0

I am stuck on my coding: I need to check that the email is legitimate and also check if the passwords match.

As you can see I've tried to make sure it has '@' in it, but it doesn't work.

 <?php
    error_reporting(1);
    include("../site/inc/config.php");

    if (isset($_POST['submit'])) {
        $username = clean($_POST['username']);
        $password = clean($_POST['password']);
        $pass_conf = clean($_POST['password2']);
        $email = clean($_POST['email']);
        $ip = $_SERVER['REMOTE_ADDR'];
        $reg_date = date("F jS, Y - g:i a");
        $md5 = md5($password);

        if(!$username){
            header("Location: /site/register.php?error=1");
            //error
            die;
        }


        if(!$password){
            header("Location: /site/register.php?error=1");
            //error
            die;
        }


        if(!$pass_conf){
            header("Location: /site/register.php?error=1");
            //error
            die;
        }


        if(!$email){
            header("Location: /site/register.php?error=1");
            //error
            die;
        }

        $sign = '@';

        if (strpos($email,$sign) !== true) {
            header("Location: /site/register.php?error=122");
            //error
            die;
        }

        $check_user = mysql_query("SELECT `username` FROM `users` WHERE `username` = '".$username."'");

        if(mysql_num_rows($check_user) !== 0){
            header("Location: /site/register.php?error=2");
            //error
            die;
        }

        $check_email = mysql_query("SELECT `email` FROM `users` WHERE `email` = '".$email."'");

        if(mysql_num_rows($check_email) !== 0){
            header("Location: /site/register.php?error=3");
            //error
            die;
        }

        mysql_query("INSERT INTO `users` (`username`, `password`, `email`, `ip`, `rank`, `reg_date`) VALUES ('$username', '$md5', '$email', '$ip', '1', '$reg_date')");
        header("Location: /site/register.php?success=1");
    } else {
        header("Location: register.php?error=4");
    }

    ?>
4

2 回答 2

1

Ah. First of all, don't use deprecated mysql_ switch to mysqli.

Second, don't use $_POST, $_GET, $_COOKIE variables without checking whether they are set. Rather do:

$request_variables = array('password', 'password2', 'username', ...);
$data = array();
foreach( $request_variables as $k){
    if( !isset( $_POST[$k])){
        header( 'Location: http://...'); // Yes, use absolute url
        die();
    }

    $v = clean( $_POST[$k]);
    if( !$v){
        // header, die
    }

    $data[$k] = $v;
}

Then, make sure you're escaping data before pushing them into query. If not using prepared statements with parameters, at least use *sigh* mysql_real_escape_string and last but not least, for email validation just browse stack overflow for a while:

if (!filter_var($data['email'], FILTER_VALIDATE_EMAIL)) {
    header("Location: http://.../site/register.php?error=122");
    die();
}

Yeah, and password matching:

if( $data['password'] !== $data['password2']){
    header(...);
    die(...);
}

But I'd try to validate password match onsubmit of <form> too (so passwords would be sent just once, and also sent them both to server for case of disabled javascript).

于 2013-04-20T20:07:18.710 回答
0 
if (strpos($email,$sign) === false) {
    /* error ! */
}

是对的,因为 strpos 永远不会返回 true。它返回 false 或整数。因此,如果 strpos 严格等于 false,则在这种情况下会出现错误。

对于密码匹配,只需比较密码:

if ($password !== $pass_conf) {
    /* error ! */
}

Ps:将查询中的 $variables 包围在mysql_real_escape_string($variable). 否则,您将面临 SQL 注入的风险。

于 2013-04-20T19:53:29.023 回答