一个家伙说我需要在我的代码中使用预处理语句,因为它比现在的操作更安全,更好。
我只做过php / mysqli代码,没有准备好的语句 例如,这是我的server.php代码之一
<?php
session_start();
// variable declaration
$username = "";
$email = "";
$errors = array();
$_SESSION['success'] = "";
// connect to database
$db = mysqli_connect('localhost', 'root', 'root', 'root');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
$steamid = mysqli_real_escape_string($db, $_POST['steamid']);
$age = mysqli_real_escape_string($db, $_POST['age']);
$rank = mysqli_real_escape_string($db, $_POST['rank']);
$scode = mysqli_real_escape_string($db, $_POST['scode']);
// form validation: ensure that the form is correctly filled
if (empty($username)) { array_push($errors, "Username is required"); }
if (empty($email)) { array_push($errors, "Email is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO users (username, usertype, email, password, steamid, age, rank, scode)
VALUES('$username', '$usertype', '$email', '$password', '$steamid', '$age', '$rank', '$scode')";
mysqli_query($db, $query);
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}
}
?>
我如何才能使此代码带有“准备好的语句”,有人可以仅在此示例的帮助下帮助我?如果我获得了此代码的最终结果,我真的需要您的帮助,我将了解如何使用它,并且将更加致力于重新编码我的代码(全部)
谢谢您的回答。
答案 0 :(得分:-1)
默认情况下,您可以使用PDO做准备好的语句,而PDO是php的一部分。 您的代码可能如下所示:
<?php
session_start();
// variable declaration
$username = "";
$email = "";
$errors = array();
$_SESSION['success'] = "";
// connect to database
$db = mysqli_connect('localhost', 'root', 'root', 'root');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
if (empty($_POST['username'])) { array_push($errors, "Username is required"); }
if (empty($_POST['email'])) { array_push($errors, "Email is required"); }
if (empty($_POST['password_1'])) { array_push($errors, "Password is required"); }
if ($_POST['password_1']!= $_POST['password_2']) {
array_push($errors, "The two passwords do not match");
}
// register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($_POST['password_1']);//encrypt the password before saving in the database
$pdo = new PDO('mysql:host=localhost;dbname=yourdbname', 'yourdbusername', 'yourdbpass');
$stmt = $pdo->prepare("INSERT INTO users (username, usertype, email, password, steamid, age, rank, scode) VALUES (:username, :usertype, :email, :password, :steamid, :age, :rank, :scode)");
$stmt->bindValue(':username', $_POST['username']);
$stmt->bindValue(':usertype', $_POST['usertype']);
$stmt->bindValue(':email', $_POST['email']);
$stmt->bindValue(':password', $_POST['password']);
$stmt->bindValue(':steamid', $_POST['steamid']);
$stmt->bindValue(':age', $_POST['age']);
$stmt->bindValue(':rank', $_POST['rank']);
$stmt->bindValue(':scode', $_POST['scode']);
$result = $stmt->execute();
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}
}
?>
您也可以使用?符号代替:propname模式,这是个人喜好问题。
bindValue()的作用与使用mysqli_real_escape_string所做的基本上相同。它使您的变量SQL安全,以防止SQL注入。 您可以在此处找到有关PHP的更多信息: https://www.php.net/manual/en/book.pdo.php
这是值得学习的东西,据我所知,这是最常用的数据库处理工具