Fatal编程技术网
  • php/
  • Php 人们可以编辑我的表单并发送一个字符串,该字符串与破坏我数据库的电子邮件不同

Php 人们可以编辑我的表单并发送一个字符串,该字符串与破坏我数据库的电子邮件不同

php mysql email

Php 人们可以编辑我的表单并发送一个字符串,该字符串与破坏我数据库的电子邮件不同,php,mysql,email,Php,Mysql,Email,我的表单需要通过输入类型设置emailset,但是人们使用Inspect元素并提交其他非电子邮件的值。其中一个是百分号,它把我的数据库搞得一团糟。我试着检查百分号,但没用。这是我的密码,你能给我一个线索或者告诉我怎么了吗 谢谢 if(strpos($_POST['email'], '%') == false) { $curpass = strtoupper(hash("whirlpool", $_POST['curpass'])); $passii = $con

我的表单需要通过输入类型设置emailset,但是人们使用Inspect元素并提交其他非电子邮件的值。其中一个是百分号,它把我的数据库搞得一团糟。我试着检查百分号,但没用。这是我的密码,你能给我一个线索或者告诉我怎么了吗

谢谢

if(strpos($_POST['email'], '%') == false) 
{
    $curpass = strtoupper(hash("whirlpool", $_POST['curpass']));
    $passii = $con->prepare("SELECT `password` FROM `playerinfo` WHERE `PlayerName` = ?;");
    $passii->execute(array($_SESSION["playername"]));
    while($row = $passii->fetch())
    {
        $curpass1 = $row['password'];
    }
    if($curpass == $curpass1)
    {
        $email = mysql_escape_string($pemail);
        echo "<div class='flash_success'>Your email has been changed.</div>";
        $p_name_settings = $_SESSION['playername'];
        $updatemail = $con->prepare("UPDATE `playerinfo` SET `email` = ? WHERE `PlayerName` = ?");
        $updatemail->execute(array($pemail, $_SESSION["playername"]));
    }
    else
    {
        echo "<div class='flash_error'>You did not enter your current password correctly. Settings were not saved.</div>";
    }
}
您可以使用FILTER_VALIDATE_电子邮件和FILTER_SANITIZE_电子邮件来防止插入。比如:

$email = $_POST['email'];

// Remove all illegal characters from email
$email = filter_var($email, FILTER_SANITIZE_EMAIL);

// Validate e-mail
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // email is a valid email address
    $curpass = strtoupper(hash("whirlpool", $_POST['curpass']));
    $passii = $con->prepare("SELECT `password` FROM `playerinfo` WHERE `PlayerName` = ?;");
    $passii->execute(array($_SESSION["playername"]));
    while($row = $passii->fetch())
    {
        $curpass1 = $row['password'];
    }
    if($curpass == $curpass1)
    {
        $email = mysqli_real_escape_string($con, $email);
        echo "<div class='flash_success'>Your email has been changed.</div>";
        $p_name_settings = $_SESSION['playername'];
        $updatemail = $con->prepare("UPDATE `playerinfo` SET `email` = ? WHERE `PlayerName` = ?");
        $updatemail->execute(array($pemail, $_SESSION["playername"]));
    }
    else
    {
        echo "<div class='flash_error'>You did not enter your current password correctly. Settings were not saved.</div>";
    }
}
你可以用这个

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($email !== false) {
    //do action
}
你能不能定义我的数据库被搞得一团糟。如果!filter_var$_POST['email'],filter_VALIDATE_email{//error}始终验证您的数据服务器端,以确保您获得的数据是您期望的数据。在散列密码时需要使用salt。您应该始终假定通过用户输入提供的任何内容都是恶意的,并在提交后在服务器端执行检查。客户端设置有助于指导用户,但不应将其视为防御线mysql_escape_string,它不会与mysql_以外的任何其他api混合,因此这一行$email=mysql_escape_string$pemail;不行。@Fred ii-接得好!我会修复那个部分。我对函数做了一点修改。它需要一个db连接作为第一个参数。