下午好! 我试图在我的网页上进行注册,我有一个问题 - 注册正在发生,但它可以创建多个用户具有相同的符号和相同的电子邮件,并且在密码不匹配时不会出错。
这是表格 -
<form action = "register.php" method = "post">
Select username:<br>
<input type = "text" name = "username"><br>
Your e-mail:<br>
<input type = "email" name = "email"><br>
Set password:<br>
<input type = "password" name = "password1"><br>
Repeat password:<br>
<input type = "password" name = "password2"><br>
<button> </button>
</form>
这是PHP代码 -
<?php
if (isset($_POST['username']) && isset($_POST['email']) && isset($_POST['password1']) && isset($_POST['password2'])){
$query = 'select * from users where username = "'.addslashes($_POST['username']).'"';
$numrows = mysqli_num_rows($link,$query);
if($numrows == 0){
$query_mail = 'select * from users where email = "'.addslashes($_POST['email']).'"';
$numrows_mail = mysqli_num_rows($link,$query_mail);
if($numrows_mail == 0){
if(isset($_POST['password1']) == isset($_POST['password2'])){
$sql = 'INSERT INTO users (username,password,email) VALUES("'.addslashes($_POST['username']).'","'.addslashes($_POST['password1']).'","'.addslashes($_POST['email']).'")';
$result = mysqli_query($link,$sql) or die(mysqli_error($link));
if($result){
echo 'Account sucsessfully created! You can now log in.';
}else{
var_dump($result);
}
}else {
echo 'Passwords must match!';
}
}else {
echo 'E-mail allready registered!';
}
}else{
echo 'Username allready in use!';
}
}
?>
有人可以解释这里的错误吗?
答案 0 :(得分:1)
我对您的代码进行了一些修改,以便您了解如何将参数化查询与占位符一起使用。 这是非常重要的安全性,你不应该“稍后添加”,因为它很可能永远不会完成。以下代码段也可以正确显示您的密码,因为这也是非常重要。永远不应忽视安全性,并且在构建应用程序时始终是您首先想到的。
<?php
if (isset($_POST['username'], $_POST['email'], $_POST['password1'], $_POST['password2'])) {
$errors = array();
$stmt = $link->prepare("SELECT COUNT(id) FROM users WHERE username=?");
$stmt->bind_param("s", $_POST['username']);
$stmt->execute();
$stmt->bind_result($count_username);
$stmt->fetch();
$stmt->close;
$stmt = $link->prepare("SELECT COUNT(id) FROM users WHERE email=?");
$stmt->bind_param("s", $_POST['email']);
$stmt->execute();
$stmt->bind_result($count_email);
$stmt->fetch();
$stmt->close;
if ($count_username)
$error[] = "That username already exists";
if ($count_email)
$error[] = "That email already exists";
if ($_POST['password1'] !==$_POST['password2'])
$errors[] = "Passwords doesn't match";
if (empty($errors)) {
$password = password_hash($_POST['password1'], PASSWORD_DEFAULT);
$stmt = $link->prepare("INSERT INTO users (username, password, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $_POST['username'], $_POST['email'], $password);
if (!$stmt->execute()) {
if ($db->errno == 1062) {
/* Some unique values in the database was attempted inserted, might want to add some error-handling */
}
} else {
/* Execution of query failed, TODO: add error-handling */
}
$stmt->close();
} else {
foreach ($errors as $e)
echo $e."\n";
}
}
注意:使用
password_hash()
时,您的密码列的长度至少应为255,当您稍后验证登录时,必须按password_verify()
进行验证 - 手册保留关于如何做到这一点的例子。
我建议您仔细阅读这些链接,因为它们与登录系统高度相关,但通常会处理用户输入和密码。
答案 1 :(得分:0)
执行此操作时if(isset($_POST['password1']) == isset($_POST['password2']))
检查是否存在,或者两者都不存在,如果要检查密码是否匹配,则必须将其更改为if($_POST['password1'] == $_POST['password2'])
。