使用PHP API插入MySQL数据库

Question

继以下this教程，了解如何为Android创建API。检查了我的DB_Functions.php文件，一切正常连接并正常运行（90％确定）。为确保帖子正常工作，我使用名为Postman的Chrome加载项。 This我在网上发现的其他问题与我的问题类似。这是我输入/收到的。
下面是代码

<?php 

/* 
Function tests 

require_once 'include/DB_Functions.php'; 
$db = new DB_Functions(); 

$insert = $db->storeUser("InsertTest", "input@test.com", "apple"); 
print_r($insert); 

$user = $db->getUserByEmailAndPassword("input@test.com", "apple"); 
print_r($user); 

$exist = $db->isUserExisted("input@test.com"); 
echo $exist; */ 

/** 
* File to handle all API requests 
* Accepts GET and POST 
* 
* Each request will be identified by TAG 
* Response will be JSON data 

/** 
* check for POST request 
*/ 

if (isset($_POST['tag']) && $_POST['tag'] != '') { 
$tag = $_POST['tag']; 

require_once 'include/DB_Functions.php'; 
$db = new DB_Functions(); 
$response = array("tag" => $tag, "error" => FALSE); 

// check for tag type 
if ($tag == 'login') { 
    // Request type is check Login 
    $email = $_POST['email']; 
    $password = $_POST['password']; 

    // check for user 
    $user = $db->getUserByEmailAndPassword($email, $password); 
    if ($user != false) { 
     // user found 
     $response["error"] = FALSE; 
     $response["uid"] = $user["unique_id"]; 
     $response["user"]["name"] = $user["name"]; 
     $response["user"]["email"] = $user["email"]; 
     $response["user"]["created_at"] = $user["created_at"]; 
     $response["user"]["updated_at"] = $user["updated_at"]; 
     echo json_encode($response); 
    } else { 
     // user not found 
     // echo json with error = 1 
     $response["error"] = TRUE; 
     $response["error_msg"] = "Incorrect email or password!"; 
     echo json_encode($response); 
    } 
} else if ($tag == 'register') { 
    // Request type is Register new user 
    $name = $_POST['name']; 
    $email = $_POST['email']; 
    $password = $_POST['password']; 

    // check if user is already existed 
    if ($db->isUserExisted($email)) { 
     // user is already existed - error response 
     $response["error"] = TRUE; 
     $response["error_msg"] = "User already existed"; 
     echo json_encode($response); 
    } else { 
     // store user 
     $user = $db->storeUser($name, $email, $password); 
     if ($user) { 
      // user stored successfully 
      $response["error"] = FALSE; 
      $response["uid"] = $user["unique_id"]; 
      $response["user"]["name"] = $user["name"]; 
      $response["user"]["email"] = $user["email"]; 
      $response["user"]["created_at"] = $user["created_at"]; 
      $response["user"]["updated_at"] = $user["updated_at"]; 
      echo json_encode($response); 
     } else { 
      // user failed to store 
      $response["error"] = TRUE; 
      $response["error_msg"] = "Error occured in Registartion"; 
      echo json_encode($response); 
     } 
    } 
} else { 
    // user failed to store 
    $response["error"] = TRUE; 
    $response["error_msg"] = "Unknown 'tag' value. It should be either  'login' or 'register'"; 
    echo json_encode($response); 
} 
} else { 
$response["error"] = TRUE; 
$response["error_msg"] = "Required parameter 'tag' is missing!"; 
echo json_encode($response); 
} 
?> 

而且DB_Functions.php代码

<?php 

class DB_Functions{ 

private $db; 
public $connection; 

function __construct(){ 
    require_once ('DB_Connect.php'); 
    $this->db = new DB_Connect(); 
    $this->connection = $this->db->connect(); 
} 

function __destruct(){ 

} 

public function storeUser($name, $email, $password){ 
    $uuid = uniqid('', true); 
    $hash = $this->hashSSHA($password); 
    $encrypted_password = $hash["encrypted"]; 
    $salt = $hash["salt"]; 
    $sql = "INSERT INTO users(unique_id, name, email, encrypted_password, salt, created_at) 
    VALUES ('$uuid', '$name', '$email', '$encrypted_password', '$salt', NOW())"; 
    $result = $this->connection->query($sql); 

    if($result){ 
     $uid = mysqli_insert_id($this->connection); 
     $sql = "SELECT * FROM users WHERE uid = '" . $uid . "';"; 
     $result = $this->connection->query($sql); 
     return mysqli_fetch_array($result); 
    }else{ 
     return false; 
    } 
} 

public function getUserByEmailAndPassword($email, $password){ 
    $sql = "SELECT * FROM users WHERE email = '" . $email . "';"; 
    $result = $this->connection->query($sql); 
    $no_of_rows = mysqli_num_rows($result); 

    if($no_of_rows > 0){ 
     $result = mysqli_fetch_array($result); 
     $salt = $result['salt']; 
     $encrypted_password = $result['encrypted_password']; 
     $hash = $this->checkhashSSHA($salt, $password); 

     if($encrypted_password == $hash){ 
      return $result; 
     } 
    }else{ 
     return false; 
    } 
} 

public function isUserExisted($email){ 
    $sql = "SELECT * FROM users WHERE email = '" . $email . "';"; 
    $result = $this->connection->query($sql); 
    $no_of_rows = mysqli_num_rows($result); 

    if($no_of_rows > 0){ 
     return true; 
    }else{ 
     return false; 
    } 
} 

public function hashSSHA($password){ 
    $salt = sha1(rand()); 
    $salt = substr($salt, 0, 10); 
    $encrypted = base64_encode(sha1($password . $salt, true) . $salt); 
    $hash = array("salt" => $salt, "encrypted" => $encrypted); 
    return $hash; 
} 

public function checkhashSSHA($salt, $password){ 
    $hash = base64_encode(sha1($password . $salt, true) . $salt); 
    return $hash; 
} 

} 
?> 

有谁知道为什么邮政不工作？

Answer 1

你没有做一个真正的职位。它可能使用http POST动词，但是你将数据填充到请求中作为标题，这是错误的。 POST请求看起来像

header1: value1 
header2: value2 
... 
headerN: valueN 

field1=value1&field2=value2&etc.... 

既然你不发送身体您的文章，有NO数据PHP挑开，并加载到$ _ POST。

最重要的是，您可以在sql injection attacks的范围内开放。