这是一个简单的PHP代码,我想通过它插入数据库表。但我不知道为什么这不起作用。
<!DOCTYPE html>
<html>
<meta charset="utf-8">
<title>Registration</title>
</head>
<body>
<form method = "POST" action = "checkregister.php">
<label for = "email">EmailID</label>
<input type = "text" id = "email" name = "email" /><br />
<label for = "pass">Password</label>
<input type = "text" id = "pass" name = "pass" /><br />
<input type = "submit" name = "submit" value = "submit" />
</form>
</body>
</html>
checkregister.php
<?php
$conn = mysqli_connect('localhost', 'root', '', 'justdental')
or die("couldn't connect");
$email = $_POST['email'];
$pass = $_POST['pass'];
$query = "INSERT INTO register (email, pass) VALUES ('$email', '$pass')";
mysqli_query($conn, $query)
or die("Not connecting");
echo 'Registered Succesfully!';
mysqli_close($conn);
?>
答案 0 :(得分:-1)
您应该检查是否已过帐:
<?php
$conn = mysqli_connect('localhost', 'root', '', 'justdental')
or die("couldn't connect");
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
if (!mysqli_query($conn, "SELECT * FROM register WHERE 1=1" ) ) {
printf("Errormessage: %s\n", mysqli_error($conn));
}
if(isset( $_POST['email'] ) ){
$email = $_POST['email'];
} else{
echo "could not get email .";
}
if( isset( $_POST['pass'] ) ){
$pass = $_POST['pass'];
} else{
echo 'Password could not get.';
}
if( $email && $pass ){
$query = "INSERT INTO register ( email, pass) VALUES ('" . $email . "','" . $pass . "')";
$result = mysqli_query($conn, $query);
if( isset($conn->insert_id) && $conn->insert_id ){
echo 'Registered Succesfully!';
} else {
printf("Error: %s\n", $conn->error);
}
}
mysqli_close($conn);
?>
此代码存在一些严重的安全问题,我没有修复这些问题以避免混淆问题。首先,代码很容易受到SQL注入的攻击,这可能会导致人们绕过您的凭据检查,如果它生效了。
此外,您的密码不会被散列,因此可以使用SQL注入漏洞读取,也可以使用其他方式窃取数据库。这将使您的用户&#39;风险安全,因为人们 - 尽管有业界的建议 - 经常会重复使用密码。