我是PHP和编程的新手,但是我开始构建自己的网站,需要注册网站以下PHP代码:
<?php
$fnameErr = $lnameErr = $emailErr = $pwErr = $pw_confErr = "";
$fname = $lname = $email = $pw = $pw_conf = "";
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (empty($_POST["fname"])) {
$fnameErr = "(Please submit first name)";
}
else {
$fname = test_input($_POST["fname"]);
}
if (empty($_POST["lname"])) {
$lnameErr = "(Please submit last name)";
}
else {
$lname = test_input($_POST["lname"]);
}
if (empty($_POST["email"])) {
$emailErr = "(Please submit email address)";
}
else {
$email = test_input($_POST["email"]);
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$emailErr = "(Email address is not valid)";
}
}
include ("email_compare.php");
if (empty($_POST["pw"])) {
$pwErr = "(Please submit password)";
}
else {
$pw = test_input($_POST["pw"]);
$pwHash = password_hash($pw, PASSWORD_DEFAULT);
}
if (empty($_POST["pw_conf"])) {
$pw_confErr = "(Please confirm password)";
}
else {
$pw_conf = test_input($_POST["pw_conf"]);
}
if ($_POST["pw"] !== $_POST["pw_conf"]) {
$pwErr = "(Please confirm password)";
$pw_confErr = "";
}
if (empty($fnameErr) && empty($lnameErr) && empty($emailErr) && empty
($pwErr) && empty($pw_confErr))
{
include ("db_add.php");
header('Location: register_success_en.php');
exit;
}
}
?>
我刚刚发现,应该包含在MYSQL中的数据应该由mysqli_real_escape_string转义,但我已经使用了我的test_input函数,在我看来,这个函数具有相同的效果。
所以我的问题是:test_input函数是否足够,还是我还应该使用mysqli_real_escape_string?
提前致谢!