<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="ureviewdu"; // Database name
$tbl_name="Student"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
/* Obliterate bad input */
$secUser = mysql_real_escape_string($_POST['reguser']);
$badpasses = $_POST['regpass'];
$salt = '~Z`!@#$%I^&*()_-+Q=}]{[\|"><';
$secPass = md5($badpasses.$salt);
$sql = "INSERT INTO Student (uname, pass, fname, lname, email, currGrade) VALUES('$secUser','$secPass','$_POST[regfirst]','$_POST[reglast]','$_POST[regemail]','$_POST[regclassrank]')";
$result = mysql_query($sql);
if ($result) {
echo "Thanks for signing up!";
} else {
echo "Failed.";
}
?>
HTML
<form action="inc/register/register.php" method="post" id="userRegistration">
<div class="cen"><h5>User Credentials</h5></div>
<div class="field required">
Username: <input type="text" name="reguser" tabindex="1" /><br />
</div>
<div class="field required">
Password: <input type="password" name="regpass" tabindex="2" /><br />
</div>
<div class="cen"><h5>User Details</h5></div>
<div class="field required">
First Name:<input type="text" name="regfirst" tabindex="3" /><br />
</div>
<div class="field required">
Last Name:<input type="text" name="reglast" tabindex="4" /><br />
</div>
<div class="field required">
Email:<input type="text" name="regemail" tabindex="5" /><br />
</div>
<div class="field required">
Current Class:<select name="regclassrank" tabindex="6">
<option disabled="disabled">Select Class</option>
<option value="1">Freshman</option>
<option value="2">Sophomore</option>
<option value="3">Pre-Junior</option>
<option value="4">Junior</option>
<option value="5">Senior</option>
<option></option>
</select>
</div>
<br />
<div class="cen"><input type="submit" name="submitUser" /></div>
</form>
有人看到这个有什么问题吗?它提交正常,但没有任何东西被插入数据库......
答案 0 :(得分:2)
您必须使用mysql_query执行查询。
$sql = "INSERT INTO Student (uname, pass, fname, lname, email, currGrade) VALUES('$secUser','$secPass','$_POST[regfirst]','$_POST[reglast]','$_POST[regemail]','$_POST[regclassrank]')";
$result = mysql_query($sql);
if ($result) {
echo "Thanks for signing up!";
} else {
echo "There was an error processing your request. Please try again.";
}
答案 1 :(得分:1)
您正在创建一个允许SQL注入(安全问题)的SQL字符串(以最坏的方式),然后将其分配给变量'$ sql'。
就是这样。我没有看到你以任何其他方式使用该字符串。你当然不会把它提交给mysql。
答案 2 :(得分:1)
另一种方法是使用PDO ......
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="ureviewdu"; // Database name
$tbl_name="Student"; // Table name
$return='';
if(isset($_POST)){
$continue=true;
if(empty($_POST['reguser']) || strlen($_POST['reguser']) < 3){$continue=false;}
if(empty($_POST['regpass']) || strlen($_POST['regpass']) < 6){$continue=false;}
if(empty($_POST['regfirst']) || strlen($_POST['regfirst']) < 3){$continue=false;}
if(empty($_POST['reglast']) || strlen($_POST['reglast']) < 3){$continue=false;}
if(empty($_POST['regemail']) || filter_var($_POST['regemail'], FILTER_VALIDATE_URL)==false){$continue=false;}
if(empty($_POST['regclassrank']) || is_int($_POST['regclassrank'])==false){$continue=false;}
if($continue===true){
//Attempt to insert
try{
$dbh = new PDO("mysql:host=$host;dbname=$db_name", $username, $password);
/*** set the error reporting attribute ***/
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
/*** variables ***/
foreach($_POST as $key=>$value){
if(get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
$values[$key]=$value;
}
/*** prepare the SQL statement ***/
$stmt = $dbh->prepare("INSERT INTO $tbl_name (uname, pass, fname, lname, email, currGrade)
VALUES(:uname,:upass,:fname,:lname,:email,:currGrade)");
/*** bind the paramaters ***/
$salt = '~Z`!@#$%I^&*()_-+Q=}]{[\|"><';
$stmt->bindParam(':uname', $values['reguser']);
$stmt->bindParam(':upass', sha1($salt.$values['regpass']));
$stmt->bindParam(':fname', $values['regfirst']);
$stmt->bindParam(':lname', $values['reglast']);
$stmt->bindParam(':email', $values['regemail']);
$stmt->bindParam(':currGrade', (int)$values['regclassrank']);
/*** execute the prepared statement ***/
$stmt->execute();
$return='Thanks for signing up!';
/*** close the database connection ***/
$dbh = null;
}catch(PDOException $e){
$return='Failed:'. $e->getMessage();
}
}else{
$return='All fields are required';
}
}
echo $return.
'<form ...........';
?>