can check to see what it was: 然后,如果确实有任何点击,您可以检查一下它是什么:

if($query1->num_rows > 0){
        while($field = $query1->fetch_assoc()){
            if($field['user_mobile'] === $mobile){
                 $msg = $msg . "<font color='red'> Mobile number already exists. Please try again...</font>";
            }
            if($field['user_email'] === $email){
                $msg = $msg . "<font color='red'> Email already exists. Please choose a unique one...</font>";
            }
            if($field['user_uname'] === $uname){
                 $msg = $msg . "<font color='red'> Username already exists. Please choose a unique one...</font>";
            }
        }
    }

But like the others say, you'll want to switch to using either MySQLi or PDO_MySQL 但是就像其他人说的那样,您将想要切换为使用MySQLi或PDO_MySQL

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM