Question

我正在尝试转换我的mysqli数据库，该数据库非常容易受到PDO预处理语句的攻击。我想我几乎得到了它，因为它实际上将注册数据输入数据库而不是其他数据库。所以我认为这些查询肯定存在一些问题，但我无法弄清楚。以下是我的代码。

<?php
session_start();
// DATABASE CONNECTION
$user = '****';
$pass = '****';

//CREATE CONNECTION
// $conn = new mysqli($dbserver, $dbusername, $dbpassword, $db);
$pdo = new PDO('mysql:host=localhost;dbname=****', $user, $pass);



// ASSIGN VARIABLE FROM FORM
$username = $_POST['username'];
$password = $_POST['password'];
$email    = $_POST['email'];

$password = password_hash($password, PASSWORD_BCRYPT);

// CHECK IF USER IS UNIQUE

    $stmt = $pdo->prepare("SELECT username FROM users WHERE username = :name");
    $stmt->bindParam(':name', $username);
    $stmt->execute();

    if ($stmt->rowCount() > 0) {
        echo "That username already exist!";
    } else {
        //INSERT DATA INTO DATABASE
        $sql = "INSERT INTO users ( username, password, email )
    VALUES ( :username, :password, :email )";
        $sql1 = "INSERT INTO stats (id, username)
VALUES ((SELECT id FROM users WHERE username=':username'), (SELECT username FROM users WHERE username=':username'))";
        $sql2 = "INSERT INTO progression (id, username)
VALUES ((SELECT id FROM users WHERE username=':username'), (SELECT username FROM users WHERE username=':username'))";
        $sql3 = "INSERT INTO powervalues (id, username)
VALUES ((SELECT id FROM users WHERE username=':username'), (SELECT username FROM users WHERE username=':username'))";


        // EXECUTE AND PREPARE
        $query = $pdo->prepare($sql);
        $query1 = $pdo->prepare($sql1);
        $query2 = $pdo->prepare($sql2);
        $query3 = $pdo->prepare($sql3);
        $result = $query->execute(array( ':username'=>$username, ':password'=>$password, ':email'=>$email ));
        $result1 = $query1->execute(array( ':username'=>$username ));
        $result2 = $query2->execute(array( ':username'=>$username ));
        $result3 = $query3->execute(array( ':username'=>$username ));
        //EXECUTE QUERY
        if ($result && $result1 && $result2 && $result3) {
            $_SESSION['Accountsucess'] = "Account has been added sucessfully.";
            header("location: ../../index.php?page=index");
        } else {
            echo "Error database failure";
        }
    }

Answer 1

在用户表中插入用户后，不再连续选择各种信息部分，而是获取最后一个插入ID，然后在后续调用中使用...

  $sql = "INSERT INTO users ( username, password, email )
    VALUES ( :username, :password, :email )";
  $sql1 = "INSERT INTO stats (id, username)
    VALUES (:id,:username)";


    // EXECUTE AND PREPARE
    $query = $pdo->prepare($sql);
    $query1 = $pdo->prepare($sql1);

    $result = $query->execute(array( ':username'=>$username, ':password'=>$password, ':email'=>$email ));
    // Fetch id of new user
    $id = $pdo->lastInsertId();
    $result1 = $query1->execute(array( ':id' => $id, ':username'=>$username ));

对每个其他陈述重复相同的逻辑。

如何判断哪个查询有错误？

1 个答案: