Question

我是PHP的新手。我正在尝试为项目创建一个登录/注册系统，所以我使用的是我发现的登录系统源代码，它具有许多功能和功能，如盐渍密码。系统本身工作正常，但我试图在我的MySQL表中添加更多字段。系统有一个额外列的数组，但我认为这导致了错误的mysql语法，所以我决定自己使用变量写出查询，但我不知道如何能够访问函数的变量。变量在register.php文件中，这里是代码（所有register.php）：

        if( isset($_POST['submit']) ){
            $firstname = $_POST['firstname'];
            $lastname = $_POST['lastname'];
            $user    = $_POST['username'];
            $sex = $_POST['sex'];
            $country = $_POST['strCountryChoice'];
            $email = $_POST['email'];
            $pass    = $_POST['pass'];
            $pass2 = $_POST['pass2'];
            $birthdate = $_POST['birthdate'];
            $created = date("Y-m-d H:i:s");
            //need to add a lot more validation functions.. AKA Check if email exists and username. Password > 5 chars
            if( $user=="" || $email=="" || $pass=='' || $pass2=='' || $firstname=='' || $lastname='' || $sex='' || $country='' || $birthdate='' ){
                echo "Fields Left Blank","Some Fields were left blank. Please fill up all fields.";
                exit;
            }
            if( !$LS->validEmail($email) ){
                echo "E-Mail Is Not Valid", "The E-Mail you gave is not valid";
                exit;
            }
            if( !ctype_alnum($user) ){
                echo "Invalid Username", "The Username is not valid. Only ALPHANUMERIC characters are allowed and shouldn't exceed 10 characters.";
                exit;
            }
            if($pass != $pass2){
                echo "Passwords Don't Match","The Passwords you entered didn't match";
                exit;
            }
        $createAccount = $LS->register($user, $pass,
                array(
                    "email"      => $email,
                    "name"   => $firstname,
                    "lastname" => $lastname,
                    "gender" => $sex,
                    "country" => $country,
                    "DOB" => $birthdate,
                    "created" => date("Y-m-d H:i:s") // Just for testing

                )
            );
            if($createAccount === "exists"){
                echo "User Exists.";
            }elseif($createAccount === true){
                echo "Success. Created account.";
            }
    }

整个系统发生在具有该类的另一个文件中。这是寄存器功能：

public function register( $id, $password, $other = array() ){
    if( $this->userExists($id) && (isset($other['email']) && $this->userExists($other['email'])) ){
        return "exists";
    }else{
        $randomSalt = $this->rand_string(20);
        $saltedPass = hash('sha256', "{$password}{$this->passwordSalt}{$randomSalt}");

        if( count($other) == 0 ){
            /* If there is no other fields mentioned, make the default query */
            //old query: ("INSERT INTO `{$this->dbtable}` (`username`, `password`, `password_salt`) VALUES(:username, :password, :passwordSalt)");
            //new query: ("INSERT INTO `{$this->dbtable}` (`username`, 'email' , `password`, `password_salt` , 'name' , 'lastname' , 'gender' , 'country' , 'DOB') VALUES(:username, :email, :pass, :passwordSalt, :firstname, :lastname, :gender, :country, :DOB)");
            $sql = $this->dbh->prepare("INSERT INTO `{$this->dbtable}` (`username`, `password`, `password_salt`) VALUES(:username, :password, :passwordSalt)");
        }else{
            /* if there are other fields to add value to, make the query and bind values according to it */
            //old query: ("INSERT INTO `{$this->dbtable}` (`username`, `password`, `password_salt`, $columns) VALUES(:username, :password, :passwordSalt, :$colVals)");
            //new query: ("INSERT INTO `{$this->dbtable}` (`username`, 'email' , `password`, `password_salt` , 'name' , 'lastname' , 'gender' , 'country' , 'DOB') VALUES(:username, :email, :pass, :passwordSalt, :firstname, :lastname, :gender, :country, :DOB)");
            $keys    = array_keys($other);
            $columns = implode(",", $keys);
            $colVals = implode(",:", $keys);
        //l= $this->dbh->prepare("INSERT INTO `{$this->dbtable}` (`username`, `password`, `password_salt`, $columns) VALUES(:username, :password, :passwordSalt, :$colVals)");
            //INSERT INTO MyGuests (firstname, lastname, email)cLUES ('John', 'Doe', 'john@example.com')
            $sql = $this->dbh->prepare("INSERT INTO `{$this->dbtable}` (username,email,password,password_salt,name,lastname,created,gender,country,DOB) VALUES ('$username','$email','$pass','$saltedPass','$firstname','$lastname','$created','$gender','$country','$birthdate')");
            print($sql);
            foreach($other as $key => $value){
                $value = htmlspecialchars($value);
                $sql->bindValue(":$key", $value);
            }
        }
        /* Bind the default values */
        $sql->bindValue(":username", $id);
        $sql->bindValue(":password", $saltedPass);
        $sql->bindValue(":passwordSalt", $randomSalt);
        $sql->execute();
        return true;
    }
}

所以我需要在类文件中使用register.php中的变量。我可以将它包含在顶部，还是需要对该功能进行特定的操作？

感谢。我之后专注于$ sql行。

Answer 1

是的，您可以在类文件中包含/ require register.php文件以使用所有变量。

另一方面，我想提一下，在将数据添加到查询中以解决安全问题之前，应始终过滤掉POST数据。

快速PHP变量指南

1 个答案: