问题是,无论如何在我的数据库中创建的用户名和密码,如何防止这种情况?我是新手所以我不太了解PHP。
if (isset($_POST['username']) && isset($_POST['password']))
{
$username = $_POST["username"];
$password = $_POST["password"];
RegisterErrors($username , $password);
$query = "INSERT INTO users (Username,Password) VALUES ('{$username}','{$password}')";
$query_result = mysqli_query($connection , $query);
echo "added";
}
以下是验证表单注册的功能:
function RegisterErrors($username , $password)
{
if (null == $_POST["username"] || null == $_POST["password"])
{
echo "username or password cant be empty";
return false;
}
if (empty($_POST["username"]) || empty($_POST["password"]))
{
echo "username or password cant be empty";
return false;
}
if (strlen($_POST["username"]) > 14)
{
echo "username must be less than 14 character";
return false;
}
if (strlen($_POST["password"]) < 6)
{
echo "password must be at least 6 character";
return false;
}
}
答案 0 :(得分:2)
相反,您应该检查验证/检查错误并将它们存储在数组中,然后只需检查该数组是否为空。
这不仅允许您一次性检查,而且允许您以所需的格式向用户显示特定错误,同时您应该使用准备好的查询来阻止SQL注入或逃避报价等问题。
eu-central-1错误将是一个数组,您可以将元素放在表单中的正确位置。
<?php
function RegisterErrors($username, $password) {
$errors = [];
// validate username
if (empty($username)) {
$errors['username'] = "username cant be empty";
} elseif (strlen($username) > 14) {
$errors['username'] = "username must be less than 14 character";
}
// validate password
if (empty($password)) {
$errors['password'] = "password cant be empty";
} elseif (strlen($password) < 6) {
$errors['password'] = "password must be at least 6 character";
}
return $errors;
}
if (isset($_POST['username']) && isset($_POST['username'])) {
$username = $_POST["username"];
$password = $_POST["password"];
$errors = RegisterErrors($username, $password);
if (empty($errors)) {
$stmt = $connection->prepare('INSERT INTO users (Username,Password) VALUES (?, ?)');
$stmt->bind_param('ss', $username, password_hash($password, PASSWORD_DEFAULT));
$stmt->execute();
echo "added";
}
}
?>
修改:因为我已添加password_hash(),您需要通过用户名将您的登录代码更改为<?= (!empty($errors['username']) ? $errors['username'] : null) ?>
,然后使用password_verify ($_POST['password'], $dbresult['password'])检查$ _POST&#39密码?
有关此处的更多信息:Best way to store password in database
答案 1 :(得分:0)
您不使用错误检查功能中返回的值。
所以,在最后RegisterErrors添加}之前return true;的底部,然后:
if (isset($_POST['username']) && isset($_POST['username']))
{
$username = $_POST["username"];
$password = $_POST["password"];
$test=RegisterErrors($username , $password);//get the value returned, true\false; dont need to parse variables when your using the globals.
if($test){// if true, passed the tests then insert
$query = "INSERT INTO users (Username,Password) VALUES ('{$username}','{$password}')";
$query_result = mysqli_query($connection , $query);
echo "added";
}
}
答案 2 :(得分:0)
if (isset($_POST['username']) && isset($_POST['password']))
{
$username = $_POST["username"];
$password = $_POST["password"];
if(RegisterErrors($username , $password)){
$query = "INSERT INTO users (Username,Password) VALUES ('{$username}','{$password}')";
$query_result = mysqli_query($connection , $query);
echo "added";
}
}
function RegisterErrors($username , $password)
{
if (null == $username || null == $password)
{
echo "username or password cant be empty";
return false;
}
if (empty($username) || empty($password))
{
echo "username or password cant be empty";
return false;
}
if (strlen($username) > 14)
{
echo "username must be less than 14 character";
return false;
}
if (strlen($password) < 6)
{
echo "password must be at least 6 character";
return false;
}
return true;
}