您应该使用PHP正则表达式来严格验证输入数据。
假设您要验证以下输入字段,
- 用户名
- 密码
- 名字
- 姓
- 电子邮件
那么你会做这样的事情,
if(isset($_POST['submit']) && !empty($_POST['submit'])){ // use a boolean variable to keep track of errors $error = false; // Username validation $username = trim($_POST['username']); $username_pattern = "/^[a-zA-Z0-9]{3,15}$/"; // username should contain only letters and numbers, and length should be between 3 and 15 characters if(preg_match($username_pattern, $username)){ // success }else{ // error $error = true; } // Password validation $password = $_POST['password']; $/confirm/i_password = $_POST['/confirm/i_password']; if(strlen($password) >= 6 && $password===$/confirm/i_password){ // length of the password should be greater than or equal to 6 // success }else{ // error $error = true; } // First name validation $first_name = trim($_POST['first_name']); $first_name_pattern = "/^[a-zA-Z]{2,15}$/"; if(preg_match($first_name_pattern, $first_name)){ // first name should contain only letters and length should be between 2 and 15 characters // success }else{ // error $error = true; } // Last name validation $last_name = trim($_POST['last_name']); $last_name_pattern = "/^[a-zA-Z]{2,15}$/"; if(preg_match($last_name_pattern, $last_name)){ // last name should contain only letters and length should be between 2 and 15 characters // success }else{ // error $error = true; } // Email validation $email = trim() $email_pattern = "/^([a-z0-9._+-]{3,30})@([a-z0-9-]{2,30})((.([a-z]{2,20})){1,3})$/"; if(preg_match($email_pattern, $email)){ // validate email addresses // success }else{ // error $error = true; } if(!$error){ // all fields are validated. Now do your database operations. }else{ // display error message }}并使用PDO准备阻止您的数据库进行任何形式的SQL注入。
从 PDO :: prepare
为将使用不同参数值多次发出的语句调用PDO :: prepare()和PDOStatement ::
execute()可通过允许驱动程序协商查询计划的客户端和/或服务器端缓存来优化应用程序的性能,并元信息,并 消除了手动引用参数的需要 ,从而
有助于防止SQL注入攻击。
