跳转到内容
XOOPS 2.7 Docs

“表单验证”

概述

Section titled “概述”

XOOPS 为表单输入提供客户端-side 和服务器-side 验证。本指南涵盖验证技术、内置-in验证器和自定义验证实现。

验证架构

Section titled “验证架构”
flowchart TB
    A[Form Submission] --> B{Client-Side Validation}
    B -->|Pass| C[Server Request]
    B -->|Fail| D[Show Client Errors]
    C --> E{Server-Side Validation}
    E -->|Pass| F[Process Data]
    E -->|Fail| G[Return Errors]
    G --> H[Display Server Errors]

服务器-Side验证

Section titled “服务器-Side验证”

使用 XOOPSFormValidator

Section titled “使用 XOOPSFormValidator”
use Xoops\Core\Form\Validator;


$validator = new Validator();


$validator->addRule('username', 'required', 'Username is required');
$validator->addRule('username', 'minLength:3', 'Username must be at least 3 characters');
$validator->addRule('username', 'maxLength:50', 'Username cannot exceed 50 characters');
$validator->addRule('email', 'email', 'Please enter a valid email address');
$validator->addRule('password', 'minLength:8', 'Password must be at least 8 characters');


if (!$validator->validate($_POST)) {
    $errors = $validator->getErrors();
    // Handle errors
}

内置-in验证规则

Section titled “内置-in验证规则”
规则描述示例
required字段不能为空required
email有效的电子邮件格式email
url有效的URL格式url
numeric仅数值numeric
integer仅整数值integer
minLength最小字符串长度minLength:3
maxLength最大字符串长度maxLength:100
min最小数值min:1
max最大数值max:100
regex自定义正则表达式模式regex:/^[a-z]+$/
in列表中的值in:draft,published,archived
date有效日期格式date
alpha仅限字母alpha
alphanumeric字母和数字alphanumeric

自定义验证规则

Section titled “自定义验证规则”
$validator->addCustomRule('unique_username', function($value) {
    $memberHandler = xoops_getHandler('member');
    $criteria = new \CriteriaCompo();
    $criteria->add(new \Criteria('uname', $value));
    return $memberHandler->getUserCount($criteria) === 0;
}, 'Username already exists');


$validator->addRule('username', 'unique_username');

请求验证

Section titled “请求验证”

清理输入

Section titled “清理输入”
use Xoops\Core\Request;


// Get sanitized values
$username = Request::getString('username', '', 'POST');
$email = Request::getEmail('email', '', 'POST');
$age = Request::getInt('age', 0, 'POST');
$price = Request::getFloat('price', 0.0, 'POST');
$tags = Request::getArray('tags', [], 'POST');


// With validation
$username = Request::getString('username', '', 'POST', [
    'minLength' => 3,
    'maxLength' => 50
]);

XSS 预防

Section titled “XSS 预防”
use Xoops\Core\Text\Sanitizer;


$sanitizer = Sanitizer::getInstance();


// Sanitize HTML content
$cleanContent = $sanitizer->sanitizeForDisplay($userContent);


// Strip all HTML
$plainText = $sanitizer->stripHtml($userContent);


// Allow specific tags
$content = $sanitizer->sanitizeForDisplay($userContent, [
    'allowedTags' => '<p><br><strong><em><a>'
]);

客户端-Side验证

Section titled “客户端-Side验证”

HTML5 验证属性

Section titled “HTML5 验证属性”
// Required field
$element->setExtra('required');


// Pattern validation
$element->setExtra('pattern="[a-zA-Z0-9]+" title="Alphanumeric only"');


// Length constraints
$element->setExtra('minlength="3" maxlength="50"');


// Numeric constraints
$element->setExtra('min="1" max="100"');

JavaScript 验证

Section titled “JavaScript 验证”
document.getElementById('myForm').addEventListener('submit', function(e) {
    const username = document.getElementById('username').value;
    const errors = [];


    if (username.length < 3) {
        errors.push('Username must be at least 3 characters');
    }


    if (!/^[a-zA-Z0-9_]+$/.test(username)) {
        errors.push('Username can only contain letters, numbers, and underscores');
    }


    if (errors.length > 0) {
        e.preventDefault();
        displayErrors(errors);
    }
});

CSRF 保护

Section titled “CSRF 保护”

代币生成

Section titled “代币生成”
// Generate token in form
$form->addElement(new \XoopsFormHiddenToken());


// This adds a hidden field with security token

令牌验证

Section titled “令牌验证”
use Xoops\Core\Security;


if (!Security::checkReferer()) {
    die('Invalid request origin');
}


if (!Security::checkToken()) {
    die('Invalid security token');
}

文件上传验证

Section titled “文件上传验证”
use Xoops\Core\Uploader;


$uploader = new Uploader(
    uploadDir: XOOPS_UPLOAD_PATH . '/images/',
    allowedMimeTypes: ['image/jpeg', 'image/png', 'image/gif'],
    maxFileSize: 2 * 1024 * 1024, // 2MB
    maxWidth: 1920,
    maxHeight: 1080
);


if ($uploader->fetchMedia('image_upload')) {
    if ($uploader->upload()) {
        $savedFile = $uploader->getSavedFileName();
    } else {
        $errors[] = $uploader->getErrors();
    }
}

错误显示

Section titled “错误显示”

收集错误

Section titled “收集错误”
$errors = [];


if (empty($username)) {
    $errors['username'] = 'Username is required';
}


if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    $errors['email'] = 'Invalid email format';
}


if (!empty($errors)) {
    // Store in session for display after redirect
    $_SESSION['form_errors'] = $errors;
    $_SESSION['form_data'] = $_POST;
    header('Location: ' . $_SERVER['HTTP_REFERER']);
    exit;
}

显示错误

Section titled “显示错误”
{if $errors}
<div class="alert alert-danger">
    <ul>
        {foreach $errors as $field => $message}
        <li>{$message}</li>
        {/foreach}
    </ul>
</div>
{/if}

最佳实践

Section titled “最佳实践”
  1. 始终验证服务器-side - 客户端-side验证可以被绕过
  2. 使用参数化查询 - 防止SQL注入
  3. 清理输出 - 防止 XSS 攻击
  4. 验证文件上传 - 检查MIME类型和大小
  5. 使用CSRF令牌 - 防止交叉-site请求伪造
  6. 速率限制提交 - 防止滥用

相关文档

Section titled “相关文档”
  • 表单元素参考
  • 表格概览
  • 安全最佳实践