1. 首页
  2. 问答
  3. 在连接数据库期间准备的语句

在连接数据库期间准备的语句

2017-06-18 26 views
0

我想让我的网站免受sql注入。所以我决定改变我的代码并用准备好的语句替换它。我认为我在下面的代码中犯了一个小错误。在连接数据库期间准备的语句

<?php 
session_start(); 


$host= 'localhost'; 
$user='root'; 
$pass=''; 
$db='gameforum'; 


$conn= mysqli_connect($host, $user, $pass, $db); 
    if ($conn->connect_error) { 
     die("Connection failed: " . $conn->connect_error); 
} 

    $username = $_POST['username']; 
    $password = $_POST['password']; 
    $rpassword = $_POST['rpassword']; 
    $email = $_POST['email']; 

    if ($password!==$rpassword) { 
$_SESSION['err']="Passwords did not match, please try again!"; 
header("Location: index.php"); 
    $conn->close(); 
} 
else { 
    $stmt = $conn->prepare("INSERT INTO users (username, password, rpassword, email) VALUES (?, ?, ?, ?)"); 
    if(!$stmt){ 
      echo "false"; 
    }else { 
    $stmt->bind_param("ssss", $username, $password, $rpassword, $email); 
     if ($stmt->execute === TRUE) { 
     $redirectUrl = 'index.php'; 

    $_SESSION['registrationsuccessful']="Your account was successfully created! You may now log in to your account."; 
    header("Location: index.php"); 
}else{ 
    $_SESSION['alreadyexists']="Username or email already exists!"; 
header("Location: index.php"); 
    $stmt->close(); 
    $conn->close(); 
    } 
$stmt->close(); 
$conn->close(); 
} 
    }

我现在面临的问题是,我得到消息“用户已存在”当我试图创建一个实际上并不存在的账号。谢谢!

来源

2017-06-18 Daniel Smith

+0

不要调用'$ stmt-> execute()'两次 - 而是将它分配给一个变量并测试它是否为真 – RamRaider

回答

0

您已经执行了执行语句。删除其中一个。或者只检查执行语句中的一个是否成功

来源

2017-06-18 13:05:51 Akintunde007

+0

好吧我更新了上面的代码。我现在得到一个空白页面,现在这意味着$ stmt = $ conn-> prepare现在失败 –

0

我认为问题的原因是第二次使用$stmt->execute() - 但可以对代码进行一些其他修改。

创建数据库连接如果初始逻辑if ($password!==$rpassword)测试成功〜否则似乎毫无意义。我会为此使用一个会话变量而不是3 - 这可能会稍后更容易在其他页面上检查值。

将第一个$stmt->execute()的结果分配给一个变量,并在需要时在进一步的逻辑测试中使用该变量。

至于错误消息 - 显示详细的错误信息用于开发但从未投入生产 - 因此删除了$conn->connect_error。其他

一件事的proceduralobject orientated代码混合恐怕不是好的做法 - 更好地坚持一个或其他(OO很容易,我认为)

<?php 
    session_start(); 

    $username = $_POST['username']; 
    $password = $_POST['password']; 
    $rpassword = $_POST['rpassword']; 
    $email = $_POST['email']; 
    $_SESSION['registration_status']=""; 

    if ($password!==$rpassword) { 
     $_SESSION['registration_status']="Passwords did not match, please try again!"; 
     exit(header("Location: index.php")); 

    } else { 

     $host= 'localhost'; 
     $user='root'; 
     $pass=''; 
     $db='gameforum'; 


     $conn= mysqli_connect($host, $user, $pass, $db); 
     if($conn->connect_error) die("Connection failed"); 


     $stmt = $conn->prepare("INSERT INTO users (`username`, `password`, `rpassword`, `email`) VALUES (?, ?, ?, ?)"); 
     if($stmt){ 

      $stmt->bind_param("ssss", $username, $password, $rpassword, $email); 
      $result = $stmt->execute(); 

      /* use the return value from stmt->execute() */ 
      $_SESSION['registration_status'] = $result ? "Your account was successfully created! You may now log in to your account." : "Username or email already exists!"; 

      $stmt->close(); 
     } 

     $conn->close(); 

     exit(header("Location: index.php")); 
     } 
    } 
?>

来源

2017-06-18 13:12:22 RamRaider

0

你可以试试这个,

<?php 
// if session not start, start now 
!session_id() ? session_start() : null; 
$mysql_server = "localhost"; 
$mysql_user = "root"; 
$mysql_password = ""; 
$mysql_db = "gameforum"; 
// connect db connection 
$conn = new mysqli($mysql_server, $mysql_user, $mysql_password, $mysql_db); 
// chck if connection has error 
if ($conn->connect_errno) { 
    printf("Connection failed: %s \n", $conn->connect_error); 
    exit(); 
} 
// db encoding 
$conn->set_charset("utf8"); 
// when POST happen 
if (isset($_POST) && !empty($_POST)) { 
    // convert POST array key as PHP variable 
    extract($_POST); 
    // if password matched with confirm password 
    if ($password === $rpassword) { 
     // create insert query with prepare 
     $stmt = $conn->prepare("INSERT INTO users (username, password, rpassword, email) VALUES (?, ?, ?, ?)"); 
     // if prepare fine, there is no query or mysql error 
     if ($stmt) { 
      // bind real values 
      $stmt->bind_param("ssss", $username, $password, $rpassword, $email); 
      // if query executed 
      if ($stmt->execute()) { 
       // success message & redirect 
       $_SESSION['registrationsuccessful'] = "Your account was successfully created! You may now log in to your account."; 
       header("Location: index.php"); 
       exit(); 
      } else { 
       // query error & redirect 
       $_SESSION['alreadyexists'] = "There was an error or Username/Email already exists!"; 
       header("Location: index.php"); 
       exit(); 
      } 
     } 
    } else { 
     // password matched failed 
     $_SESSION['err'] = "Passwords did not match, please try again!"; 
     header("Location: index.php"); 
     exit(); 
    } 
}

我没有关闭连接,因为PHP会在脚本结束时关闭所有打开的文件和连接。

来源

2017-06-18 13:34:32

相关问题

 相关问题