我试图使用PDO创建一个用户注册页面,我以前从未使用过这个,所以我无法理解如何将值插入到我的表中。
有人能看到我的代码出了什么问题吗?
<?php
include_once ('/_includes/classes/connection.class.php');
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$accounttype = $_POST['accounttype'];
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES ($firstname,$lastname,$email,$password,$accounttype)";
echo $query;
$count = $dbh->exec($query);
$dbh = null;
?>
<?php
$dsn = 'mysql:host=localhost;dbname=site.co.uk';
$username = 'access@site.co.uk';
$password = 'password';
$options = array(
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
);
$dbh = new PDO($dsn, $username, $password, $options);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$userpassword = $_POST['password'];
$accounttype = $_POST['accounttype'];
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES (:firstname,:lastname,:email,:password,:accounttype)";
$stmt = $dbh->prepare($query);
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':password', $userpassword);
$stmt->bindParam(':accounttype', $accounttype);
$stmt->execute();
?>
答案 0 :(得分:2)
永远不要像你做的那样,SQL Injections
使用准备好的陈述。
http://php.net/manual/de/pdo.prepared-statements.php
<?php
require_once ('_includes/classes/connection.class.php');
$stmt = $dbh->prepare('INSERT INTO users (firstname,lastname,email,password,accounttype) VALUES (:firstname,:lastname,:email,:password,:accounttype)');
$stmt->execute(array($_POST));
出现问题的是,您忘记了值的引号。但是在准备好的陈述的情况下,你不需要引用。
http://www.w3schools.com/sql/sql_insert.asp
请不要将纯文本密码保存到数据库中,使用哈希
Secure hash and salt for PHP passwords
如果你真的需要includet文件,最好使用“require”或“require_once”。
答案 1 :(得分:2)
include_once ('/_includes/classes/connection.class.php');永远不会包含任何内容。本地文件系统的根目录中没有_includes目录有人能看到我的代码出了什么问题吗?
可能还有其他错误,但是观看代码不是可行的方法。一个人运行代码,调试,并观察发生的错误。
我唯一需要补充的是旁注 - 你的代码和洪水一样湿。看看它:你正在写每个字段名称六次!
$firstname = $_POST['firstname']; - 2x bindParam(':firstname', $firstname); - 2x 共有6次重复
答案 2 :(得分:1)
您需要绑定值而不是使用字符串连接。
$dsn = 'mysql:host=localhost;dbname=mydb';
$username = 'myun';
$password = 'mypw';
$options = array(
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
);
$dbh = new PDO($dsn, $username, $password, $options);
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES
(:firstname,:lastname,:email,:password,:accounttype)";
$stmt = $dbh->prepare($query);
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
//etc
$stmt->execute();
答案 3 :(得分:0)
你应该真正使用预备语句。你应该做更多这样的事情,假设:
您的代码更像是这样。
<?php
error_reporting(E_ALL);
include_once ('_includes/classes/connection.class.php');
$_POST['password'] = hash('md5', $_POST['password']);
$statement = $dbh->prepare("INSERT INTO
users(firstname,lastname,email,password,accounttype)
VALUES (:firstname, :lastname, :email, :password, :accounttype)");
if ($statement->execute($_POST) !== true) {
// there was some kind of error
// perhaps $statement->errorInfo() will tell you something
}