努力查看错误在这里,尝试使用密码盐将一些字段提交到数据库中以及将新用户添加到我的网站(我将提高安全性)但是因为我得到了使用var_dump获得正确的结果,请参阅下文,因为我无法发现问题?
以下是表格:
<form action="actions/add_emp.php" method="post">
<input type="text" name="user" placeholder="Username" required="required" /><br/>
<input type="text" name="pass" type="password" placeholder="Password"/></label><br/>
<input type="text" name="firstname" id="name" required="required" placeholder="Firstname"/><br />
<input type="text" name="lastname" id="email" required="required" placeholder="Lastname"/><br/>
<input type="email" name="emailAddress" id="city" required="required" placeholder="Email Address"/><br/>
<input type="text" name="extension" id="extension" required="required" placeholder="Extension Number"/><br/>
<select name="title">
<option selected disabled>Please Select a Job Title...</option>
<option disabled></option>
<option disabled>Helpesk:</option>
<option value="Technical Support Advisor">Technical Support Advisor</option>
<option value="Deputy Team Leade">Deputy Team Leader</option>
<option value="Team Leader">Team Leader</option>
<option value="Incident Resolution Advisor">Incident Resolution Advisor</option>
<option disabled></option>
<option disabled>Call Centre:</option>
<option value="Technical Support Advisor">Technical Support Advisor</option>
<option value="">Deputy Team Leader</option>
<option value="">Team Leader</option>
<option disabled></option>
</select>
<br><br>
<input type="submit" value="Add User" name="submit"/><br />
</form>
这是动作脚本:
<?
error_reporting(E_ALL);
ini_set('display_errors', 1);
if(isset($_POST['submit'])){
include_once'../../config.php';
$dbh = new PDO("mysql:host=$hostname;dbname=dashboardr",$username,$password);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(isset($_POST['user']) && isset($_POST['pass'])){
$password=$_POST['pass'];
$sql=$dbh->prepare("SELECT COUNT(*) FROM `user_login` WHERE `username`=?");
$sql->execute(array($_POST['user']));
if($sql->fetchColumn()!=0){
die("User Exists");
}else{
function rand_string($length) {
$str="";
$chars = "MY SALT LIVES HERE - NOT THE MOST SECURE I KNOW!";
$size = strlen($chars);
for($i = 0;$i < $length;$i++) {
$str .= $chars[rand(0,$size-1)];
}
return $str;
}
$p_salt = rand_string(20);
$site_salt="MYCUSTOMSALT";
$salted_hash = hash('sha256', $password.$site_salt.$p_salt);
$sql=$dbh->prepare("INSERT INTO `user_login` (`id`, `username`, `password`, `psalt`, `firstname`, `lastname`, `emailAddress`, `extension`)
VALUES (NULL, ?, ?, ?, '".$_POST["firstname"]."','".$_POST["lastname"]."','".$_POST["emailAddress"]."','".$_POST["extension"]."';");
var_dump($sql);
$sql->execute(array($_POST['user'], $salted_hash, $p_salt));
header ('Location: ../list_emp.php');
}
}
}
?>
我是PDO的新手,所以我还在学习。
哦,这是var_dump的结果:
object(PDOStatement)#3 (1) { ["queryString"]=> string(203) "INSERT INTO `user_login` (`id`, `username`, `password`, `psalt`, `firstname`, `lastname`, `emailAddress`, `extension`) VALUES (NULL, ?, ?, ?, 'firstname','lastname','email@email.com','1234';" }
这是错误:
致命错误:未捕获的异常&#39; PDOException&#39; with message&#39; SQLSTATE [42000]:语法错误或访问冲突:1064 SQL语法中有错误;查看与您的MySQL服务器版本相对应的手册,以获得在&#39;&#39;附近使用的正确语法。在第2行&#39; in / Applications / MAMP / htdocs / dashboardr v3.2.3 / admin / actions / add_emp.php:72堆栈跟踪:#0 / Applications / MAMP / htdocs / dashboardr v3.2.3 / admin / actions / add_emp.php(72): PDOStatement-&gt;在第72行的/ Applications / MAMP / htdocs / dashboardr v3.2.3 / admin / actions / add_emp.php中抛出执行(数组)#1 {main}
答案 0 :(得分:2)
问题是您在查询上没有右括号。
context.Bookings.AddOrUpdate(
b => b.CheckIn,
new Booking()
{
CheckIn = new DateTime(2015, 09, 12),
CheckOut = new DateTime(2015, 09, 21),
RoomId = 1,
CustomerId = 1,
},
new Booking()
{
CheckIn = new DateTime(2015, 06, 01),
CheckOut = new DateTime(2015, 06,08),
RoomId = 2,
CustomerId = 2
});
需要
INSERT INTO `user_login` (`id`, `username`, `password`, `psalt`, `firstname`, `lastname`, `emailAddress`, `extension`)
VALUES (NULL, ?, ?, ?, 'firstname','lastname','email@email.com','1234';
但是你的代码有更严重的问题。您正在使用准备好的声明错误。更多要关注....
您永远不会将用户输入直接放入查询中。这是准备语句和参数的原因。您使用占位符INSERT INTO `user_login` (`id`, `username`, `password`, `psalt`, `firstname`, `lastname`, `emailAddress`, `extension`)
VALUES (NULL, ?, ?, ?, 'firstname','lastname','email@email.com','1234');
,然后在execute语句中稍后绑定参数,如下所示:
?