Php 人们可以编辑我的表单并发送一个字符串,该字符串与破坏我数据库的电子邮件不同
我的表单需要通过输入类型设置emailset,但是人们使用Inspect元素并提交其他非电子邮件的值。其中一个是百分号,它把我的数据库搞得一团糟。我试着检查百分号,但没用。这是我的密码,你能给我一个线索或者告诉我怎么了吗 谢谢Php 人们可以编辑我的表单并发送一个字符串,该字符串与破坏我数据库的电子邮件不同,php,mysql,email,Php,Mysql,Email,我的表单需要通过输入类型设置emailset,但是人们使用Inspect元素并提交其他非电子邮件的值。其中一个是百分号,它把我的数据库搞得一团糟。我试着检查百分号,但没用。这是我的密码,你能给我一个线索或者告诉我怎么了吗 谢谢 if(strpos($_POST['email'], '%') == false) { $curpass = strtoupper(hash("whirlpool", $_POST['curpass'])); $passii = $con
if(strpos($_POST['email'], '%') == false)
{
$curpass = strtoupper(hash("whirlpool", $_POST['curpass']));
$passii = $con->prepare("SELECT `password` FROM `playerinfo` WHERE `PlayerName` = ?;");
$passii->execute(array($_SESSION["playername"]));
while($row = $passii->fetch())
{
$curpass1 = $row['password'];
}
if($curpass == $curpass1)
{
$email = mysql_escape_string($pemail);
echo "<div class='flash_success'>Your email has been changed.</div>";
$p_name_settings = $_SESSION['playername'];
$updatemail = $con->prepare("UPDATE `playerinfo` SET `email` = ? WHERE `PlayerName` = ?");
$updatemail->execute(array($pemail, $_SESSION["playername"]));
}
else
{
echo "<div class='flash_error'>You did not enter your current password correctly. Settings were not saved.</div>";
}
}
您可以使用FILTER_VALIDATE_电子邮件和FILTER_SANITIZE_电子邮件来防止插入。比如:
$email = $_POST['email'];
// Remove all illegal characters from email
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
// Validate e-mail
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
// email is a valid email address
$curpass = strtoupper(hash("whirlpool", $_POST['curpass']));
$passii = $con->prepare("SELECT `password` FROM `playerinfo` WHERE `PlayerName` = ?;");
$passii->execute(array($_SESSION["playername"]));
while($row = $passii->fetch())
{
$curpass1 = $row['password'];
}
if($curpass == $curpass1)
{
$email = mysqli_real_escape_string($con, $email);
echo "<div class='flash_success'>Your email has been changed.</div>";
$p_name_settings = $_SESSION['playername'];
$updatemail = $con->prepare("UPDATE `playerinfo` SET `email` = ? WHERE `PlayerName` = ?");
$updatemail->execute(array($pemail, $_SESSION["playername"]));
}
else
{
echo "<div class='flash_error'>You did not enter your current password correctly. Settings were not saved.</div>";
}
}
你可以用这个
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($email !== false) {
//do action
}
你能不能定义我的数据库被搞得一团糟。如果!filter_var$_POST['email'],filter_VALIDATE_email{//error}始终验证您的数据服务器端,以确保您获得的数据是您期望的数据。在散列密码时需要使用salt。您应该始终假定通过用户输入提供的任何内容都是恶意的,并在提交后在服务器端执行检查。客户端设置有助于指导用户,但不应将其视为防御线mysql_escape_string,它不会与mysql_以外的任何其他api混合,因此这一行$email=mysql_escape_string$pemail;不行。@Fred ii-接得好!我会修复那个部分。我对函数做了一点修改。它需要一个db连接作为第一个参数。