PHP表单及印证-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

PHP表单及印证

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 am 10:54 AM

echophppost

PHP表单及验证

一、概述

PHP在处理一个页面时，它都会检查URL和表单变量、上传的文件、可用的cookie以及Web服务器和环境变量。之后，这些信息就可以通过下面这些数组直接访问：$_GET、$_POST、$_FILES、$_COOKIE、$_SERVER和$_ENV。也就是说，PHP会分别保存在查询字符串中设置的变量、一个post请求的主题内容、上传的文件、cookie、Web服务器及Web服务器运行其上的环境等这些信息。当然，也有一个$_REQUEST变量，它是包含着前面六个数组中全部值的一个大数组。

variables_order
当在$_REQUEST数组中放置元素时，如果两个数组都有一个同名的键，PHP会根据php.ini中的variables_order配置指令决定如何切断他们之间的联系。在默认情况下，variables_order的值是EGPCS(如果使用的是php.ini-recommended配置文件，则是GPCS)。也就是说，PHP首先会把环境变量添加到$_REQUEST中，然后再依次添加查询字符串(get)、post、cookie、和web服务器变量。在这种情况下，因为默认是C在P的后面，所以一个名为username的cookie会覆盖一个同样名为username的post变量。注意，php.ini-recommended文件中的GPCS值表明$_ENV数组中的环境变量不会被添加到$_REQUEST数组中。

track_vars
在PHP4.1之前，这些自动全局变量是不存在的。当时，它们只是一些常规的数组，名字分别为$HTTP_COOKIE_VARS、$HTTP_ENV_VARS、$HTTP_GET_VARS、$HTTP_POST_VARS、$HTTP_POST_FILES和$HTTP_SERVER_VARS。出于继承的原因，这些数组仍然是有效的，只不过新增加的数组更容易使用。这些老数组只有在track_vars配置指令为on时才会被赋值。(此选项自php4.0.3后总是开启的，不再通过track_vars=设置）

register_globals
如果register_globals配置指令的值是on，那么以上所有的变量同样也将作为全局名称空间中的变量。所以$_GET['password']的值也可以使用$password访问。这样虽然方便，但却也引入了较大的安全问题。自PHP 4.2起，register_globals的默认值为off。

以上是PHP表单提交数据时涉及的相关知识的一些简单介绍。为了保证PHP代码的安全，PHP表单处理程序不能忽略两个很重要的步骤：数据验证和输出转义。保证输入的信息对程序是可以接受的；保证恶意用户不会利用你的网站攻击其他的网站。

二、数据验证

需牢记的几点：
1、所有接收的数据不一定如你前端(html及javascript)约束的那样，可能会是来自电脑黑客通过手工构造的数据请求或恶意用户发现你程序漏洞的请求。
2、不同类型的表单元素留空会导致$_GET和$_POST中的元素值不尽相同。空文本框、空文本区域及空的文件上传字段的值是零长度字符串。而未选中的复选框和单选按钮，不会在$_GET和$_POST中生存任何值。浏览器通常会强迫在单选下拉列表选中一个项目，而对于多选下拉列表，如果没有选择其中的任何项，那么结果和复选框是一样的，即不会在$_GET和$_POST中生存任何值。
3、$_GET和$_POST中的值始终是字符串。例如,某人在text_price文本框中填入02201并提交了表单，那么$_POST['text_price']的值会是五位的字符串“02201”,而不是整数2201。

验证实例
1、验证必填项
使用strlen()来测试$_GET或$_POST中的元素值。出于某种偏好，很多人常用empty()代替strlen()来测试一个文本框中是否填写了值。但根据PHP的布尔值计算规则，字符0可以转换为FALSE，因此这常常会导致问题出现。例如，有人在total_val文本框中填入了0，而empty($_POST['total_val'])测试的结果会是TRUE。显然，从表单验证的角度来看这是错误的。

<?phpif (! strlen($_POST['keyname']) {    echo 'keyname is null';}?>

2、数字验证
A、判断是否大于或等于零的整数，直接用ctype_digit()函数判断。

<?phpif (! ctype_digit($_POST['keyname']) {    echo 'Your keyname must be a number bigger than or equal to zero.';}?>

在PHP数字验证中一种常见的做法是用is_numeric()函数来验证数字。遗憾的是，is_numeric()所认为的数字更符合计算机的特点而不是人的思维。比如说，十六进制的数字字符串0xCAFE和带指数符号的数字字符串10e40对于is_numeric()来说都是数字。

在PHP5.1之前，如果向ctype_digit()传递一个空字符串，它会返回TRUE；显然这不是我们要的结果，因此首先要验证下它是否为空。

<?phpif (! strlen($_POST['keyname']) && ! ctype_digit($_POST['keyname']) {    echo 'Your keyname must be a number bigger than or equal to zero.';}?>

B、判断是否为正整数或负整数，可以采用提交值与值在转换成证书之后返回的字符串进行比较。
1）类型转换法验证整数

<?phpif ($_POST['keyname'] != strval(intval($_POST['keyname']))) {    echo 'Your keyname must be an integer.';}?>

?intval('025')返回25，intval('-2300')返回-2300, intval('2.2')返回2, intval('-8.8')返回-8, intval('sdf')返回0.

