我试图检查用户名是否已经注册。如果没有,我想注册它,然后给出Role的值。不幸的是,它没有做到> _<它虽然可以登录...
注册码:
<?php
$con=mysqli_connect("localhost","root","password","d_database");
if (mysqli_connect_errno($con)){
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$Role = $_POST['Role']
$result = mysqli_query($con,"SELECT Role FROM user where username='$username'");
$row = mysqli_fetch_array($result);
if(mysql_num_rows($row)==0){
$qry = "INSERT INTO user(fname, lname, username, email, password, Role)
value('fname', 'lname', 'username', 'email', 'password', 'Role'");
$result = mysqli_query($con,"SELECT Role FROM user where
username='$username'");
$row = mysqli_fetch_array($result);
$data = $row[0];
echo $data;
}else{
echo"name already exists";
}
mysqli_close($con);
?>
我的登录代码
<?php
$con=mysqli_connect("localhost","root","password","d_database");
if (mysqli_connect_errno($con)){
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$username = $_POST['username'];
$password = $_POST['password'];
$result = mysqli_query($con,"SELECT Role FROM user where
username='$username' and password='$password'");
$row = mysqli_fetch_array($result);
$data = $row[0];
if($data){
echo $data;
}
mysqli_close($con);
?>
答案 0 :(得分:0)
<?php
$pdo = new PDO('mysql:host=localhost;dbname=d_database', 'root', 'password');
$username = $_POST['username'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$password = $_POST['password'];
$Role = $_POST['Role'];
$roleStmt = $pdo->prepare("SELECT Role FROM user WHERE username = :username");
$roleStmt->bindParam(':username', $username, PDO::PARAM_STR);
if(!$roleStmt->execute()) {
echo "Failed to execute role selection";
}
if($roleStmt->rowCount() > 0) {
echo "name already exists";
} else {
$userStmt = $pdo->prepare("INSERT INTO user (fname, lname, username, email, password, Role) VALUES (:fname, :lname, :username, :email, :password, :Role)");
$userStmt->bindParam(':fname', $fname, PDO::PARAM_STR);
$userStmt->bindParam(':lname', $lname, PDO::PARAM_STR);
$userStmt->bindParam(':username', $username, PDO::PARAM_STR);
$userStmt->bindParam(':email', $email, PDO::PARAM_STR);
$userStmt->bindParam(':password', $password, PDO::PARAM_STR);
$userStmt->bindParam(':Role', $Role, PDO::PARAM_STR);
if(!$userStmt->execute() OR $userStmt->rowCount() == 0) {
print_r($userStmt->errorInfo());
echo "could not create user";
} else {
echo "User created <br/>";
if($roleStmt->execute()) {
$role = $roleStmt->fetch();
echo "Users Role: ${role['Role']}";
}
}
}
作为提示,请不要使用这样的毫无准备的陈述。您正在将php变量注入sql语句,这非常危险。
$result = mysqli_query($con,"SELECT Role FROM user where
username='$username' and password='$password'");
如果有人试图让你伤心,他或她可以进入
x'; DROP ALL TABLES; --
因为他们的用户名或密码和数据库表将消失,所以请始终准备参数。我建议你阅读PDO http://www.phptherightway.com/#databases_interacting或使用图书馆。然后看看他们的实现。注册和登录等内容非常重要。