一体化PHP / MySQL注册/登录表单无法正常工作

时间:2009-08-14 00:19:39

标签: php login mysqli registration

我正在制作一个注册/登录脚本,如果未设置$ _POST,将首先显示注册表单。如果是,但是未填写必填字段,则会再次重定向到该页面,重新设置$ _POST。如果填写了所有字段,则如果设置了提交按钮$ _POST [“login”]的名称,则表单确认登录并设置一个文本块,该页面是将用户重定向到他们的购物篮或回到商店。如果设置了提交按钮$ _POST [“register”],则用户想要注册并构建并提交插入查询。如果此查询未返回受影响的行,则脚本将检查用户是否已注册。如果是这样,请将其登录并按正常登录方式向他们显示重定向页面。否则,如果脚本返回1行受影响,那么我假设插入成功(如果查询失败,我有脚本中断)。

如果您登录时登录有效,如果您错过了必填字段,则重定向会起作用,但就是这样。我看不出问题而且没有错误 - 在其他情况下我只是得到一个空白屏幕。这是一大堆代码,我害怕...... 

    <?php
if(!$_POST) {
  //hasn't seen the registration form
  //display registration form
      $display_block = "
      <form method=\"POST\" action=\"".$_SERVER["PHP_SELF"]."\">
      <p>Please fill in the registration field (required fields marked with <span class=\"req\"><</span>)<br />
      First name: <input type=\"text\" name=\"f_name\" size=\"25\" maxlength=\"50\" /><span class=\"req\"><</span><br />
      Last name: <input type=\"text\" name=\"l_name\" size=\"25\" maxlength=\"50\" /><span class=\"req\"><</span><br />
      Address: <input type=\"text\" name=\"address\" size=\"50\" maxlength=\"150\" /><br />
      Town: <input type=\"text\" name=\"town\" size=\"50\" maxlength=\"150\" /><br />
      City: <input type=\"text\" name=\"city\" size=\"50\" maxlength=\"150\" /><br />
      Post Code: <input type=\"text\" name=\"postcode\" size=\"10\" maxlength=\"10\" /><br />
      Username: <input type=\"text\" name=\"username\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
      Confirm username: <input type=\"text\" name=\"usernameConfirm\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
      Password: <input type=\"password\" name=\"password\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
      Confirm password: <input type=\"password\" name=\"passwordConfirm\" size=\"25\" maxlength=\"25\" /><span class=\"req\"><</span><br />
      <br />
      <input type=\"submit\" name=\"register\" value=\"Register\" /><br /><br />
      Already a member? <input type=\"submit\" name=\"login\" value=\"Login\" />
      </p>";

} else if ((!isset($_POST["username"])) || (!isset($_POST["usernameConfirm"])) || (!isset($_POST["password"])) || (!isset($_POST["passwordConfirm"]))) {
  //hasn't filled out all the fields
  header("Location: ".$_SERVER["PHP_SELF"]."");
  exit;
} else if($_POST["login"]) {

  //user is logging in, so connect to server and select database, check they are registered and their details are right
          $mysqli = mysqli_connect(hostname,username,pass,dbname);

    //create and issue the query
    $sql = "SELECT f_name, l_name FROM auth_users WHERE username='".$_POST["username"]."' AND password=PASSWORD('".$_POST["password"]."')";
    $sql_res =mysqli_query($mysqli, $sql) or die(mysqli_error($mysqli));

    //get the number of rows in the result set; should be 1 if a match
    if(mysqli_num_rows($sql_res) == 1) {
      //if authorized, get the values of f_name, l_name
      while($info = mysqli_fetch_array($sql_res)) {
        $f_name = stripslashes($info["f_name"]);
        $l_name = stripslashes($info["l_name"]);
      }
      //set authorization cookie
      setcookie("auth", "1", 0, "/", "sinaesthesia.co.uk", 0);

      //create display string
      $display_block = "<p>".$f_name." ".$l_name." is authorized.</p>
      <p>You are now logged in.</p>
      <a href=\"basket.php5\">View Basket</a> | <a href=\"home.php5\">Continue Shopping</a>";

    } else if($_POST["register"]) {

      //connect to db and issue registration query
          $mysqli = mysqli_connect(hostname,username,pass,dbname);

          $register_sql = "INSERT INTO aromaMaster (username, password, date_registered) VALUES ('".$_POST["username"]."',PASSWORD('".$_POST["password"]."'),now())";
          $register_res = mysqli_query($mysqli, $register_sql) or die(mysqli_error($mysqli));

          if (mysqli_num_rows($register_res) != 1) {
            //registration failed - perhaps duplicate account

            $check_sql = "SELECT username, password FROM aromaMaster WHERE username='".$_POST["username"]."' AND password=PASSWORD('".$_POST["password"]."')";
            $check_res = mysqli_query($mysqli, $check_sql) or die(mysqli_error($mysqli));

            if(mysqli_num_rows($check_res) == 1) {
              //already a member

              //set cookie
                    //set authorization cookie
      setcookie("auth", "1", 0, "/", "sinaesthesia.co.uk", 0);

              $display_block = "
              <p>You are already registered.</p>
      <a href=\"basket.php5\">View Basket</a> | <a href=\"home.php5\">Continue Shopping</a>";
            }
          } else {
            //success
            $display_block = "
            <p>You are registered!</p>
      <a href=\"basket.php5\">View Basket</a> | <a href=\"home.php5\">Continue Shopping</a>";
          }


    }
    mysqli_close($mysqli);
    }
?>
<html>
<head>
<title>Login / Register</title>
</head>
<body>
<?php echo "$display_block"; ?>
</body>
</html>

1 个答案:

答案 0 :(得分:1)

您不想将用户的字符串直接放入查询中。 http://php.net/manual/en/security.database.sql-injection.php

相关问题
最新问题