-1
我想为我的网站做一个PHP注册,我试图将使用mysql的旧脚本转换为mysqli。当我在任何文本字段中输入任何字母(abc)时,数据未导入到数据库中时出现问题。如果我在所有的盒子中使用数字(123),那么它就可以正常导入。我已经尝试将它与一些字母作为密码的用户名和数字进行混合,以查看是否只有一个文本框导致了问题,但任何带有字母的框都会导致脚本无法工作。Mysqli没有导入字母
这是我的PHP脚本:
<?php
$mysqli = new mysqli("localhost","root","","users_db");
if ($mysqli->connect_errno) {
echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
/* Define username */
if(isset($_POST['username'])){
$username = $_POST['username'];
}
/* Define email */
if(isset($_POST['email'])){
$email = $_POST['email'];
}
/* Define password */
if(isset($_POST['password'])){
$password = $_POST['password'];
}
/* Define cpassword */
if(isset($_POST['cpassword'])){
$cpassword = $_POST['cpassword'];
}
if (trim($username) == ''){
echo 'No username entered.';
exit();
}
if (strlen($username) <= 5 || strlen($username) >= 30){
echo 'Username needs to be between 5 and 30 characters';
exit();
}
if (trim($email) == ''){
echo 'No email entered.';
exit();
}
if (trim($password) == ''){
echo 'Invalid password.';
exit();
}
if ($password != $cpassword){
echo 'Passwords do not match';
exit();
}
$run = mysqli_query($mysqli, "SELECT * FROM users WHERE username='$username'");
if (mysqli_num_rows($run)>0){
echo 'Username already exists';
exit();
}
$import = "INSERT INTO users (username,email,password) VALUES ($username,$email,$password)";
if (mysqli_query($mysqli, $import)){
echo 'Registration Successful';
$result = mysqli_query($mysqli, "SELECT * FROM users WHERE username='$username'");
$row = mysqli_fetch_array($result);
$id = $row['id'];
mkdir("../users/" . $id, 0777, true);
fopen("../users/" . $id . "/" . "New User.txt", "w") or die("Unable to create file");
}else{
echo 'Failed to import';
}
?>
我很新的PHP和mysqli的,所以如果我做了一些愚蠢的:)
您有一个SQL注入漏洞。 – SLaks 2014-09-01 18:39:03
阅读关于使用绑定变量的准备语句的几个教程:不仅可以保护自己免受SQL注入的攻击,还可以不用担心引用字符串 – 2014-09-01 18:41:08
**不要以纯文本形式存储密码** – SLaks 2014-09-01 18:41:22