PHP Sign-up Form - Safe and Secure?

I wanted to know how secure this form is and whether it has any potential problems. I tried adding mysqli_real_escape_string to the prepared statement, but it threw an error. Also, when I enter a name with an apostrophe, like "Drew's Garage", it goes into the database as Drew\'s Garage. What should I do about that?

Code:
<?php
if(isset($_POST['submit'])) {
    $errors = array();
    // FILTER_SANITIZE_STRING strips tags and, by default, HTML-encodes quotes
    $clean_name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
    $clean_address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
    $clean_zip = filter_var($_POST['zip_code'], FILTER_SANITIZE_NUMBER_INT);
    $clean_phone = filter_var($_POST['phone'], FILTER_SANITIZE_STRING);
    $clean_email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
    if($_POST['website'] != "") { $clean_url = filter_var($_POST['website'], FILTER_SANITIZE_URL); } else { $clean_url = ""; }
    $formatURL = str_ireplace('www.', '', parse_url($clean_url, PHP_URL_HOST));
    $formatPhone = formatPhone($clean_phone);   // helper defined elsewhere
    if($clean_name == "") {
        $errors[] = "Please enter your Business Name.";
    }
    if($clean_address == "") {
        $errors[] = "Please enter your Business Address.";
    }
    if($clean_zip == "") {
        $errors[] = "Please enter your Business Zip Code.";
    }
    // $clean_zip is interpolated straight into the SQL text here, not bound as a parameter;
    // note also that if the query itself fails, no error is recorded and validation continues
    if ($result = $mysqli->query("SELECT zip_code FROM zip_codes WHERE zip_code = '$clean_zip'")) {
        $row_cnt = $result->num_rows;
        if(!$row_cnt) {
            $errors[] = "Please enter a valid zip code.";
        }
    }
    if($clean_phone == "") {
        $errors[] = "Please enter your Business Phone Number.";
    }
    // same pattern: $clean_email is interpolated into the query string
    if ($check_email = $mysqli->query("SELECT email FROM companies WHERE email = '$clean_email'")) {
        $email_count = $check_email->num_rows;
        if($email_count) {
            $errors[] = "There is already an account associated with that e-mail address.";
        }
    }
    if(!checkEmail($clean_email)) {   // helper defined elsewhere
        $errors[] = "Please enter a valid e-mail address.";
    }
    if ((strlen($_POST['password']) < 8) || (strlen($_POST['password']) > 16)) {
        $errors[] = "Your password must be between 8 and 16 characters.";
    }
    if($_POST['password'] != $_POST['password2']) {
        $errors[] = "Passwords do not match. Please enter the same password.";
    }
    if (count($errors) == 0) {
        /* Create the prepared statement */
        if ($stmt = $mysqli->prepare("INSERT INTO companies (company, address, zip_code, phone, url, password, email, date_created, role, status) values (?, ?, ?, ?, ?, ?, ?, NOW(), 's', '1')")) {
            $hashed_pass = PassHash::hash($_POST['password']);   // hashing class defined elsewhere
            /* Bind our params: values are sent separately from the SQL, so no escaping call is needed here */
            $stmt->bind_param('ssissss', $clean_name, $clean_address, $clean_zip, $formatPhone, $formatURL, $hashed_pass, $clean_email);
            /* Execute the prepared Statement */
            $stmt->execute();
            if($mysqli->error) {
                echo $mysqli->error;
            }
            /* Echo results */
            echo "<div class='success'>Thank You! You are now registered.</div>";
        }
    }
}
if(count(@$errors))
{
    $error_display = implode('<br />',$errors);
    echo "<div class='error'><strong>Error:</strong> $error_display</div>";
}
?>
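As an added example (not the asker's code): the two lookup queries from the form rewritten with bound parameters, so the zip code and e-mail never become part of the SQL text, and with a failed lookup raising an error instead of silently passing validation. It assumes an existing mysqli connection in $mysqli and the form's own table and column names; the five-digit zip check and the choice of password_hash() are my assumptions, not anything the page states.

```php
<?php
// Added example, not the asker's code: the two lookup queries rewritten with
// bound parameters so user input never becomes part of the SQL text.
// Assumes an existing mysqli connection in $mysqli and the form's own
// table/column names (zip_codes.zip_code, companies.email).

// Make prepare()/execute() failures throw instead of returning false, so a
// broken lookup cannot silently pass validation as in the original form.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function zipCodeExists(mysqli $mysqli, string $zip): bool
{
    // Only the '?' placeholder is in the SQL; $zip is sent separately,
    // so quotes or SQL fragments inside it are just data.
    $stmt = $mysqli->prepare('SELECT 1 FROM zip_codes WHERE zip_code = ? LIMIT 1');
    $stmt->bind_param('s', $zip);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

function emailTaken(mysqli $mysqli, string $email): bool
{
    $stmt = $mysqli->prepare('SELECT 1 FROM companies WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    return $taken;
}

// Validate the raw input instead of "sanitizing" it: no mysqli_real_escape_string()
// and no FILTER_SANITIZE_STRING before binding, so "Drew's Garage" is stored as typed.
$name  = trim($_POST['name'] ?? '');
$zip   = trim($_POST['zip_code'] ?? '');
$email = trim($_POST['email'] ?? '');

$errors = [];
if ($name === '') {
    $errors[] = 'Please enter your Business Name.';
}
if (!preg_match('/^\d{5}$/', $zip) || !zipCodeExists($mysqli, $zip)) { // 5-digit zip: an assumption
    $errors[] = 'Please enter a valid zip code.';
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || emailTaken($mysqli, $email)) {
    $errors[] = 'Please enter a valid e-mail address that is not already registered.';
}
// The INSERT then binds $name, $zip and $email exactly as the original form does;
// password_hash($_POST['password'], PASSWORD_DEFAULT) can stand in for PassHash::hash().
```

A backslash that ends up stored before the apostrophe means the value was escaped somewhere before it was bound (an explicit escape call, or magic_quotes_gpc on old PHP); bound parameters need no escaping of their own.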
This might be better on Code Review SE. – cwallenpoole
Oh, sorry. I completely forgot about that site. – Drew
Me? Honestly, I don't know. – cwallenpoole