PHP form and verification
I. Overview
When processing a page, PHP collects URL and form variables, uploaded files, available cookies, and Web server and environment variables. That information can then be accessed directly through the following arrays: $_GET, $_POST, $_FILES, $_COOKIE, $_SERVER, and $_ENV. In other words, PHP stores the variables set in the query string, the body of a POST request, the uploaded files, the cookies, and the Web server and the environment it runs in. There is also a $_REQUEST variable, a large array containing all the values of the first six arrays.
variables_order
When an element is placed in the $_REQUEST array and two of the source arrays have a key with the same name, PHP decides which one wins according to the variables_order directive in php.ini. By default, the value of variables_order is EGPCS (GPCS if the php.ini-recommended configuration file is used). That is, PHP first adds the environment variables to $_REQUEST, then the query string (GET), POST, cookie, and Web server variables in sequence. Because C comes after P in the default order, a cookie named username overwrites a POST variable named username. Note that the GPCS value in the php.ini-recommended file means that the environment variables in the $_ENV array are not added to $_REQUEST at all.
track_vars
Before PHP 4.1, these automatic global variables did not exist. At that time they were just regular arrays named $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_POST_FILES, and $HTTP_SERVER_VARS. For backward compatibility these arrays are still valid, but the newer arrays are easier to use. The old arrays are populated only when the track_vars configuration directive is on. (Since PHP 4.0.3 this option is always enabled and can no longer be changed through track_vars = ... .)
register_globals
If the register_globals configuration directive is on, all of the above variables are also exposed as variables in the global namespace, so the value of $_GET['password'] can also be read as $password. This is convenient, but it introduces a serious security problem. From PHP 4.2, the default value of register_globals is off.
The above is a brief introduction to what happens when a PHP form is submitted. To keep PHP code secure, a form handler cannot skip two important steps: data verification and output escaping. Make sure the submitted information is acceptable to the program, and make sure malicious users cannot use your website to attack other websites.
II. Data verification
Notes:
1. Received data is not necessarily constrained by your front end (HTML and JavaScript); it may be a request constructed by hand by an attacker looking for a program vulnerability, or by a malicious user.
2. Leaving different types of form elements empty produces different values in $_GET and $_POST. The value of an empty text box, an empty text area, or an empty file upload field is a zero-length string. A checkbox or radio button that is not selected does not appear in $_GET or $_POST at all. Browsers usually force one item to be selected in a single-select drop-down list; for a multi-select list with no items selected, the result is the same as for check boxes: no value appears in $_GET or $_POST.
3. The values in $_GET and $_POST are always strings. For example, if someone types 02201 into the text_price text box and submits the form, the value of $_POST['text_price'] is the five-character string "02201", not the integer 2201.
Verification examples
1. Required-field verification
Use strlen() to test the element values in $_GET or $_POST. Out of habit, many people use empty() instead of strlen() to test whether a text box was filled in. However, under PHP's Boolean conversion rules the string "0" converts to FALSE, which regularly causes problems. For example, if someone enters 0 in the total_val text box, empty($_POST['total_val']) returns TRUE, which is clearly wrong from the point of view of form verification.
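A required-field check that avoids the empty() pitfall and also handles the controls that are absent from $_POST entirely (unticked checkboxes, unselected radio buttons, as described in note 2). This is an added example, not code from the original article; the input array is passed in explicitly so it can be exercised with constructed data, and in a real handler you would pass $_POST.

```php
<?php
// Added example: required-field verification with strlen() rather than empty().

/**
 * Return the names of required fields that are missing or blank.
 * An unselected checkbox or radio button is not present in $post at all,
 * so isset() must be checked before strlen() is called.
 */
function missing_required(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $name) {
        // Plain form fields arrive as strings; an array value (name="x[]")
        // is treated as missing here rather than passed on.
        if (!isset($post[$name]) || !is_string($post[$name]) || strlen($post[$name]) === 0) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample submission: the user typed "0" into total_val, left the
// comment box blank, and did not tick the "agree" checkbox.
$sample = ['username' => 'alice', 'total_val' => '0', 'comment' => ''];

// empty() treats the string "0" as empty, strlen() correctly sees one character.
var_dump(empty($sample['total_val']));
var_dump(strlen($sample['total_val']) === 0);

// Only comment (blank) and agree (absent) should be reported.
print_r(missing_required($sample, ['username', 'total_val', 'comment', 'agree']));
```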
2. Numeric verification
A. Use ctype_digit() to determine whether a value is an integer greater than or equal to zero.
A common practice in PHP numeric verification is to use is_numeric(). Unfortunately, is_numeric() takes the computer's view of what a number is rather than a human one. For example, the hexadecimal string 0xCAFE and the exponential string 10e40 both count as numbers for is_numeric().
Before PHP 5.1, passing an empty string to ctype_digit() returned TRUE, which is obviously not the desired result, so check for an empty string first.
B. To determine whether a value is a positive or negative integer, compare the submitted string with the string obtained after converting the value to an integer and back.
1) Verifying an integer by type conversion
intval('025') returns 25, intval('-100') returns -2300, intval('2.2') returns 2, intval('-8.8') returns -8, intval('sdf') returns 0.
2) Verifying a decimal by type conversion
floatval('3.025') returns 3.025, floatval('-100') returns -23.007, floatval('sdf') returns 0.
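The three numeric checks described in A, B.1 and B.2, written as functions over the raw form string, with a comparison against is_numeric() on constructed inputs. This is an added example, not code from the original article; the function names are my own.

```php
<?php
// Added example: numeric verification of form strings.

/** Non-negative integer: guard the empty string first (pre-5.1 ctype_digit('') quirk). */
function is_unsigned_int_string(string $s): bool
{
    return strlen($s) > 0 && ctype_digit($s);
}

/**
 * Signed integer: cast to int and compare the round-trip string with the input.
 * '025' is rejected because (string) intval('025') is '25'; '2.2' is rejected
 * because it collapses to '2'.
 */
function is_int_string(string $s): bool
{
    return (string) intval($s) === $s;
}

/**
 * Decimal: same round-trip with floatval(). Caveat: '3.0' converts back to '3'
 * and is rejected, so normalise trailing zeros first if such input is expected.
 */
function is_decimal_string(string $s): bool
{
    return (string) floatval($s) === $s;
}

// Constructed inputs. is_numeric() accepts '10e40' (and, before PHP 7, hex
// strings such as '0xCAFE'); none of the three checks above accept it.
$inputs = ['42', '0', '', '025', '-100', '2.2', '-8.8', '3.025', '10e40', 'sdf'];
foreach ($inputs as $input) {
    printf("%-8s unsigned:%d int:%d decimal:%d is_numeric:%d\n",
        var_export($input, true),
        is_unsigned_int_string($input),
        is_int_string($input),
        is_decimal_string($input),
        is_numeric($input));
}
```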
3. Regular expression verification
1) A string may contain only digits.
2) Check whether a PHP variable name complies with the naming rules.
3) Email verification
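The three regular-expression checks listed above as working functions. This is an added example, not code from the original article: the variable-name pattern is the one documented in the PHP manual, the e-mail pattern is a deliberately minimal shape check, and filter_var() with FILTER_VALIDATE_EMAIL is shown beside it as the more complete alternative.

```php
<?php
// Added example: regular-expression verification of form strings.

function is_digits_only(string $s): bool
{
    // Anchored at both ends so "12abc" cannot pass. \z is used instead of $
    // because a bare $ would also accept "123\n".
    return preg_match('/^[0-9]+\z/', $s) === 1;
}

function is_valid_php_variable_name(string $s): bool
{
    // Name without the leading "$": a letter, underscore or byte 0x80-0xff,
    // followed by letters, digits, underscores or bytes 0x80-0xff (PHP manual).
    return preg_match('/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*\z/', $s) === 1;
}

function looks_like_email(string $s): bool
{
    // Minimal shape: a local part, exactly one "@", and at least two domain labels.
    return preg_match('/^[^@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/', $s) === 1;
}

function is_valid_email(string $s): bool
{
    // Built-in validator; stricter about the local part than the regex above.
    return filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs for each check.
foreach (['123', '12abc', "123\n"] as $v) {
    printf("digits   %-12s %d\n", json_encode($v), is_digits_only($v));
}
foreach (['user_name', '1abc', 'naïve'] as $v) {
    printf("varname  %-12s %d\n", json_encode($v), is_valid_php_variable_name($v));
}
foreach (['a@example.com', 'bad@', 'a@b'] as $v) {
    printf("email    %-16s regex:%d filter_var:%d\n",
        json_encode($v), looks_like_email($v), is_valid_email($v));
}
```

Pass the raw $_POST value to these functions only after the required-field check has confirmed it is a non-empty string.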