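PHP-Login - Change the code to validate only the username instead of the email

Time: 2014-11-13 00:59:42

Tags: php mysql email login registration

Update: Sorry, a lot of these comments are wrong - the code is not vulnerable to SQL injection; I think people should check the PHP-Login.net script. It is all escaped, etc. I will link to the full script below. Also, the new SQL query I have works, so it can't be quote related; the only thing still happening is that it checks whether the same PIN has been used more than once, because it thinks it is the email field, but I've taken that piece of code out. That makes no sense. Anyway, the whole page is: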

<?php

/**
 * Class registration
 * handles the user registration
 */
class Registration
{
    /**
     * @var object $db_connection The database connection
     */
    private $db_connection = null;
    /**
     * @var array $errors Collection of error messages
     */
    public $errors = array();
    /**
     * @var array $messages Collection of success / neutral messages
     */
    public $messages = array();

    /**
     * the function "__construct()" automatically starts whenever an object of this class is created,
     * you know, when you do "$registration = new Registration();"
     */
    public function __construct()
    {
        if (isset($_POST["register"])) {
            $this->registerNewUser();
        }
    }

    /**
     * handles the entire registration process. checks all error possibilities
     * and creates a new user in the database if everything is fine
     */
    private function registerNewUser()
    {
        if (empty($_POST['user_name'])) {
            $this->errors[] = "Empty Username";
        } elseif (empty($_POST['user_password_new']) || empty($_POST['user_password_repeat'])) {
            $this->errors[] = "Empty Password";
        } elseif ($_POST['user_password_new'] !== $_POST['user_password_repeat']) {
            $this->errors[] = "Passwords do not match";
        } elseif (strlen($_POST['user_password_new']) < 6) {
            $this->errors[] = "Password has a minimum length of 6 characters";
        } elseif (strlen($_POST['user_name']) > 64 || strlen($_POST['user_name']) < 2) {
            $this->errors[] = "Username cannot be shorter than 2 or longer than 64 characters";
        } elseif (!preg_match('/^[a-z\d]{2,64}$/i', $_POST['user_name'])) {
            $this->errors[] = "Username does not fit the name scheme: only a-Z and numbers are allowed, 2 to 64 characters";
        } elseif (empty($_POST['user_email'])) {
            $this->errors[] = "PIN Number cannot be empty";
        } elseif (strlen($_POST['user_email']) > 4) {
            $this->errors[] = "PIN cannot be longer than 4 characters";
        } elseif (!preg_match('/^[a-z\d]{3,4}$/i', $_POST['user_email'])) {
            $this->errors[] = "PIN does not fit the required scheme: only a-Z and numbers are allowed, 3 to 4 characters";
        } elseif (!empty($_POST['user_name'])
            && strlen($_POST['user_name']) <= 64
            && strlen($_POST['user_name']) >= 2
            && preg_match('/^[a-z\d]{2,64}$/i', $_POST['user_name'])
            && !empty($_POST['user_email'])
            && strlen($_POST['user_email']) <= 4
            && !empty($_POST['user_password_new'])
            && !empty($_POST['user_password_repeat'])
            && ($_POST['user_password_new'] === $_POST['user_password_repeat'])
        ) {
            // create a database connection
            $this->db_connection = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);

            // change character set to utf8 and check it
            if (!$this->db_connection->set_charset("utf8")) {
                $this->errors[] = $this->db_connection->error;
            }

            // if no connection errors (= working database connection)
            if (!$this->db_connection->connect_errno) {

                // escaping, additionally removing everything that could be (html/javascript-) code
                $user_name = $this->db_connection->real_escape_string(strip_tags($_POST['user_name'], ENT_QUOTES));
                $user_email = $this->db_connection->real_escape_string(strip_tags($_POST['user_email'], ENT_QUOTES));

                $user_password = $_POST['user_password_new'];

                // crypt the user's password with PHP 5.5's password_hash() function, results in a 60 character
                // hash string. the PASSWORD_DEFAULT constant is defined by the PHP 5.5, or if you are using
                // PHP 5.3/5.4, by the password hashing compatibility library
                $user_password_hash = password_hash($user_password, PASSWORD_DEFAULT);

                // check if username already exists
                $sql = "SELECT * FROM users WHERE user_name = '" . $user_name . "' OR user_email = '" . $user_email1 . "';";
                $query_check_user_name = $this->db_connection->query($sql);

                if ($query_check_user_name->num_rows == 1) {
                    $this->errors[] = "Sorry, that username is already taken.";
                } else {
                    // write new user's data into database
                    $sql = "INSERT INTO users (user_name, user_password_hash, user_email)
                            VALUES('" . $user_name . "', '" . $user_password_hash . "', '" . $user_email . "');";
                    $query_new_user_insert = $this->db_connection->query($sql);

                    // if user has been added successfully
                    if ($query_new_user_insert) {
                        $this->messages[] = "Your account has been created successfully. You can now log in.";
                    } else {
                        $this->errors[] = "Sorry, your registration failed. Please go back and try again.";
                    }
                }
            } else {
                $this->errors[] = "Sorry, no database connection.";
            }
        } else {
            $this->errors[] = "An unknown error occurred.";
        }
    }
}

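OK, so I am using the php-login.net script, and I must say I highly recommend it; I only discovered it a few days ago. It is very powerful, secure and easy to use!

My main problem is that I can't figure out the error with it currently checking two things when registering a new user.

1) The username is not already registered. 2) The email is not already registered.

Now I am actually using the email field as a PIN number field, basically just keeping the email name to save time. So of course I don't want to validate whether people have used the same PIN, since that is inevitable; I only need to know about the username.

This is the original code: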

$sql = "SELECT * FROM users WHERE user_name = '" . $user_name . "' OR user_email = '" . $user_email1 . "';";
                $query_check_user_name = $this->db_connection->query($sql);

                if ($query_check_user_name->num_rows == 1) {
                    $this->errors[] = "Sorry, that username / email address is already taken.";
                } else {

Now I have tried making it

$sql = "SELECT * FROM users WHERE user_name = $user_name";

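However, there must be something else wrong with it, because although it will let me register a user if there is no user with the same username or password, if I register with the same PIN it comes up as "Sorry, your registration failed. Please go back and try again.". If I try the original code and use the same PIN, the error comes up as "Sorry, that username / email address is already taken." I just don't understand; I have looked through all the code and cannot figure out where it is still validating the email field!!!

Any help would be greatly appreciated! All the code is exactly the same as on the website, and this is the only edit I have tried to make, so it is very easy to recreate the same error!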

2 Answers:

Answer 0: (score: 1)

Check that your email index is not set to unique..

You can remove them in MySQL's admin panel.

Or you can:

alter table users drop index email;

Answer 1: (score: 0)

You need to do the following query:

 SELECT * FROM users WHERE user_name = '$user_name' //<< here

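But!

As you are using mysqli_, you should definitely rewrite your code as prepared statements, because you are wide open to SQL injection with your actual code. Here is a simple example: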

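<?php
$mysqli = new mysqli("localhost", "user", "password", "db");

if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

// value to look up, taken from the registration form
$username = $_POST['user_name'];

// select a single column so it matches the single bind_result() variable
if ($stmt = $mysqli->prepare("SELECT user_name FROM users WHERE user_name=?")) {
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($whatever);
    $stmt->fetch();
    // fixed format string; the fetched value is only ever an argument
    printf("%s\n", $whatever);
    $stmt->close();
}
$mysqli->close();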

Or do yourself a favor and start using PDO today
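
The following is an added example, not code from either answer or from the php-login.net script. It combines the two answers: the username check and the INSERT use prepared statements, and a rejection by a unique index on the PIN column is reported as a constraint violation instead of a generic failure. Assumptions: SQLite in memory stands in for the MySQL server so the block runs offline, the schema and the index name `email` are constructed from the first answer, and `registerUser` is a hypothetical helper.

```php
<?php
// SQLite in memory stands in for MySQL; the schema is constructed for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    user_id INTEGER PRIMARY KEY,
    user_name TEXT NOT NULL UNIQUE,
    user_password_hash TEXT NOT NULL,
    user_email TEXT NOT NULL)');
// The unique index the first answer suspects (index name is an assumption).
$db->exec('CREATE UNIQUE INDEX email ON users (user_email)');

/** Hypothetical helper: registers a user, checking only the username. */
function registerUser(PDO $db, string $name, string $password, string $pin): string
{
    // Values are bound as parameters, never concatenated into the SQL text.
    $check = $db->prepare('SELECT COUNT(*) FROM users WHERE user_name = ?');
    $check->execute([$name]);
    if ((int) $check->fetchColumn() > 0) {
        return 'Sorry, that username is already taken.';
    }
    try {
        $insert = $db->prepare(
            'INSERT INTO users (user_name, user_password_hash, user_email)
             VALUES (?, ?, ?)'
        );
        $insert->execute([$name, password_hash($password, PASSWORD_DEFAULT), $pin]);
        return 'Your account has been created successfully.';
    } catch (PDOException $e) {
        // SQLSTATE 23000: a UNIQUE index rejected the row even though the
        // SELECT above found no matching username.
        if (($e->errorInfo[0] ?? null) === '23000') {
            error_log($e->getMessage()); // names the offending column for the admin
            return 'Sorry, your registration failed (unique index violation).';
        }
        throw $e;
    }
}

// First user with PIN 1234, then a different username reusing the same PIN.
echo registerUser($db, 'alice', 'secret1', '1234'), PHP_EOL;
echo registerUser($db, 'bob', 'secret2', '1234'), PHP_EOL;
// SQLite spelling of the first answer's "alter table users drop index email".
$db->exec('DROP INDEX email');
// The same registration is attempted again without the index on the PIN column.
echo registerUser($db, 'bob', 'secret2', '1234'), PHP_EOL;
```

The UNIQUE constraint on `user_name` stays in place, so two simultaneous registrations of the same name are still rejected by the database even if both pass the SELECT check.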