正确创建寄存器功能

时间:2018-01-14 23:26:28

标签: php post

我正在尝试创建一个网站,我有一个用户数据库,其中我有以下功能:

function createUser($nome, $email, $morada, $username, $password) {
    global $conn;
    $stmt = $conn->prepare("INSERT INTO utilizador (nome, email, morada,  permissao, username, password)
                                                VALUES ('".$nome."', '".$email."', '".$morada."', '2', '".$username."', '".$password."')");
    $stmt->execute(array($nome, $morada, $contacto, $permissao, $username, $password));
}

function isLoginCorrect($username, $password) {
    global $conn;
    $stmt = $conn->prepare("SELECT * FROM utilizador WHERE username = '".$username."' AND password = '".$password."'");
    $stmt->execute();
    return $stmt->fetch() == true;
}

function getPermissao($username){
    global $conn;
    $stmt = $conn->prepare("SELECT permissao
                            FROM utilizador
                            WHERE username = '".$username."'"
                          );
    $stmt->execute(array($username));
    return $stmt->fetchColumn(0);
}

我在注册时遇到麻烦:

    if (!$_POST['nome'] || !$_POST['email'] || !$_POST['morada'] || !$_POST['username'] || !$_POST['password']) {
          $_SESSION['error_messages'][] = 'Deve preencher todos os campos obrigatórios';
          //Guardar dados do formulário e redirecionar
          $_SESSION['form_values'] = $_POST;
          header("Location: $BASE_URL" . 'pages/users/register.php');
          exit;
        }

    // Variáveis post ( & Sanitize )
    $nome         = strip_tags($_POST['nome']);
    $contacto     = strip_tags($_POST['email']);
    $email       = strip_tags($_POST['morada']);
    $username     = strip_tags($_POST['username']);
    $password     = $_POST['password'];

    //Criar novo utilizador


  createUser($nome, $morada, $contacto, $username, $password);


        // Erros nos campos
        if (strpos($e->getMessage(), 'cliente_username_key') !== false) {
        $_SESSION['error_messages'][] = 'Ocorreu um erro ao efetuar o registo';
        $_SESSION['field_errors']['username'] = 'O Username introduzido já existe';
        }

    //Erro genérico
    else $_SESSION['error_messages'][] = 'Ocorreu um erro ao efetuar o registo';



    //Guardar dados do formulário & redirecionar
    $_SESSION['form_values'] = $_POST;
    header("Location: $BASE_URL" . 'pages/users/register.php');
    exit;


    // Registo efetuado com sucesso
    $_SESSION['success_messages'][] = 'Registo efetuado com sucesso';
    header("Location: $BASE_URL");

我的数据库已正确连接,我可以登录,但我无法注册,并收到以下错误:

  

致命错误:未捕获的异常' PDOException'与消息   ' SQLSTATE [08P01]:<>:7错误:绑定消息提供6   参数,但准备好的声明" pdo_stmt_00000001"要求0'在   /usr/users2/mieec2012/ee12083/public_html/trabalhosSiem/trabalhoPHP2/database/users.php:7   堆栈跟踪:#0   /usr/users2/mieec2012/ee12083/public_html/trabalhosSiem/trabalhoPHP2/database/users.php(7):   PDOStatement->执行(数组)#1   /usr/users2/mieec2012/ee12083/public_html/trabalhosSiem/trabalhoPHP2/actions/users/register.php(27):   createUser(' cliente',NULL,' iii @ ...',' cliente',' cliente')#2 {main}   投入   /usr/users2/mieec2012/ee12083/public_html/trabalhosSiem/trabalhoPHP2/database/users.php   第7行

1 个答案:

答案 0 :(得分:0)

您的问题是,您正在babel-eslint@7.2.1发送prepared statementsplaceholders尚未发送values {/ 1}}。

要做出正确的execute(),您可以执行以下操作:

PDO prepared statement

然后像这样执行:

$stmt = $conn->prepare("INSERT INTO utilizador 
        (nome, email, morada,  permissao, username, password) 
 VALUES (:nome, :email, :morada, :permissao, :username, :password)");

为您的所有陈述执行此操作。

不要将变量直接添加到预准备语句,而是使用占位符,稍后再使用这些值执行。否则您很容易 $stmt->execute(array('nome' => $nome, 'email' => $email, 'morada' => $morada, 'permissao' => '2', 'username' => $username, 'password' => $password));

SQL injection!

  

不需要引用准备语句的参数;驱动程序自动处理这个。如果应用程序专门使用预准备语句,开发人员可以确保不会发生SQL注入(但是,如果使用非转义输入构建查询的其他部分,仍然可以进行SQL注入)。

更多信息:http://php.net/pdo.prepared-statements

相关问题
最新问题