PHP Forms and Validation

Source: Internet
Author: User

I. Overview

When PHP processes a request, it parses the URL query string and form variables, uploaded files, the cookies that were sent, and the Web server and environment variables. This information is then available directly through the following arrays: $_GET, $_POST, $_FILES, $_COOKIE, $_SERVER, and $_ENV. In other words, PHP stores the variables set in the query string, in the body of a POST request, in uploaded files, in cookies, by the Web server, and in the environment the Web server runs in. There is also the $_REQUEST variable, a large array that combines the values of the previous six arrays.

variables_order
When building the $_REQUEST array, if two of the source arrays contain a key with the same name, PHP decides which one wins according to the variables_order configuration directive in php.ini. By default, the value of variables_order is EGPCS (GPCS if you use the php.ini-recommended configuration file). That is, PHP first adds the environment variables to $_REQUEST, then the query string (GET), POST, cookie, and Web server variables in turn, with each later source overwriting keys set by an earlier one. Because C comes after P in the default order, a cookie named username overrides a POST variable named username. Note that the GPCS value in the php.ini-recommended file means the environment variables from the $_ENV array are not added to $_REQUEST at all.

track_vars
These automatic global arrays did not exist before PHP 4.1. Until then they were just regular arrays named $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_POST_FILES, and $HTTP_SERVER_VARS. These arrays are still available for backward compatibility, but the newer ones are easier to use. The old arrays are only populated when the track_vars configuration directive is on. (This option has always been on since PHP 4.0.3 and is no longer controlled by the track_vars= setting.)

register_globals
If the register_globals configuration directive is on, all of the above variables are also available as variables in the global namespace, so the value of $_GET['password'] can also be read as $password. This is convenient, but it introduces a serious security problem. Since PHP 4.2, the default value of register_globals is off.
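The following is an added example, not code from the original article: it emulates how the GET, POST and cookie arrays are merged into $_REQUEST in the order given by variables_order, so the "cookie overrides POST" effect described above becomes visible, and adds a check that lists fields arriving from more than one source. The function names and the sample arrays are our own; E and S are ignored because only G, P and C contribute to $_REQUEST.

```php
<?php
// Added example, not code from the original article. Emulates the merge that
// fills $_REQUEST from the GET, POST and cookie arrays according to the
// variables_order string. Function names and sample arrays are our own.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $request = [];
    // Walk the order string left to right; each later source overwrites any
    // key already present, so the rightmost letter wins for duplicate names.
    foreach (str_split(strtoupper($order)) as $letter) {
        switch ($letter) {
            case 'G': $request = array_replace($request, $get);    break;
            case 'P': $request = array_replace($request, $post);   break;
            case 'C': $request = array_replace($request, $cookie); break;
            default:  break; // 'E' and 'S' do not contribute to $_REQUEST
        }
    }
    return $request;
}

// Defender-side check: list keys that arrive from more than one source, so a
// handler can refuse an ambiguous request instead of silently taking one value.
function find_collisions(array $get, array $post, array $cookie): array
{
    $seen = [];
    foreach (['get' => $get, 'post' => $post, 'cookie' => $cookie] as $name => $src) {
        foreach (array_keys($src) as $key) {
            $seen[$key][] = $name;
        }
    }
    return array_filter($seen, fn(array $sources) => count($sources) > 1);
}

// Constructed sample request: the field "username" arrives both in the POST
// body and in a cookie.
$get    = ['page' => '2'];
$post   = ['username' => 'alice', 'action' => 'save'];
$cookie = ['username' => 'from-cookie', 'theme' => 'dark'];

$default = build_request('EGPCS', $get, $post, $cookie); // C after P: the cookie value wins
$strict  = build_request('GP',    $get, $post, $cookie); // cookies excluded: the POST value wins
$clashes = find_collisions($get, $post, $cookie);        // 'username' is reported as ambiguous

// Reading $_POST['username'] directly sidesteps the ordering question entirely.
```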

The above is a brief introduction to how PHP receives submitted form data. To keep PHP code safe, a PHP form handler must not skip two important steps: data validation and output escaping. Make sure the submitted information is acceptable to the program, and that malicious users cannot use your site to attack other sites.

II. Data validation

Some things to keep in mind:
1. Received data is not necessarily constrained by your front end (HTML and JavaScript): it may be a request constructed by hand by an attacker, or by a malicious user probing your program for a vulnerability.
2. Leaving different types of form element blank produces different element values in $_GET and $_POST. The value of an empty text box, an empty text area, or a blank file upload field is a zero-length string. Unchecked check boxes and radio buttons leave no value at all in $_GET and $_POST. Browsers usually force one item of a select drop-down list to be selected; for a multiple-select list with no item selected, the result is the same as for a check box, that is, no value appears in $_GET and $_POST.
3. The values in $_GET and $_POST are always strings. For example, if someone fills in the text_price text box with 02201 and submits the form, the value of $_POST['text_price'] will be the five-character string "02201", not the integer 2201.

Validation examples
1. Validating required fields
Use strlen() to test the value of an element in $_GET or $_POST. Out of habit, many people use empty() instead of strlen() to test whether a text box has been filled in. However, under PHP's boolean conversion rules the string "0" converts to false, so this often causes problems. For example, if someone fills in the total_val text box with 0, empty($_POST['total_val']) returns true. From the point of view of form validation this is clearly wrong.


2. Numeric validation
A. To determine whether a value is an integer greater than or equal to zero, use the ctype_digit() function directly.


A common practice in PHP numeric validation is to use the is_numeric() function. Unfortunately, what is_numeric() accepts as a number follows the computer's notion rather than a human's. For example, the hexadecimal numeric string 0xCAFE and the exponential-notation string 10e40 both count as numbers for is_numeric().


Before PHP 5.1, passing an empty string to ctype_digit() returned true. Obviously that is not the result we want, so check for an empty string first.


B. To determine whether a value is an integer (positive or negative), compare the submitted value with the string you get after converting it to an integer and back.
1) Validating integers by type conversion


intval('025') returns 25, intval('-2300') returns -2300, intval('2.2') returns 2, intval('-8.8') returns -8, and intval('sdf') returns 0.


2) Validating decimals by type conversion


floatval('3.025') returns 3.025, floatval('-23.007') returns -23.007, and floatval('sdf') returns 0.
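The following is an added example, not code from the original article, covering both the required-field check (strlen() rather than empty()) and the numeric checks above (ctype_digit() with an empty-string guard, and the intval()/floatval() round trip). It runs over a constructed $_POST array; the function names and form field names are our own.

```php
<?php
// Added example, not code from the original article: the required-field and
// numeric checks described above, applied to a constructed $_POST array.
// Function names and form field names are our own.
function is_filled(array $input, string $field): bool
{
    // strlen(), not empty(): empty('0') is true, so a legitimate "0" would fail.
    return isset($input[$field]) && is_string($input[$field]) && strlen($input[$field]) > 0;
}
function is_nonnegative_int(string $value): bool
{
    // Reject '' first: before PHP 5.1, ctype_digit('') returned true. Unlike
    // is_numeric(), this refuses '10e40' and '0xCAFE' (hex stopped being numeric in PHP 7.0).
    return $value !== '' && ctype_digit($value);
}
function is_signed_int(string $value): bool
{
    // Round trip through intval(): '-2300' survives unchanged; '025', '2.2',
    // '-8.8' and 'sdf' do not. Out-of-range values are clamped, hence rejected too.
    return $value === (string) intval($value);
}
function is_decimal(string $value): bool
{
    // Same round trip through floatval(): '3.025' and '-23.007' pass, 'sdf' and '02201' fail.
    return $value === (string) floatval($value);
}
// Apply the rules to a form; returns field => error message for each failure.
function validate_order(array $post): array
{
    $rules = [
        'total_val' => ['is_signed_int', 'must be an integer'],
        'qty'       => ['is_nonnegative_int', 'must be zero or a positive integer'],
        'price'     => ['is_decimal', 'must be a decimal number'],
    ];
    $errors = [];
    foreach ($rules as $field => [$check, $message]) {
        if (!is_filled($post, $field)) {
            $errors[$field] = 'required';
        } elseif (!$check($post[$field])) {
            $errors[$field] = $message;
        }
    }
    return $errors;
}
// Constructed submission; every value is a string, exactly as PHP delivers it.
// total_val "0" passes the required check; qty and price fail their numeric rules.
$errors = validate_order(['total_val' => '0', 'qty' => '-3', 'price' => '02201']);
```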

3. Regular expression validation

1) The string may contain only digits


2) Checking whether a PHP variable name is valid


3) Email validation

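The following is an added example, not code from the original article, implementing the three regular-expression checks listed above. The patterns are our own choice (the variable-name pattern follows the identifier grammar in the PHP manual), and the function names are ours as well.

```php
<?php
// Added example, not code from the original article: digits-only, PHP variable
// name and email checks with preg_match(). Patterns and function names are ours.
function is_digits_only(string $s): bool
{
    // The D modifier makes $ match only at the very end, so "123\n" is rejected.
    return preg_match('/^[0-9]+$/D', $s) === 1;
}
function is_php_variable_name(string $s): bool
{
    // PHP manual grammar: a letter, underscore or byte 0x80-0xff, followed by
    // letters, digits, underscores or such bytes. A leading '$' is optional here.
    return preg_match('/^\$?[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$/D', $s) === 1;
}
function is_plausible_email(string $s): bool
{
    // Deliberately conservative: one '@', a dotted domain and a 2+ letter TLD.
    // filter_var($s, FILTER_VALIDATE_EMAIL) is the built-in alternative.
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/D', $s) === 1;
}
// Run one check over a list of constructed inputs; returns value => result.
function run_checks(callable $check, array $values): array
{
    $results = [];
    foreach ($values as $v) {
        $results[$v] = $check($v);
    }
    return $results;
}
// Constructed inputs: only the first value of each list is expected to pass.
$digits = run_checks('is_digits_only', ['02201', '-3', '10e40', "123\n", '']);
$names  = run_checks('is_php_variable_name', ['$total_val', '2fast', 'a-b']);
$emails = run_checks('is_plausible_email', ['a.b@example.com', 'x@localhost', 'a@b@c.com']);
```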
