<?php if (isset($_POST['name']) && isset($_POST['username']) && isset($_POST['password']) && isset($_POST['gender']) && isset($_POST['email']) && isset($_POST['phone_number']))
{
try {
$stmtt = $conn->prepare("SELECT COUNT(*) FROM users WHERE username='".$_POST['username']."' email = '".($_POST['email'])."'phone_number='".$_POST['phone_number']."'");
$stmtt->execute();
if($stmt1->fetchColumn()!=1) {
die("cannot continue");
} else {
$fl = $conn->prepare("INSERT INTO users(username,password,name,gender,email,phone) VALUES('".$_POST['username']."','".md5($_POST['password'])."','".$_POST['name']."','".$_POST['gender']."','".$_POST['email']."','".$_POST['phone_number']."')");
$fl->execute();
}
} catch(PDOException $ex) {
echo "fields ".$ex->getMessage();
}
}
答案 0 :(得分:0)
你的代码中有一些拼写错误:
$stmtt = $conn->prepare("SELECT COUNT(*)
FROM users
WHERE username = :username
AND email = :email
AND phone_number = :phoneNumber");
$stmtt->bindParam(':username', $_POST['username'], PDO::PARAM_STR, 20);
$stmtt->bindParam(':email', $_POST['email'], PDO::PARAM_STR, 20);
$stmtt->bindParam(':phoneNumber', $_POST['phone_number'], PDO::PARAM_STR, 20);
$stmtt->execute();
if($stmtt->rowCount() != 1) {
您必须使用绑定才能阻止sql注入...