在我的PHP验证上需要帮助

Question

I'm trying to perform a form register validation but I don't know if I'm doing it right. 我正在尝试执行表单注册验证，但是我不知道我是否做对了。

First I'm storing an error message for each blank field in my form. 首先，我在表单中为每个空白字段存储一条错误消息。 After that if my fields aren't empty I want to validate the username field (from having invalid characters), password and email 之后，如果我的字段不为空，我想验证用户名字段（使用无效字符），密码和电子邮件

The problem is when I delete the die(); 问题是当我删除die（）时； line in my username validation conditional, it does show me both the error message and the succes message and the invalid username is inserted in my database. 用户名验证条件中的第1行，它的确显示了错误消息和成功消息，并且无效的用户名已插入我的数据库中。

I'm pretty sure the problem is in my if($numrows==0) conditional but I can't figure it out why. 我很确定问题出在我的if（$ numrows == 0）条件中，但是我不知道为什么。

<?php
session_start();
$con=mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('user_registration') or die("cannot select DB");


if(isset($_POST["submit"])){

    $arrErrors = array();
    unset($_SESSION['errors']);

    if($_POST['user'] == ''){
        $arrErrors['user_not_completed'] = "Username is not completed!";
        $_SESSION['errors'] = $arrErrors;
        header("Location: register.php");
    }

    if($_POST['pass'] == ''){
        $arrErrors['pass_not_completed'] = "Password is not completed!";
        $_SESSION['errors'] = $arrErrors;
        header("Location: register.php");
    }

    if($_POST['email'] == ''){
        $arrErrors['email_not_completed'] = "Email is not completed!";
        $_SESSION['errors'] = $arrErrors;
        header("Location: register.php");
    }

    if(!empty($_POST['user']) && !empty($_POST['pass']) && !empty($_POST['email'])) {
        $user=$_POST['user'];
        $pass=$_POST['pass'];
        $email=$_POST['email'];

            if(!preg_match("/^[a-zA-Z'-]+$/",$user)) {
                $arrErrors['invalid_user'] = "Username is invalid!";
                $_SESSION['errors'] = $arrErrors;
                header("Location: register.php");
                die();
            } 

        $query=mysql_query("SELECT * FROM users WHERE username='".$user."'");
        $numrows=mysql_num_rows($query);


        if($numrows==0){
            $sql="INSERT INTO users(username,password, email) VALUES('$user','$pass', '$email')";
            $result=mysql_query($sql);


            if($result){
                $arrErrors['succes'] = 'Account successfuly created!';
                $_SESSION['errors'] = $arrErrors;
                header("Location: register.php");
            } 

        } else {
            $arrErrors['already_exists'] = 'That username already exists!';
            $_SESSION['errors'] = $arrErrors;
            header("Location: register.php");
        }

} 

}
?>

Answer 1

Here's what I'd suggest you do: 我建议您这样做：

<?php
    //FIRST I WOULD CHECK IF SESSION EXIST BEFORE STARTING IT:
    if (session_status() == PHP_SESSION_NONE  || session_id() == '') {
        session_start();
    }
    //NEXT I'D USE PDO AS MY DATABASE ABSTRACTION LAYER: IT HAS A LOT OF ADVANTAGES, REALLY:
    //DATABASE CONNECTION CONFIGURATION:
    defined("HOST")     or define("HOST",   "localhost");           //REPLACE WITH YOUR DB-HOST
    defined("DBASE")    or define("DBASE",  "user_registration");   //REPLACE WITH YOUR DB NAME
    defined("USER")     or define("USER",   "root");                //REPLACE WITH YOUR DB-USER
    defined("PASS")     or define("PASS",   "");                    //REPLACE WITH YOUR DB-PASS

    if(isset($_POST["submit"])){
        //THEN CLEAN UP THE SUBMITTED DATA TO AVOID POSSIBLE ATTACKS...
        $user       = isset($_POST['user'])     ? htmlspecialchars(trim($_POST['user']))    : null;     //PROTECT AGAINST ATTACKS
        $pass       = isset($_POST['pass'])     ? htmlspecialchars(trim($_POST['pass']))    : null;     //PROTECT AGAINST ATTACKS
        $email      = isset($_POST['email'])    ? htmlspecialchars(trim($_POST['email']))   : null;     //PROTECT AGAINST ATTACKS
        $passRX     = '#(^[a-zA-z0-9\-\+_\}\{\(\)])([\w\.\-\\:\;\+\(\)\/\}\{\(\)\ ])*\w*$#';
        $userRX     = '#(^[a-zA-z])([\w\.\-\(\)\ ])*\w*$#';
        $arrErrors  = array();

        unset($_SESSION['errors']);

