如何更改此正则表达式“/ ^ [0-9] + $ / m”?

<title>mylogin</title>
<body>
<form action="sql.php" method="POST">
User ID: <input type="text" id="userid" name="userid"/><br/>
Password:  <input type="text" id="password" name="password"/><br/>
<input type="submit" value="send">
</form>
</body>

and my code sql.php is

<?php
include('..\db.php');
$con = mysqli_connect($dbsrvname, $dbusername, $dbpassword, $dbname);
if (!$con){
     echo("Connection ERROR");
     die(print_r(mysqli_error($con)));
   }
if (!preg_match("/^[0-9]+$/m", $_POST["userid"])){
    die("ONLY numbers allowed");
    }
$query = "SELECT * FROM tbl1 WHERE id=" . 
     $_POST["userid"] . " AND password='" .
     mysqli_real_escape_string($con, $_POST["password"]) . "';";
$stms = mysqli_query($con, $query);
if ($stms === false){
    echo("ERROR during query execution: ");
    die(print_r(mysqli_error($con))); 
    }
$row = mysqli_fetch_array($stms, MYSQLI_ASSOC);
if ($row){
    die("Logged in");
    }
else{
    die("Wrong username or password");}

?>

when in this code

if (!preg_match("/^[0-9]+/", $_POST["userid"])){
    die("ONLY numbers allowed");
}

in this code when I input the first number and after this any char like 9a the statement (if) is false and continues without printing "only allowed numbers"

but in this statement

if (!preg_match("/^[0-9]+$/m", $_POST["userid"])){
    die("ONLY numbers allowed");
}

when I input 9a or any first number with char like 9a the statement is true and prints "only allowed numbers"

What is the input value I should enter to make the statement (false) and not go inside the if statement which is printing the allowed numbers?

Do not use Regex at all.

if(!filter_input(INPUT_POST, "userid", FILTER_SANITIZE_NUMBER_INT))
    die ("ONLY numbers allowed");

An input such as:

$_POST["userid"] = '1234
--\'';

would pass your regex because the first line is only numbers. The m checks line by line. You want the whole string to be numerical though.

It would be easier to just check for a non-numeric value anywhere in the string:

if (empty($_POST["userid"]) || preg_match("/\D/", $_POST["userid"])){
     die('You entered an unacceptable string');

For the SQL part though you'd be much better off using parameterized queries. You also should not store plain text passwords.

See:

  1. http://php.net/manual/en/function.password-hash.php
  2. http://php.net/manual/en/function.password-verify.php
  3. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php