error_message variable does not display its string value on form submission

Time: 2016-04-06 12:19:33

Tags: php mysql sql

My database validation works fine; if a registered user already exists, the "users" table is not updated. However, my $error_message variable does not display the error message string. Here is my code:

HTML / PHP:


No error message is displayed after the form is submitted. Also, I am not getting any PHP errors, so I'm not sure what the problem is.

Any suggestions would be great.

Thanks, James.

1 answer:

Answer 0 (score: 2)

Keep mysqli and SQL injection in mind.

    This extension was deprecated in PHP 5.5.0 and removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used.

    mysqli::real_escape_string - mysqli_real_escape_string - Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.

    Note: mysqli_real_escape_string() returns an empty string if no connection is open!

    SQL injection is a technique where a malicious user can inject SQL commands into an SQL statement via web page input.

    Injected SQL commands can alter the SQL statement and compromise the security of a web application.

    <?php
    /* Attempt MySQL server connection. Assuming you are running MySQL
       server with default settings (user 'root' with no password) */
    $conn = mysqli_connect("localhost", "root", "", "demo");

    // Check connection
    if ($conn === false) {
        die("ERROR: Could not connect. " . mysqli_connect_error());
    }

    // Validate every field. Note that strlen() must wrap trim(), not the
    // comparison: strlen(trim($x) > 0) measures a boolean, not the input.
    if (isset($_POST['user_forename']) && strlen(trim($_POST['user_forename'])) > 0) {
        $forename = trim($_POST['user_forename']);
    } else {
        $error_message = "Please enter forename";
    }

    if (isset($_POST['user_surname']) && strlen(trim($_POST['user_surname'])) > 0) {
        $surname = trim($_POST['user_surname']);
    } else {
        $error_message = "Please enter surname";
    }

    if (isset($_POST['user_gender']) && strlen(trim($_POST['user_gender'])) > 0) {
        $gender = trim($_POST['user_gender']);
    } else {
        $error_message = "Please enter gender"; // if it is an input field.
    }

    if (isset($_POST['user_email']) && strlen(trim($_POST['user_email'])) > 0) {
        if (filter_var(trim($_POST['user_email']), FILTER_VALIDATE_EMAIL)) {
            $email = trim($_POST['user_email']);
        } else {
            $error_message = "Please enter valid email";
        }
    } else {
        $error_message = "Please enter email";
    }

    if (isset($_POST['user_password']) && strlen(trim($_POST['user_password'])) > 0) {
        // NOTE: stored as entered below; hash it with password_hash() before
        // inserting in real code.
        $password = trim($_POST['user_password']);
    } else {
        $error_message = "Please enter password";
    }

    if (isset($_POST['user_city']) && strlen(trim($_POST['user_city'])) > 0) {
        $city = trim($_POST['user_city']);
    } else {
        $error_message = "Please enter city";
    }

    // Field name 'user_team' is assumed; the insert below needs U_Team.
    if (isset($_POST['user_team']) && strlen(trim($_POST['user_team'])) > 0) {
        $team = trim($_POST['user_team']);
    } else {
        $error_message = "Please enter team";
    }

    if (isset($_POST['user_bio']) && strlen(trim($_POST['user_bio'])) > 0) {
        $bio = trim($_POST['user_bio']);
    } else {
        $error_message = "Please enter Biography";
    }

    // Only escape and query once every variable above is actually set
    if (!isset($error_message)) {
        // Escape user inputs for security
        $forename = mysqli_real_escape_string($conn, $forename);
        $surname  = mysqli_real_escape_string($conn, $surname);
        $gender   = mysqli_real_escape_string($conn, $gender);
        $email    = mysqli_real_escape_string($conn, $email);
        $password = mysqli_real_escape_string($conn, $password);
        $city     = mysqli_real_escape_string($conn, $city);
        $team     = mysqli_real_escape_string($conn, $team);
        $bio      = mysqli_real_escape_string($conn, $bio);

        // checking existing email
        if ($emailcheckquery = mysqli_query($conn, "SELECT * FROM User WHERE U_Email='$email'")) {
            if (mysqli_num_rows($emailcheckquery) > 0) {
                $error_message = "email is already taken!";
            }
        }
    }

    if (!isset($error_message)) {
        // attempt insert query execution; every value is quoted, since
        // escaping only protects inside a quoted string literal
        $insertsql = "INSERT INTO User (U_Forename, U_Surname, U_Gender, U_Email, U_Password, U_City, U_Team, U_Biography)
                      VALUES ('$forename', '$surname', '$gender', '$email', '$password', '$city', '$team', '$bio')";
        if (mysqli_query($conn, $insertsql)) {
            echo "Records added successfully.";
        } else {
            echo "ERROR: Could not execute $insertsql. " . mysqli_error($conn);
        }
    }

    // close connection
    mysqli_close($conn);
    ?>

    <div class="wrapper">
        <h1>Register, it's free!</h1>
        <div>
            <?php
            if (isset($error_message)) {
                echo "<h2>" . $error_message . "</h2>";
            }
            ?>
        </div>
    </div>
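As an added example, not part of the question or the answer above: the same registration flow rewritten to use mysqli prepared statements instead of mysqli_real_escape_string, to collect every validation failure in an array rather than overwriting one $error_message, and to hash the password before storing it. The table name User and the U_* column names follow the answer's code; the connection settings and the user_team field name are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the answer's code. Assumes the form field names used
// in the question and the User table / U_* columns from the answer;
// connection settings are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli("localhost", "root", "", "demo");
$conn->set_charset("utf8mb4");

// Returns [values, errors]: trimmed field values and a list of messages.
function validate_registration(array $post): array
{
    $required = [
        'user_forename' => 'forename',
        'user_surname'  => 'surname',
        'user_gender'   => 'gender',
        'user_email'    => 'email',
        'user_password' => 'password',
        'user_city'     => 'city',
        'user_team'     => 'team',      // assumed field name
        'user_bio'      => 'Biography',
    ];
    $values = [];
    $errors = [];
    foreach ($required as $field => $label) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '') {
            $errors[] = "Please enter $label";
            continue;
        }
        $values[$field] = $value;
    }
    if (isset($values['user_email'])
        && filter_var($values['user_email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = "Please enter valid email";
    }
    return [$values, $errors];
}

function email_taken(mysqli $conn, string $email): bool
{
    // The value is bound separately from the SQL text, so input such as
    // x' OR '1'='1 is compared as a literal string and cannot change the query.
    $stmt = $conn->prepare("SELECT 1 FROM User WHERE U_Email = ? LIMIT 1");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    return $taken;
}

function insert_user(mysqli $conn, array $v): void
{
    // Never store the password itself; store a salted hash.
    $hash = password_hash($v['user_password'], PASSWORD_DEFAULT);
    $stmt = $conn->prepare(
        "INSERT INTO User (U_Forename, U_Surname, U_Gender, U_Email,
                           U_Password, U_City, U_Team, U_Biography)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
    );
    $stmt->bind_param(
        "ssssssss",
        $v['user_forename'], $v['user_surname'], $v['user_gender'], $v['user_email'],
        $hash, $v['user_city'], $v['user_team'], $v['user_bio']
    );
    $stmt->execute();
    $stmt->close();
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$values, $errors] = validate_registration($_POST);
    if (!$errors && email_taken($conn, $values['user_email'])) {
        $errors[] = "email is already taken!";
    }
    if (!$errors) {
        insert_user($conn, $values);
        echo "Records added successfully.";
    }
}
$conn->close();
?>
<div class="wrapper">
    <h1>Register, it's free!</h1>
    <div>
    <?php foreach ($errors as $e): ?>
        <h2><?= htmlspecialchars($e, ENT_QUOTES, 'UTF-8') ?></h2>
    <?php endforeach; ?>
    </div>
</div>
```

Prepared statements remove the two weak points of the escaping approach shown in the answer: mysqli_real_escape_string only protects a value that ends up inside a quoted string literal (the unquoted values in the answer's original INSERT would still be injectable), and its output depends on the connection charset being set correctly. Collecting errors in an array also makes the "which message am I seeing" question moot, since every failed field is reported rather than only the last one assigned.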