2）类型转换法验证小数

<?phpif ($_POST['keyname'] != strval(floatval($_POST['keyname']))) {    echo 'Your keyname must be an number.';}?>

?floatval('3.025')返回3.025，floatval('-23.007')返回-23.007 floatval('sdf')返回0.

3、正则表达式验证

1)字符串中只能包含数字

<?php$str = "0238";if (preg_match('/^\d+$/', $str)) {	echo 'match';}?>

2)检验PHP变量名是否符合规范

<?phpfunction pregPHPVar($str) {    if (preg_match('/\$[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/', $str)) {        return 'match';    } else {	return 'mismatch';    }}echo prefPHPVar('$str'); // print match;echo prefPHPVar('$1str'); // print mismatch;?>

3)邮箱验证

<?php$email = "[email&#160;protected]";if (! preg_match('/^[^0-9][a-zA-Z0-9_]+([.][a-zA-Z0-9_]+)*[@][a-zA-Z0-9_]+([.][a-zA-Z0-9_]+)*[.][a-zA-Z]{2,4}$/', $email)) {    echo 'Email is invalid.';}?>

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

PHP's Current Status: A Look at Web Development TrendsApr 13, 2025 am 12:20 AM

PHP remains important in modern web development, especially in content management and e-commerce platforms. 1) PHP has a rich ecosystem and strong framework support, such as Laravel and Symfony. 2) Performance optimization can be achieved through OPcache and Nginx. 3) PHP8.0 introduces JIT compiler to improve performance. 4) Cloud-native applications are deployed through Docker and Kubernetes to improve flexibility and scalability.

PHP vs. Other Languages: A ComparisonApr 13, 2025 am 12:19 AM

PHP is suitable for web development, especially in rapid development and processing dynamic content, but is not good at data science and enterprise-level applications. Compared with Python, PHP has more advantages in web development, but is not as good as Python in the field of data science; compared with Java, PHP performs worse in enterprise-level applications, but is more flexible in web development; compared with JavaScript, PHP is more concise in back-end development, but is not as good as JavaScript in front-end development.

PHP vs. Python: Core Features and FunctionalityApr 13, 2025 am 12:16 AM

PHP and Python each have their own advantages and are suitable for different scenarios. 1.PHP is suitable for web development and provides built-in web servers and rich function libraries. 2. Python is suitable for data science and machine learning, with concise syntax and a powerful standard library. When choosing, it should be decided based on project requirements.

PHP: A Key Language for Web DevelopmentApr 13, 2025 am 12:08 AM

PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7

PHP: The Foundation of Many WebsitesApr 13, 2025 am 12:07 AM

The reasons why PHP is the preferred technology stack for many websites include its ease of use, strong community support, and widespread use. 1) Easy to learn and use, suitable for beginners. 2) Have a huge developer community and rich resources. 3) Widely used in WordPress, Drupal and other platforms. 4) Integrate tightly with web servers to simplify development deployment.

Beyond the Hype: Assessing PHP's Role TodayApr 12, 2025 am 12:17 AM

PHP remains a powerful and widely used tool in modern programming, especially in the field of web development. 1) PHP is easy to use and seamlessly integrated with databases, and is the first choice for many developers. 2) It supports dynamic content generation and object-oriented programming, suitable for quickly creating and maintaining websites. 3) PHP's performance can be improved by caching and optimizing database queries, and its extensive community and rich ecosystem make it still important in today's technology stack.

What are Weak References in PHP and when are they useful?Apr 12, 2025 am 12:13 AM

In PHP, weak references are implemented through the WeakReference class and will not prevent the garbage collector from reclaiming objects. Weak references are suitable for scenarios such as caching systems and event listeners. It should be noted that it cannot guarantee the survival of objects and that garbage collection may be delayed.

Explain the __invoke magic method in PHP.Apr 12, 2025 am 12:07 AM

The \_\_invoke method allows objects to be called like functions. 1. Define the \_\_invoke method so that the object can be called. 2. When using the $obj(...) syntax, PHP will execute the \_\_invoke method. 3. Suitable for scenarios such as logging and calculator, improving code flexibility and readability.

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

2 weeks agoByDDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

WWE 2K25: How To Unlock Everything In MyRise

4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

DVWA

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software