我自己学习PHP,PDO和MySQL,并且我在这里试图建立一个高级登录系统。以下部分是" register.php ":
所有显然都很顺利,直到我们到达 INSERT 部分,因为没有任何反应。
我是设计师,我喜欢一切都干净,我的代码不是这样,所以如果你们中的一个人帮我提供如何清理我的代码的提示,我将非常感谢:)
我是Brazillian,所以有些文字是葡萄牙语,但我认为我不需要翻译,因为它们只是代码后面的常见警报信息。
<?php
require('include/core.php');
require('include/func.php');
if(isset($_POST['submit'])) {
//Information
$user = htmlentities($_POST['user']);
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
$email = $_POST['email'];
$register_date = date('Y-m-d H:i:s');
$email_token = md5(uniqid(rand(),1));
$user_level = "normal";
$ip = get_ip();
//Validation
if(!isset($user)) {
echo "Você não digitou um nome de usuário";
} else if(strlen($user) < 4) {
echo "Digite um nome de usuário com pelo menos 3 Caractéres";
} else if(empty($pass1)) {
echo "Você precisa digitar uma senha.";
} else if(empty($pass2)) {
echo "Você precisa digitar a senha novamente, para confirmação.";
} else if(empty($email)) {
echo "Você precisa digitar um email.";
} else if($pass1 != $pass2) {
echo "As senhas não conferem.";
} else if(filter_var($email, FILTER_VALIDATE_EMAIL) == false) {
echo "Digite o email corretamente.";
} else {
//Checking for Existing User
$query = $database->prepare('SELECT user, email, ip
FROM sk_user WHERE user = ? OR email = ? OR ip = ?');
$query->bindParam(1, $user);
$query->bindParam(2, $email);
$query->bindParam(3, $ip);
$query->execute();
$row = $query->fetch(PDO::FETCH_NUM);
if($row > 0) {
echo "Já existe um usuário com esses dados!";
} else {
$query2 = $database->prepare("INSERT INTO sk_user(user, pass, email, register_date, email_token, user_level, ip) VALUES (:user, :pass, :email, :register_date, :email_token, :user_level, :ip");
$query2->bindParam(':user', $user);
$query2->bindParam(':pass', $pass2);
$query2->bindParam(':email', $email);
$query2->bindParam(':register_date', $register_date);
$query2->bindParam(':email_token', $email_token);
$query2->bindParam(':user_level', $user_level);
$query2->bindParam(':ip', $ip);
$query2->execute();
}
}
?>
答案 0 :(得分:2)
INSERT查询中有一点错误,如下:
$query2 = $database->prepare("INSERT INTO sk_user(user, pass, email, register_date, email_token, user_level, ip) VALUES (:user, :pass, :email, :register_date, :email_token, :user_level, :ip");
应替换为:
$query2 = $database->prepare("INSERT INTO sk_user(user, pass, email, register_date, email_token, user_level, ip) VALUES (:user, :pass, :email, :register_date, :email_token, :user_level, :ip)");
缺少查询的最后一个括号;)
另外,为什么不对两个准备语句使用相同的结构?
答案 1 :(得分:1)
以下行缺少右括号)
关闭(
$query2 = $database->prepare(...
以:user_level, :ip");
$query2 = $database->prepare("INSERT INTO sk_user(user, pass, email, register_date, email_token, user_level, ip) VALUES (:user, :pass, :email, :register_date, :email_token, :user_level, :ip");
将其更改为:(以下行的结尾显示为:user_level, :ip)");
$query2 = $database->prepare("INSERT INTO sk_user(user, pass, email, register_date, email_token, user_level, ip) VALUES (:user, :pass, :email, :register_date, :email_token, :user_level, :ip)");
在打开连接后立即添加$database->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);,包括在您打开<?php标记后立即在文件顶部放置错误报告
error_reporting(E_ALL); ini_set('display_errors', 1);有助于调试代码。
它会发出语法错误信号。
有关密码存储的重要说明:
我注意到您可能正在以纯文本格式存储密码,这是不推荐的,并且不安全。
使用CRYPT_BLOWFISH或PHP 5.5的password_hash()功能
对于PHP&lt; 5.5使用password_hash() compatibility pack。
如果这是针对LIVE网站,不以纯文本格式存储密码,那么您的网站被黑客入侵只是时间问题。
我在Stack上看到太多关于此事的案例,因为人们就是这么做的。