我想让我的网站免受sql注入。所以我决定改变我的代码并用准备好的语句替换它。我认为我在下面的代码中犯了一个小错误。在连接数据库期间准备的语句
<?php
session_start();
$host= 'localhost';
$user='root';
$pass='';
$db='gameforum';
$conn= mysqli_connect($host, $user, $pass, $db);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$username = $_POST['username'];
$password = $_POST['password'];
$rpassword = $_POST['rpassword'];
$email = $_POST['email'];
if ($password!==$rpassword) {
$_SESSION['err']="Passwords did not match, please try again!";
header("Location: index.php");
$conn->close();
}
else {
$stmt = $conn->prepare("INSERT INTO users (username, password, rpassword, email) VALUES (?, ?, ?, ?)");
if(!$stmt){
echo "false";
}else {
$stmt->bind_param("ssss", $username, $password, $rpassword, $email);
if ($stmt->execute === TRUE) {
$redirectUrl = 'index.php';
$_SESSION['registrationsuccessful']="Your account was successfully created! You may now log in to your account.";
header("Location: index.php");
}else{
$_SESSION['alreadyexists']="Username or email already exists!";
header("Location: index.php");
$stmt->close();
$conn->close();
}
$stmt->close();
$conn->close();
}
}
我现在面临的问题是,我得到消息“用户已存在”当我试图创建一个实际上并不存在的账号。谢谢!
不要调用'$ stmt-> execute()'两次 - 而是将它分配给一个变量并测试它是否为真 – RamRaider