Check whether the username exists, and send a verification email if the account is created

Time: 2014-04-14 21:23:03

Tags: php sql registration

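If I use the mysqli_real_escape_string function to escape against SQL injection, my query fails. If the user is created, I want to send an activation email containing a URL and a key, so that I can read it with $_GET and record in the database that the account has been activated (0 > 1).

connection.php is included in the header.php file.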

<?php
    include("inc/header.php");
?>

<?php
    if(isset($_POST["submit"])) {
        $username = trim($_POST["username"]);
        $password = trim($_POST["password"]);

        if(empty($username) || empty($password)) {
            echo "Please fill in all the details";
        }

        $username_check_sql = "SELECT * FROM user WHERE username = '".mysqli_real_escape_string($username)."'";
        $username_check_query = mysqli_query($connection, $username_check_sql);
        $username_row_count = mysqli_num_rows($username_check_query);

        if($username_row_count != 0) {
            echo "Username already exist";
        }

        $password_secure = md5($password);
        $new_user_sql = "INSERT INTO user(username, password, activated) VALUES('".mysqli_real_escape_string($username)."', 
            '".mysqli_escape_string($password_secure)."', 0)";
        $new_user_query = mysqli_query($connection, $new_user_sql);

        $key = uniqid();

        $to = $username;
        $subject = "activation required";
        $header = "from: test";
        $message = "Your Confirmation link\n";
        $message .= "Click on this link to activate your account\n";
        $message .= "localhost/examen/activate_account.php?key=".$key."";

        $sendmail = mail($to, $subject, $message, $header);

        header("location: registreren_success.php?account=made");
        exit;
    }

?>

    <div class="registratie-container">
        <div class="container">
            <form method="POST" action="<?php echo htmlentities($_SERVER["PHP_SELF"]);?>">
                <div class="form-group">
                    <label for="username">Username</label>
                    <input type="email" name="username" id="username" placeholder="Username">
                </div>
                <div class="form-group">
                    <label for="password">Password</label>
                    <input type="password" name="password" id="password" placeholder="Password">
                </div>
                <div class="form-group">
                    <input type="submit" name="submit" id="submit" value="Registreer">
                </div>
            </form>
        </div>
    </div>

<?php
    include("inc/footer.php");
?>
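
An added example, not part of the original question: the same register-then-activate flow with bound parameters instead of string escaping, with the key stored so that the `$_GET` handler can flip `activated` from 0 to 1. Assumptions: PDO with a constructed in-memory SQLite database so it runs without a server (the question uses mysqli, where `mysqli_prepare` provides the same binding), a hypothetical `activation_key` column, and `password_hash()` and `random_bytes()` swapped in for `md5()` and `uniqid()`.

```php
<?php
declare(strict_types=1);

// Constructed schema. The activation_key column is an assumption; the
// question's table only shows username, password and activated.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        username TEXT PRIMARY KEY,
        password TEXT NOT NULL,
        activated INTEGER NOT NULL DEFAULT 0,
        activation_key TEXT)');
    return $db;
}

// Returns the one-time key for the activation link, or null if the
// username is already taken. Values are bound, never concatenated.
function register_user(PDO $db, string $username, string $password): ?string {
    $check = $db->prepare('SELECT 1 FROM user WHERE username = ?');
    $check->execute([$username]);
    if ($check->fetchColumn() !== false) {
        return null;
    }
    $key = bin2hex(random_bytes(16)); // unpredictable, unlike uniqid()
    $insert = $db->prepare('INSERT INTO user
        (username, password, activated, activation_key) VALUES (?, ?, 0, ?)');
    // Only a hash of the key is stored, so a database leak exposes no live links.
    $insert->execute([$username, password_hash($password, PASSWORD_DEFAULT),
        hash('sha256', $key)]);
    return $key;
}

// Sets activated to 1 for the account that owns the key. The key is cleared,
// so a second request with the same link changes nothing.
function activate_account(PDO $db, string $key): bool {
    $update = $db->prepare('UPDATE user SET activated = 1, activation_key = NULL
        WHERE activation_key = ? AND activated = 0');
    $update->execute([hash('sha256', $key)]);
    return $update->rowCount() === 1;
}

$db  = open_db();
$key = register_user($db, "o'brien@example.test", 'correct horse'); // constructed input
var_dump($key !== null);                                  // account created
var_dump(register_user($db, "o'brien@example.test", 'x')); // duplicate username
var_dump(activate_account($db, 'not-a-real-key'));        // unknown key
var_dump(activate_account($db, $key));                    // first use of the link
var_dump(activate_account($db, $key));                    // replay of the same link
```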

0 answers:

No answers