PHP
Mikhail, 2019-05-12 18:52:56

How do I check user data before using it in an SQL query against the database?

In PHP I need to accept data from the user for insertion into the database, but how do I correctly check that they entered everything correctly?
Maybe there is some kind of template for such checks, so as to avoid problems.


1 answer(s)
Alexander, 2019-05-12
@Kowka_VN

First, check the length of the input; it is important to limit it.

// inside your validation method: reject oversized input before anything else
if (strlen($_POST['name']) > 60) {
    // bye-bye!
    return false;
}

Second, check all fields with regular expressions. For each field you can simply do something like this (a minimal pattern; the `@` was mangled in the original post):
if (!preg_match("/[0-9a-z]+@[a-z]+/", $_POST['email'])) {
    // email is not valid, bye-bye!
    return false;
}

You can write your own function; I wrote something like this:
// controller
public function registerAction()
{
    if (!empty($_POST)) {
        if (!$this->model->validate(['email', 'login', 'wallet', 'password'], $_POST)) {
            $this->view->message('Ошибка', 'error', $this->model->error);
        } elseif (!$this->model->checkEmailExists($_POST['email'])) {
            $this->view->message('Ошибка', 'error', $this->model->error);
        } elseif (!$this->model->checkLoginExists($_POST['login'])) {
            $this->view->message('Ошибка', 'error', $this->model->error);
        } elseif (!$this->model->register($_POST)) {
            $this->view->message('Ошибка', 'error', $this->model->error);
        } else {
            // only reached when every check above passed
            $this->view->message('Успешно', 'success', "reg OK, check ur email");
        }
    }
    $this->view->render('Регистрация');
}

// model
public function validate($inputs, $post)
{
    // whitelist pattern per field; anything that does not match is rejected
    $rules = [
        'email' => [
            'pattern' => '#^([a-z0-9_.-]{1,20}+)@([a-z0-9_.-]+)\.([a-z\.]{2,10})$#',
            'message' => 'E-mail адрес указан неверно',
        ],
        'login' => [
            'pattern' => '#^[a-z0-9]{3,15}$#',
            'message' => 'Логин указан неверно (разрешены только латинские буквы и цифры от 3 до 15 символов)',
        ],
        'wallet' => [
            'pattern' => '#^[a-z0-9]{3,15}$#',
            'message' => 'Кошелек указан неверно',
        ],
        'password' => [
            // note: this pattern also restricts which characters a password may contain
            'pattern' => '#^[a-z0-9]{6,30}$#',
            'message' => 'Пароль указан неверно (разрешены только латинские буквы и цифры от 6 до 30 символов)',
        ],
    ];

    foreach ($inputs as $val) {
        // the field must be present and must match its pattern
        if (!isset($post[$val]) || !preg_match($rules[$val]['pattern'], $post[$val])) {
            $this->error = $rules[$val]['message'];
            return false;
        }
    }
    return true;
}

Finally, when writing to the database, do not use plain mysqli_query with variables concatenated into the query string:
// !WRONG! user input becomes part of the SQL text
$query = 'SELECT * FROM accounts WHERE id = '.$_POST['id'];

I don't have enough space here to describe everything about protection against SQL injection, so google it yourself; I'll just say that I recommend PDO.
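The two halves of the answer above (whitelist validation of each field, then a parameterised write through PDO) put together as one runnable script. This is an added example, not code from the answer or the question; the table, field names, length limit and regexes are assumptions chosen for illustration, and it uses an in-memory SQLite database so it runs offline without a MySQL server.

```php
<?php
// Added example (not the answer's own code): validate registration input as the
// answer describes, then write it with a PDO prepared statement instead of string
// concatenation. Table name, field names and rules are assumptions for illustration.
declare(strict_types=1);

const MAX_FIELD_LENGTH = 60;

// Whitelist rule per field: anything that does not match is rejected before it gets near SQL.
const RULES = [
    'email' => [
        'pattern' => '#^[a-z0-9_.-]{1,64}@[a-z0-9.-]+\.[a-z]{2,10}$#i',
        'message' => 'E-mail address is invalid',
    ],
    'login' => [
        'pattern' => '#^[a-z0-9]{3,15}$#',
        'message' => 'Login is invalid (3-15 Latin letters and digits)',
    ],
];

/**
 * Returns null when $post passes every rule, otherwise the first error message.
 * Length is checked first so the regex engine never sees oversized input.
 */
function validate(array $post, array $rules = RULES): ?string
{
    foreach ($rules as $field => $rule) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return "Field '$field' is missing";
        }
        if (strlen($post[$field]) > MAX_FIELD_LENGTH) {
            return "Field '$field' is too long";
        }
        if (!preg_match($rule['pattern'], $post[$field])) {
            return $rule['message'];
        }
    }
    return null;
}

/**
 * Inserts the validated row with bound parameters: the values are sent to the
 * driver separately from the SQL text, so they cannot change the query's structure.
 */
function insertAccount(PDO $db, array $post): int
{
    $stmt = $db->prepare('INSERT INTO accounts (email, login) VALUES (:email, :login)');
    $stmt->execute([':email' => $post['email'], ':login' => $post['login']]);
    return (int) $db->lastInsertId();
}

// --- demo with constructed input (in a real handler this would be $_POST) ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT NOT NULL, login TEXT NOT NULL)');

$samples = [
    ['email' => 'user@example.com', 'login' => 'alice42'],                   // valid
    ['email' => 'user@example.com', 'login' => "x' OR '1'='1"],              // rejected by the login regex
    ['email' => str_repeat('a', 70) . '@example.com', 'login' => 'bob'],     // rejected by the length check
    ['email' => 'user@example.com'],                                          // rejected: login missing
];

foreach ($samples as $post) {
    $error = validate($post);
    if ($error !== null) {
        echo "rejected: $error\n";
        continue;
    }
    echo 'inserted account id ' . insertAccount($db, $post) . "\n";
}

// Even if validation were skipped, binding keeps the quote inert: this looks for a
// login literally equal to the string, it does not alter the WHERE clause.
$stmt = $db->prepare('SELECT COUNT(*) FROM accounts WHERE login = :login');
$stmt->execute([':login' => "x' OR '1'='1"]);
echo 'rows matching the literal string: ' . $stmt->fetchColumn() . "\n";
```

Run it with `php example.php` (needs the pdo_sqlite extension). Validation and parameter binding are independent layers: the regexes decide which values the application accepts, while the prepared statement guarantees that whatever value reaches the database is treated as data, not as SQL.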
