I'm making a registration script. This is what I did:
Connect.php
<?php
// Legacy mysql_* extension (removed in PHP 7); kept as posted
$Connessione = mysql_connect('localhost','root','');
$Database = mysql_select_db('my_database');
if(!$Connessione) {
    // mysql_error() is a function call and needs the parentheses
    echo "Errore di connessione: ".mysql_error();
}
else {
    echo "";
}
?>
Register.php
<html>
<head>
<title>Registrati o loggati</title>
<meta charset="utf-8">
</head>
<body>
<h1>Sei nuovo? Registrati! Sei già registrato? Loggati!</h1>
<form action="full.php" name="registrazione" method="post">
NickName (Massimo 10 caratteri): <input type="text" name="nickname" maxlength="10" required/>
<br><br>
Password: <input type="password" name="psw" required/><br>
<input type="submit" value="Registrati" name="registrati"/>
</form>
</body>
</html>
full.php
<?php
include('connect.php');
if(isset($_POST['registrati'])) {
    $Username = $_POST['nickname'];
    // The password field in the form is named "psw", not "password"
    $Password = md5($_POST['psw']);
    $Escape = mysql_real_escape_string($Username);
    // Both values are interpolated into the SQL text without surrounding quotes
    $Query = "INSERT INTO sito (user, password) VALUES($Escape, $Password)";
    $Esecuzione = mysql_query($Query);
    if(!$Esecuzione) {
        echo "Errore: ".mysql_error();
    } else {
        echo "";
    }
}
?>
When I run it and click the button, it tells me (for example, if I put "John" in the nickname) Errore: Unknown column 'John' in 'field list'. Why? Is this code open to SQL injection? Thanks
Answer 0 (score: 3)
I believe you need to quote your values:
$Query = "INSERT INTO `sito` (`user`, `password`) VALUES('$Escape', '$Password')";
Also, you may want to look into mysqli or PDO instead of using the mysql_* functions.
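Quoting the values makes the INSERT run, but the nickname still travels inside the SQL text (escaping only protects a value that sits inside quotes, which is exactly what the original query forgot), and md5() is not a password hash. The following is an added example, not code from the question or from either answer: full.php rewritten with PDO prepared statements and password_hash(). It assumes the same MySQL server on localhost, database my_database, a table sito(user, password) whose password column has been widened to VARCHAR(255) to hold a password_hash() result, and the field names from Register.php (nickname, psw, registrati).

```php
<?php
// Added example (not the question's or answers' code): registration with
// PDO prepared statements. The nickname and the hash are sent to MySQL as
// parameters, never pasted into the statement text, so the unquoted-value
// error and the injection hole both disappear.
// Assumptions: MySQL on localhost, database my_database, table sito with
// columns user and password (password VARCHAR(255) or wider).

$dsn = 'mysql:host=localhost;dbname=my_database;charset=utf8mb4';
$pdo = new PDO($dsn, 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

/** Store a new user; the caller handles duplicate nicknames via the thrown PDOException. */
function registerUser(PDO $pdo, string $username, string $password): void
{
    // md5() is a fast digest with no salt; password_hash() uses bcrypt with a per-user salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // A nickname such as  x'), ('admin', 'pwned  is stored literally, not executed:
    // the placeholders are bound separately from the statement.
    $stmt = $pdo->prepare('INSERT INTO sito (user, password) VALUES (:user, :password)');
    $stmt->execute([':user' => $username, ':password' => $hash]);
}

/** Login counterpart: true only if the user exists and the password matches the stored hash. */
function verifyLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM sito WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password']);
}

if (isset($_POST['registrati'])) {
    $username = $_POST['nickname'] ?? '';
    $password = $_POST['psw'] ?? '';

    // Enforce on the server what maxlength="10" only suggests in the browser.
    if ($username === '' || strlen($username) > 10 || $password === '') {
        http_response_code(400);
        exit('Nickname (max 10 characters) and password are required.');
    }

    registerUser($pdo, $username, $password);
    // Escape for HTML output: the nickname comes straight from the user.
    echo 'Registered ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}
```

The charset in the DSN matters: the server must know which encoding the connection uses for any quoting or escaping to be reliable, and setting it in the DSN is the PDO way to do that. With ATTR_EMULATE_PREPARES off, the statement and its parameters go to MySQL as separate protocol messages, which is what makes the injection question moot rather than merely mitigated.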
Answer 1 (score: 0)
Hope you can check this. The MySQL code can be converted to MySQLi. MySQL is deprecated.
Connect.php
<?php
$con=mysqli_connect("localhost","root","","my_database");
if(mysqli_connect_errno()){
echo "Error".mysqli_connect_error();
}
?>
full.php
<?php
include('connect.php');
if(isset($_POST['registrati'])) {
    $Username = $_POST['nickname'];
    $Password = md5($_POST['psw']); // the form field is named "psw"
    // $con is a mysqli link, so the mysqli escaping function is needed (it takes the link first)
    $Escape = mysqli_real_escape_string($con, $Username);
    /* START OF CHECK IF INPUT IS ALREADY IN DATABASE */
    $result=mysqli_query($con,"SELECT * FROM sito WHERE user='$Escape'");
    if(mysqli_num_rows($result)==0){ /* IF USERNAME HASN'T BEEN TAKEN YET */
        mysqli_query($con,"INSERT INTO sito (user, password) VALUES ('$Escape','$Password')");
    }
    else {
        // SQL escaping is not HTML escaping: encode the raw nickname for output
        echo htmlspecialchars($Username, ENT_QUOTES, 'UTF-8')." is already taken.";
    }
} /* END OF ISSET REGISTRATI */
?>
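The SELECT-then-INSERT check in this answer is not atomic: two requests registering the same nickname at the same moment can both see zero rows and both insert. As an added example that is not Answer 1's code, here is the same "already taken" check done by the database itself, with a UNIQUE index on sito.user and a prepared INSERT through mysqli, catching the duplicate-key error instead of querying first. It assumes the same localhost server, database my_database and table sito(user, password), and that the one-time ALTER TABLE shown in the comment has been run.

```php
<?php
// Added example (not Answer 1's code): atomic duplicate-nickname handling.
// Assumptions: MySQL on localhost, database my_database, table sito(user, password).
// One-time schema change assumed to have been run:
//   ALTER TABLE sito ADD UNIQUE INDEX uniq_user (user),
//                    MODIFY password VARCHAR(255) NOT NULL;

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become mysqli_sql_exception
$con = mysqli_connect('localhost', 'root', '', 'my_database');
mysqli_set_charset($con, 'utf8mb4'); // the connection charset must be set explicitly

const ER_DUP_ENTRY = 1062; // MySQL error number raised when a UNIQUE index is violated

/**
 * Insert the user; returns true on success, false if the nickname already exists.
 * Any other database error propagates as an exception.
 */
function registerUser(mysqli $con, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt with per-user salt, not md5
    $stmt = mysqli_prepare($con, 'INSERT INTO sito (user, password) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash); // bound as values, no escaping needed
    try {
        mysqli_stmt_execute($stmt);
        return true;
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === ER_DUP_ENTRY) {
            return false; // the name was taken, or we lost the race with a concurrent request
        }
        throw $e;
    } finally {
        mysqli_stmt_close($stmt);
    }
}

if (isset($_POST['registrati'])) {
    $username = $_POST['nickname'] ?? '';
    $password = $_POST['psw'] ?? '';
    if ($username === '' || strlen($username) > 10 || $password === '') {
        http_response_code(400);
        exit('Nickname (max 10 characters) and password are required.');
    }
    if (registerUser($con, $username, $password)) {
        echo 'Registered.';
    } else {
        // HTML-encode the raw nickname before echoing it back
        echo htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . ' is already taken.';
    }
}
```

Letting the UNIQUE index decide means the check and the insert are one operation on the server, so there is no window for a second request to slip in between them; the SELECT in Answer 1 is then unnecessary, and with bound parameters the mysqli_real_escape_string() call goes away as well.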