        //CHECK IF USERNAME CONFORMS TO THE CUSTOM USERNAME REG-EXP...
        if(!preg_match($userRX, $user)){
            $arrErrors['user_not_completed'] = "Username is either not completed or is invalid!";
            //SAVE ERRORS TO SESSION
            $_SESSION['errors'] = $arrErrors;
            //REDIRECT BACK TO REGISTER PAGE
            header("Location: register.php");
            exit;
        }

        //CHECK IF PASSWORD CONFORMS TO THE CUSTOM PASSWORD REG-EXP...
        if(!preg_match($passRX, $pass)){
            $arrErrors['pass_not_completed'] = "Password is not completed!";
            //SAVE ERRORS TO SESSION
            $_SESSION['errors'] = $arrErrors;
            //REDIRECT BACK TO REGISTER PAGE
            header("Location: register.php");
            exit;
        }

        //CHECK IF E-MAIL CONFORMS TO THE STANDARD E-MAIL FORMAT USING BUILT-FUNCTIONS...
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $arrErrors['email_not_completed'] = "Email is not completed!";
            //SAVE ERRORS TO SESSION
            $_SESSION['errors'] = $arrErrors;
            //REDIRECT BACK TO REGISTER PAGE
            header("Location: register.php");
            exit;
        }

        //BECAUSE WE HAVE SANITIZED VERSIONS OF OUR $user, $pass & $email VARIABLES
        //WE CAN JUST  USE THEM DIRECTLY HERE:
        if($user && $pass && $email) {
            //HERE WE BEGIN THE PDO HIGH-LEVEL MAGIC... ;-)
            try {
                $dbh        = new PDO('mysql:host='.HOST.';dbname='. DBASE,USER,PASS);
                $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                $stmt       = $dbh->prepare("SELECT * FROM users WHERE username = :user");
                $stmt->execute(['user' => $user]);
                $objUser    = $stmt->fetch(PDO::FETCH_OBJ);

                //THIS USER DOES NOT ALREADY EXIST SO WE GO AHEAD AND CREATE A CORRESPONDING RECORD IN THE DB TABLE
                if(!$objUser){
                    $stmt   = $dbh->prepare("INSERT INTO users (username, password, email) VALUES(:user, :pass, :email)");
                    $stmt->bindParam(':user',   $user);
                    $stmt->bindParam(':pass',   $pass);
                    $stmt->bindParam(':email',  $email);
                    $insertStatus   = $stmt->execute();

                    if($insertStatus){
                        $arrErrors['succes']    = 'Account successfuly created!';
                        $_SESSION['errors']     = $arrErrors;
                        header("Location: register.php");
                        exit;
                    }
                }else {
                    $arrErrors['already_exists']    = 'That username already exists!';
                    $_SESSION['errors']             = $arrErrors;
                    header("Location: register.php");
                    exit;
                }


                //GARBAGE COLLECTION
                $dbh        = null;
            }catch(PDOException $e){
                //YOU HANDLE YOUR EXCEPTIONS HERE IN YOUR OWN UNIQUE MANNER...
                echo $e->getMessage();
            }
        }

    }
?>

Hope this helps a bit... 希望这个对你有帮助...

在我的PHP验证上需要帮助

问题描述

1 个解决方案

解决方案1
1 2016-04-29 13:59:54

在我的PHP验证上需要帮助

问题描述

1 个解决方案

解决方案1 1 2016-04-29 13:59:54

解决方案1
1 2016-04-29 13:59:54