PHP學習記錄02
PHP 表單驗證
參考:https://www.runoob.com/php/php-form-validation.html
第一步開啓環境:phpstudy、Sublime TEXT、瀏覽器、操作系統
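<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title></title>
<style>
.error {color: #FF0000;}
</style>
</head>
<body>

<?php
// Error messages and echoed values default to "" so the first (GET) render
// shows an empty form without undefined-variable warnings.
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

// Validate only on POST. `?? ''` keeps the script warning-free when
// REQUEST_METHOD is unset (e.g. when run from the CLI).
if (($_SERVER["REQUEST_METHOD"] ?? '') === "POST") {
    if (empty($_POST["name"])) {
        $nameErr = "名字是必需的";
    } else {
        $name = test_input($_POST["name"]);
        // Letters and spaces only; ^...$ forces the whole value to match.
        if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
            $nameErr = "只允許字母和空格";
        }
    }

    if (empty($_POST["email"])) {
        $emailErr = "郵箱是必需的";
    } else {
        $email = test_input($_POST["email"]);
        // The previous regex was unanchored, so any value merely *containing*
        // something like x@y.z was accepted. filter_var checks the whole string.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $emailErr = "非法郵箱格式";
        }
    }

    if (empty($_POST["website"])) {
        $website = "";
    } else {
        $website = test_input($_POST["website"]);
        // Anchored with ^ and $ so text before or after the URL is rejected too.
        if (!preg_match("/^(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]$/i", $website)) {
            $websiteErr = "非法的 URL 的地址";
        }
    }

    if (empty($_POST["comment"])) {
        $comment = "";
    } else {
        $comment = test_input($_POST["comment"]);
    }

    if (empty($_POST["gender"])) {
        $genderErr = "性別是必需的";
    } else {
        // Escaped but not restricted to the two radio values; any other
        // string is simply echoed back (harmlessly, because it is escaped).
        $gender = test_input($_POST["gender"]);
    }
}

/**
 * Normalise one raw form value for safe re-display inside HTML.
 *
 * @param string|null $data raw $_POST value; null when the field is absent
 * @return string trimmed, slash-stripped, HTML-escaped copy
 */
function test_input($data) {
    // (string) cast: trim(null) is deprecated since PHP 8.1.
    $data = trim((string) $data);
    // stripslashes() dates from the magic_quotes era; kept so output is unchanged.
    $data = stripslashes($data);
    // ENT_QUOTES escapes ' as well as ", so the value is safe in any attribute
    // context; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>

<h2>PHP 表單驗證實例</h2>
<p><span class="error">* 必需字段。</span></p>
<!-- PHP_SELF carries any path info appended to the request URL, so it is
     escaped before being placed in the action attribute. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
名字: <input type="text" name="name" value="<?php echo $name;?>">
<span class="error">* <?php echo $nameErr;?></span>
<br><br>
E-mail: <input type="text" name="email" value="<?php echo $email;?>">
<span class="error">* <?php echo $emailErr;?></span>
<br><br>
網址: <input type="text" name="website" value="<?php echo $website;?>">
<span class="error"><?php echo $websiteErr;?></span>
<br><br>
備註: <textarea name="comment" rows="5" cols="40"><?php echo $comment;?></textarea>
<br><br>
性別:
<input type="radio" name="gender" <?php if ($gender === "female") echo "checked";?> value="female">女
<input type="radio" name="gender" <?php if ($gender === "male") echo "checked";?> value="male">男
<span class="error">* <?php echo $genderErr;?></span>
<br><br>
<input type="submit" name="submit" value="Submit">
</form>

<?php
// Values were escaped by test_input(), so echoing them here is safe.
echo "<h2>您輸入的內容是:</h2>";
echo $name;
echo "<br>";
echo $email;
echo "<br>";
echo $website;
echo "<br>";
echo $comment;
echo "<br>";
echo $gender;
?>

</body>
</html>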
html界面
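<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>
<h2>PHP表單驗證實例</h2>
<p>*必需字段</p>
<!-- Static mock-up of the validation form: no method/action, nothing is
     submitted. Field names mirror the PHP version so the two stay in sync. -->
<form>
名字:<input type="text" name="name">*<br>
E-mail:<input type="text" name="email">*<br>
網址:<input type="text" name="website"><br>
備註:<textarea name="comment" rows="5" cols="40"></textarea><br>
<!-- Radio value was "man" here but "male" in every PHP handler on this page;
     aligned to "male" so the mock-up matches what the handlers compare against. -->
性別:<input type="radio" name="gender" value="female">女
<input type="radio" name="gender" value="male">男*<br>
<input type="submit" name="submit" value="Submit">
<h2>您輸入的內容是:</h2>
</form>
</body>
</html>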
php代碼
<script>alert(document.cookie)</script>
/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
<script>alert('hacked')</script>
漏洞分析
在輸入框中輸入
php1.php
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>
<!-- php1.php: plain HTML form. Fields are named "1" and "2" and are POSTed
     to php3.php, which reads them as $_POST['1'] / $_POST['2']. -->
<form action="php3.php" method="post">
user:<input type="text" name="1">
pass:<input type="text" name="2">
<br>
<input type="submit" name="3">
</form>
</body>
</html>
php2.php
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>
<h1>這是GET獲取的位置</h1>
<!-- Reflected XSS sink: the two query-string values below are written into
     the page unescaped, so any markup in them is rendered rather than shown.
     Remediation: htmlspecialchars($_GET['1'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
     for each value (see php5.php on this page for the escaped form action). -->
用戶名:<?php /* unescaped request data */ echo $_GET['1']; ?>
<br>
密碼:<?php /* unescaped request data */ echo $_GET['2']; ?>
</body>
</html>
php3.php
在url中輸入
/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>
<h1>這是POST獲取的位置</h1>
<!-- Reflected XSS sink #1: POST values echoed without HTML escaping. -->
用戶名:<?php /* unescaped request data */ echo $_POST['1']; ?>
<br>
密碼:<?php /* unescaped request data */ echo $_POST['2']; ?>
<!-- Reflected XSS sink #2: PHP_SELF includes any path info appended to the
     request URL and is emitted raw inside the action attribute; this is the
     reflection the URL experiment above exercises. php5.php wraps it in
     htmlspecialchars(), which closes this sink but not #1. -->
<form action="<?php /* unescaped PHP_SELF */ echo $_SERVER["PHP_SELF"];?>" method="post">
user:<input type="text" name="1">
pass:<input type="text" name="2">
<br>
<input type="submit" name="3">
</form>
</body>
</html>
php5.php
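<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>
<h1>這是POST獲取的位置</h1>
<?php
// Escape every reflected request value for the HTML text context. The earlier
// version escaped only PHP_SELF while $_POST['1'] and $_POST['2'] were echoed
// raw (reflected XSS). `?? ''` avoids an undefined-key warning on the first,
// non-POST render.
$user = htmlspecialchars($_POST['1'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$pass = htmlspecialchars($_POST['2'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
用戶名:<?php echo $user; ?>
<br>
密碼:<?php echo $pass; ?>
<!-- PHP_SELF carries any path info appended to the URL, so it is escaped
     before being placed in the attribute. -->
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');?>" method="post">
user:<input type="text" name="1">
pass:<input type="text" name="2">
<br>
<input type="submit" name="3">
</form>
</body>
</html>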
PHP 驗證表單數據
當用戶提交表單時,我們將做以下兩件事情:
-
使用 PHP trim() 函數去除用戶輸入數據中不必要的字符 (如:空格,tab,換行)。
-
使用 PHP stripslashes() 函數去除用戶輸入數據中的反斜槓 (\)
接下來讓我們將這些過濾的函數寫在一個我們自己定義的函數中,這樣可以大大提高代碼的複用性。
將函數命名爲 test_input()。
現在,我們可以通過test_input()函數來檢測 $_POST 中的所有變量, 腳本代碼如下所示:
注意我們在執行以上腳本時,會通過 $_SERVER["REQUEST_METHOD"] 來檢測表單是否被提交。如果 REQUEST_METHOD 是 POST,表單已被提交,數據將被驗證。如果表單未提交,將跳過驗證並顯示空白表單。
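<?php
// Default every value to "" so a GET render has defined variables.
$name = $email = $gender = $comment = $website = "";

// Strict comparison, and `?? ''` on REQUEST_METHOD so a CLI run (no request
// method) does not emit an undefined-index warning.
if (($_SERVER["REQUEST_METHOD"] ?? '') === "POST") {
    // `?? ''` per key: a field missing from the POST body no longer triggers
    // an undefined-index warning (nor trim(null) inside test_input()).
    $name = test_input($_POST["name"] ?? '');
    $email = test_input($_POST["email"] ?? '');
    $website = test_input($_POST["website"] ?? '');
    $comment = test_input($_POST["comment"] ?? '');
    $gender = test_input($_POST["gender"] ?? '');
}

/**
 * Normalise one raw form value for safe re-display inside HTML.
 *
 * @param string|null $data raw $_POST value; null when the field is absent
 * @return string trimmed, slash-stripped, HTML-escaped copy
 */
function test_input($data) {
    // (string) cast: trim(null) is deprecated since PHP 8.1.
    $data = trim((string) $data);
    // stripslashes() dates from the magic_quotes era; kept so output is unchanged.
    $data = stripslashes($data);
    // ENT_QUOTES escapes ' as well as ", so the value is safe in any attribute.
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>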
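<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title></title>
</head>
<body>

<?php
// Default every value to "" so a GET render has defined variables.
$name = $email = $gender = $comment = $website = "";

// Strict comparison; `?? ''` keeps a CLI run free of undefined-index warnings.
if (($_SERVER["REQUEST_METHOD"] ?? '') === "POST") {
    // `?? ''` per key: a missing field no longer warns (nor hits trim(null)).
    $name = test_input($_POST["name"] ?? '');
    $email = test_input($_POST["email"] ?? '');
    $website = test_input($_POST["website"] ?? '');
    $comment = test_input($_POST["comment"] ?? '');
    $gender = test_input($_POST["gender"] ?? '');
}

/**
 * Normalise one raw form value for safe re-display inside HTML.
 *
 * @param string|null $data raw $_POST value; null when the field is absent
 * @return string trimmed, slash-stripped, HTML-escaped copy
 */
function test_input($data) {
    // (string) cast: trim(null) is deprecated since PHP 8.1.
    $data = trim((string) $data);
    // stripslashes() dates from the magic_quotes era; kept so output is unchanged.
    $data = stripslashes($data);
    // ENT_QUOTES escapes ' as well as ", so the value is safe in any attribute.
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>

<h2>PHP 表單驗證實例</h2>
<!-- PHP_SELF carries any path info appended to the URL; escaped for the attribute. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
名字: <input type="text" name="name">
<br><br>
E-mail: <input type="text" name="email">
<br><br>
網址: <input type="text" name="website">
<br><br>
備註: <textarea name="comment" rows="5" cols="40"></textarea>
<br><br>
性別:
<input type="radio" name="gender" value="female">女
<input type="radio" name="gender" value="male">男
<br><br>
<input type="submit" name="submit" value="Submit">
</form>

<?php
// Values were escaped by test_input(), so echoing them here is safe.
echo "<h2>您輸入的內容是:</h2>";
echo $name;
echo "<br>";
echo $email;
echo "<br>";
echo $website;
echo "<br>";
echo $comment;
echo "<br>";
echo $gender;
?>

</body>
</html>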
表單 - 必需字段
字段 | 驗證規則 |
---|---|
名字 | 必需。 + 只能包含字母和空格 |
E-mail | 必需。 + 必需包含一個有效的電子郵件地址(包含"@"和".") |
網址 | 可選。 如果存在,它必需包含一個有效的URL |
備註 | 可選。多行字段(文本域)。 |
性別 | 必需。必需選擇一個。 |
在以下代碼中我們加入了一些新的變量: $nameErr, $emailErr, $genderErr 和 $websiteErr。這些錯誤變量將顯示在必需字段上。我們還爲每個 $_POST 變量增加了一個 if else 語句。這些語句將檢查 $_POST 變量是否爲空(使用 PHP 的 empty() 函數)。如果爲空,將顯示對應的錯誤信息;如果不爲空,數據將傳遞給 test_input() 函數:
必需字段
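<?php
// Error messages and values default to "" so a GET render shows a blank form.
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

// Strict comparison; `?? ''` keeps a CLI run free of undefined-index warnings.
if (($_SERVER["REQUEST_METHOD"] ?? '') === "POST") {
    // Required field: report when empty, otherwise normalise via test_input().
    if (empty($_POST["name"])) {
        $nameErr = "名字是必需的。";
    } else {
        $name = test_input($_POST["name"]);
    }

    if (empty($_POST["email"])) {
        $emailErr = "郵箱是必需的。";
    } else {
        $email = test_input($_POST["email"]);
    }

    // Optional fields: empty() is false for an absent key, so no warning here.
    if (!empty($_POST["website"])) {
        $website = test_input($_POST["website"]);
    }

    if (!empty($_POST["comment"])) {
        $comment = test_input($_POST["comment"]);
    }

    if (empty($_POST["gender"])) {
        $genderErr = "性別是必需的。";
    } else {
        $gender = test_input($_POST["gender"]);
    }
}
?>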
顯示錯誤信息
<!-- Validation form fragment: each required field is followed by a red
     <span class="error"> showing its $...Err message (empty when valid). -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
名字: <input type="text" name="name">
<span class="error">* <?= $nameErr ?></span>
<br><br>
E-mail: <input type="text" name="email">
<span class="error">* <?= $emailErr ?></span>
<br><br>
網址: <input type="text" name="website">
<span class="error"><?= $websiteErr ?></span>
<br><br>
備註: <textarea name="comment" rows="5" cols="40"></textarea>
<br><br>
性別:
<input type="radio" name="gender" value="female">女
<input type="radio" name="gender" value="male">男
<span class="error">* <?= $genderErr ?></span>
<br><br>
<input type="submit" name="submit" value="Submit">
</form>
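<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title></title>
<style>
.error {color: #FF0000;}
</style>
</head>
<body>

<?php
// Error messages and values default to "" so a GET render shows a blank form.
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

// Strict comparison; `?? ''` keeps a CLI run free of undefined-index warnings.
if (($_SERVER["REQUEST_METHOD"] ?? '') === "POST") {
    if (empty($_POST["name"])) {
        $nameErr = "名字是必須的。";
    } else {
        $name = test_input($_POST["name"]);
    }

    if (empty($_POST["email"])) {
        $emailErr = "郵箱是必須的。";
    } else {
        $email = test_input($_POST["email"]);
    }

    // Optional fields: left at "" when absent or empty.
    if (!empty($_POST["website"])) {
        $website = test_input($_POST["website"]);
    }

    if (!empty($_POST["comment"])) {
        $comment = test_input($_POST["comment"]);
    }

    if (empty($_POST["gender"])) {
        $genderErr = "性別是必須的。";
    } else {
        $gender = test_input($_POST["gender"]);
    }
}

/**
 * Normalise one raw form value for safe re-display inside HTML.
 *
 * @param string|null $data raw $_POST value; null when the field is absent
 * @return string trimmed, slash-stripped, HTML-escaped copy
 */
function test_input($data) {
    // (string) cast: trim(null) is deprecated since PHP 8.1.
    $data = trim((string) $data);
    // stripslashes() dates from the magic_quotes era; kept so output is unchanged.
    $data = stripslashes($data);
    // ENT_QUOTES escapes ' as well as ", so the value is safe in any attribute.
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>

<h2>PHP 表單驗證實例</h2>
<p><span class="error">* 必填字段。</span></p>
<!-- PHP_SELF carries any path info appended to the URL; escaped for the attribute. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>">
名字: <input type="text" name="name">
<span class="error">* <?php echo $nameErr;?></span>
<br><br>
E-mail: <input type="text" name="email">
<span class="error">* <?php echo $emailErr;?></span>
<br><br>
網址: <input type="text" name="website">
<span class="error"><?php echo $websiteErr;?></span>
<br><br>
備註: <textarea name="comment" rows="5" cols="40"></textarea>
<br><br>
性別:
<input type="radio" name="gender" value="female">女
<input type="radio" name="gender" value="male">男
<span class="error">* <?php echo $genderErr;?></span>
<br><br>
<input type="submit" name="submit" value="Submit">
</form>

<?php
// Values were escaped by test_input(), so echoing them here is safe.
echo "<h2>您的輸入:</h2>";
echo $name;
echo "<br>";
echo $email;
echo "<br>";
echo $website;
echo "<br>";
echo $comment;
echo "<br>";
echo $gender;
?>

</body>
</html>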
驗證郵件和URL
preg_match() 函數;https://www.runoob.com/php/php-preg_match.html
preg_match — 進行正則表達式匹配。 語法: int preg_match ( string $pattern , string $subject [, array $matches [, int $flags ]] ) 在 subject 字符串中搜索與 pattern 給出的正則表達式相匹配的內容。如果提供了 matches ,則其會被搜索的結果所填充。$matches[0] 將包含與整個模式匹配的文本,$matches[1] 將包含與第一個捕獲的括號中的子模式所匹配的文本,以此類推。
驗證名稱
// Name rule: letters and spaces only. The pattern is anchored (^...$), so the
// whole normalised value must match, not just a substring of it.
$name = test_input($_POST["name"]);
$nameIsValid = preg_match("/^[a-zA-Z ]*$/", $name) === 1;
if (!$nameIsValid) {
    $nameErr = "只允許字母和空格";
}
驗證郵件
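// E-mail rule. The previous regex was unanchored, so any value that merely
// *contained* something like x@y.z was accepted (e.g. "not an address x@y.z").
// filter_var validates the whole string as a single address.
$email = test_input($_POST["email"]);
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $emailErr = "非法郵箱格式";
}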
驗證 URL
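// URL rule: must start with http(s)://, ftp:// or www. and consist only of
// URL characters. Anchored with ^ and $ (the previous \b-only pattern accepted
// any value that contained a URL-like substring surrounded by other text).
$website = test_input($_POST["website"]);
if (!preg_match("/^(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]$/i", $website)) {
    $websiteErr = "非法的 URL 的地址";
}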
驗證 Name, E-mail, 和 URL
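<?php
// Error messages and values default to "" so a GET render shows a blank form.
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

// Strict comparison; `?? ''` keeps a CLI run free of undefined-index warnings.
if (($_SERVER["REQUEST_METHOD"] ?? '') === "POST") {
    if (empty($_POST["name"])) {
        $nameErr = "Name is required";
    } else {
        $name = test_input($_POST["name"]);
        // Letters and spaces only; ^...$ forces the whole value to match.
        if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
            $nameErr = "只允許字母和空格";
        }
    }

    if (empty($_POST["email"])) {
        $emailErr = "Email is required";
    } else {
        $email = test_input($_POST["email"]);
        // The previous regex was unanchored and accepted any value containing
        // an address-like substring; filter_var validates the whole string.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $emailErr = "非法郵箱格式";
        }
    }

    if (!empty($_POST["website"])) {
        $website = test_input($_POST["website"]);
        // Anchored with ^ and $ so text around the URL is rejected too.
        if (!preg_match("/^(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]$/i", $website)) {
            $websiteErr = "非法的 URL 的地址";
        }
    }

    if (!empty($_POST["comment"])) {
        $comment = test_input($_POST["comment"]);
    }

    if (empty($_POST["gender"])) {
        $genderErr = "性別是必需的";
    } else {
        // Escaped by test_input() but not restricted to the two radio values.
        $gender = test_input($_POST["gender"]);
    }
}
?>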
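<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title>菜鳥教程(runoob.com)</title>
<style>
.error {color: #FF0000;}
</style>
</head>
<body>

<?php
// Error messages and values default to "" so a GET render shows a blank form.
$nameErr = $emailErr = $genderErr = $websiteErr = "";
$name = $email = $gender = $comment = $website = "";

// Strict comparison; `?? ''` keeps a CLI run free of undefined-index warnings.
if (($_SERVER["REQUEST_METHOD"] ?? '') === "POST") {
    if (empty($_POST["name"])) {
        $nameErr = "Name is required";
    } else {
        $name = test_input($_POST["name"]);
        // Letters and spaces only; ^...$ forces the whole value to match.
        if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
            $nameErr = "只允許字母和空格";
        }
    }

    if (empty($_POST["email"])) {
        $emailErr = "Email is required";
    } else {
        $email = test_input($_POST["email"]);
        // The previous regex was unanchored and accepted any value containing
        // an address-like substring; filter_var validates the whole string.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $emailErr = "非法郵箱格式";
        }
    }

    if (!empty($_POST["website"])) {
        $website = test_input($_POST["website"]);
        // Anchored with ^ and $ so text around the URL is rejected too.
        if (!preg_match("/^(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]$/i", $website)) {
            $websiteErr = "非法的 URL 的地址";
        }
    }

    if (!empty($_POST["comment"])) {
        $comment = test_input($_POST["comment"]);
    }

    if (empty($_POST["gender"])) {
        $genderErr = "性別是必需的";
    } else {
        // Escaped by test_input() but not restricted to the two radio values.
        $gender = test_input($_POST["gender"]);
    }
}

/**
 * Normalise one raw form value for safe re-display inside HTML.
 *
 * @param string|null $data raw $_POST value; null when the field is absent
 * @return string trimmed, slash-stripped, HTML-escaped copy
 */
function test_input($data) {
    // (string) cast: trim(null) is deprecated since PHP 8.1.
    $data = trim((string) $data);
    // stripslashes() dates from the magic_quotes era; kept so output is unchanged.
    $data = stripslashes($data);
    // ENT_QUOTES escapes ' as well as ", so the value is safe in any attribute.
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>

<h2>PHP 表單驗證實例</h2>
<p><span class="error">* 必需字段。</span></p>
<!-- PHP_SELF carries any path info appended to the URL; escaped for the attribute. -->
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
名字: <input type="text" name="name">
<span class="error">* <?php echo $nameErr;?></span>
<br><br>
E-mail: <input type="text" name="email">
<span class="error">* <?php echo $emailErr;?></span>
<br><br>
網址: <input type="text" name="website">
<span class="error"><?php echo $websiteErr;?></span>
<br><br>
備註: <textarea name="comment" rows="5" cols="40"></textarea>
<br><br>
性別:
<input type="radio" name="gender" value="female">女
<input type="radio" name="gender" value="male">男
<span class="error">* <?php echo $genderErr;?></span>
<br><br>
<input type="submit" name="submit" value="Submit">
</form>

<?php
// Values were escaped by test_input(), so echoing them here is safe.
echo "<h2>您輸入的內容是:</h2>";
echo $name;
echo "<br>";
echo $email;
echo "<br>";
echo $website;
echo "<br>";
echo $comment;
echo "<br>";
echo $gender;
?>

</body>
</html>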