Alright, here is the improved script. Please make sure you read all the comments and correct things where needed, because this is not ready-to-use code!
Change your connect.inc.php to (make sure you fill in all the required information):
<?php
$dbhost = ""; //MySQL host (usually: localhost)
$dbuser = ""; //MySQL user
$dbpass = ""; //MySQL password
$dbname = ""; //MySQL database name
$pdo = new PDO("mysql:host=".$dbhost.";dbname=". $dbname, $dbuser, $dbpass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>
Change hoping.php to:
<?php
require "connect.inc.php";
/*
Using md5 to hash a password is not secure.
I've written a much more secure function for password hashing (bcrypt).
However this requires your database to have enough room for it
(a bcrypt hash is 60 characters, an md5 hex digest is 32).
For example: `password` VARCHAR(128) NOT NULL
If you need to alter your database to make the room, please
execute this command in phpMyAdmin (change password to whatever
the column name is in your users table):
ALTER TABLE `users` MODIFY COLUMN `password` VARCHAR(128);
If your database has the room for this, please set the following
variable to true. Otherwise leave it false to keep using md5.
*/
$secureCrypt = false;
if(isset($_POST['login'])){
$sql = "SELECT * FROM users WHERE username = :user";
$pre = $pdo->prepare($sql);
//The login form field is called "username" (lowercase), so read that key
$pre->bindValue(":user", $_POST['username']);
if($pre->execute()){
$data = $pre->fetch();
//fetch() returns false when no such user exists; don't index into it
if($data === false){
echo "Invalid username or password!<br />";
} elseif($secureCrypt){
//Please correct 'column_name_here'.
//I was unable to do this for you because I lacked the column name
//where the passwords are stored.
//Passing the stored hash as the salt makes crypt() reuse its cost and salt,
//so the result must equal the stored hash exactly. Compare hashes with ===
//(or hash_equals() on PHP >= 5.6), never with ==.
if(crypt($_POST['Password'], $data['column_name_here']) === $data['column_name_here']){
echo "You have successfully logged in!<br />";
} else {
echo "Invalid password!<br />";
}
} else {
//=== is required here too: with == PHP compares numeric-looking strings such
//as "0e12345..." as numbers, so two different md5 digests can compare equal.
if(md5($_POST['Password']) === $data['column_name_here']){
echo "You have successfully logged in!<br />";
} else {
echo "Invalid password!<br />";
}
}
} else {
echo "\nMySQL returned error:\n";
print_r($pdo->errorInfo());
}
}
if(isset($_POST['register'])){
$error = false;
$error_text = "";
//Check names for illegal characters
// Allows A-Z, a-z, underscore(_), dots(.), spaces and dashes(-)
function nameRegex($var){
if(!preg_match("/^[a-zA-Z_\. \-]+$/i", $var)){
return true;
} else {
return false;
}
}
//Check usernames for illegal characters
// Allows A-Z, a-z, 0-9, underscore(_) and dashes(-)
function userRegex($var){
if(!preg_match("/^[0-9a-zA-Z_\-]+$/i", $var)){
return true;
} else {
return false;
}
}
//Check for valid mail address
function mailFilter($var){
if(filter_var($var, FILTER_VALIDATE_EMAIL) === false){
return true;
} else {
return false;
}
}
//Check if 2 values match
function matchValues($var1, $var2){
if($var1 != $var2){
return true;
} else {
return false;
}
}
//Check if username already exists
function checkUser($user){
//$pdo is defined in connect.inc.php at file scope; without this line it is
//undefined inside the function and prepare() is called on null
global $pdo;
$sql = "SELECT username FROM users WHERE username = :user";
$pre = $pdo->prepare($sql);
$pre->bindValue(":user",$user);
if($pre->execute()){
$count = $pre->rowCount();
if($count > 0){
return true;
} else {
return false;
}
} else {
echo "\nMySQL returned error:\n";
print_r($pdo->errorInfo());
}
}
//Check for correct size
function checkSize($var, $size){
if(strlen($var) > $size){
return true;
} else {
return false;
}
}
//Securely hash user passwords with bcrypt (crypt() with a $2y$ prefix, PHP >= 5.3.7)
function cryptPass($pass, $rounds = 9){
//bcrypt needs a 22-character salt from the alphabet ./A-Za-z0-9.
//Take it from a CSPRNG; array_rand() is driven by a predictable PRNG.
$bytes = openssl_random_pseudo_bytes(16);
$salt = substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
//$rounds is the cost factor (04-31); each step doubles the work
return crypt($pass, sprintf('$2y$%02d$', $rounds) . $salt);
}
if(nameRegex($_POST['fname'])){
$error = true;
$error_text .= "Your First Name contains illegal characters!<br />";
}
if(nameRegex($_POST['lname'])){
$error = true;
$error_text .= "Your Last Name contains illegal characters!<br />";
}
if(userRegex($_POST['username'])){
$error = true;
$error_text .= "Your Username contains illegal characters!<br />";
}
if(mailFilter($_POST['email'])){
$error = true;
$error_text .= "Your Email Address does not appear to be valid!<br />";
}
if(mailFilter($_POST['email2'])){
$error = true;
$error_text .= "Your 2nd Email Address does not appear to be valid!<br />";
}
if(matchValues($_POST['email'], $_POST['email2'])){
$error = true;
$error_text .= "It appears both Email Addresses did not match!<br />";
}
if(matchValues($_POST['password'], $_POST['password2'])){
$error = true;
$error_text .= "It appears both Passwords did not match!<br />";
}
if(checkUser($_POST['username'])){
$error = true;
$error_text .= "The Username is already taken by another user!<br />";
}
if(checkSize($_POST['fname'], 25)){
$error = true;
$error_text .= "The First Name contains too many characters!<br />";
}
if(checkSize($_POST['lname'], 50)){
$error = true;
$error_text .= "The Last Name contains too many characters!<br />";
}
if(checkSize($_POST['username'], 16)){
$error = true;
$error_text .= "The Username contains too many characters!<br />";
}
//This check is for the email field, not the username
if(checkSize($_POST['email'], 125)){
$error = true;
$error_text .= "The Email address contains too many characters!<br />";
}
if(!$error){
if($secureCrypt){
$hashPass = cryptPass($_POST['password']);
} else {
$hashPass = md5($_POST['password']);
}
//Placeholders must NOT be quoted: ':username' in quotes is the literal string
//":username", no parameter exists to bind, and execute() fails with
//SQLSTATE HY093 (invalid parameter number), so no user is ever inserted.
//VALUES without a column list relies on the exact column order of your users
//table (assumed here: id, username, fname, lname, email, password, date, status);
//list the columns explicitly if your table differs.
$sql = "INSERT INTO users VALUES ('', :username, :fname, :lname, :email, :password, :date, '0')";
$pre = $pdo->prepare($sql);
$pre->bindValue(":username",$_POST['username']);
$pre->bindValue(":fname",$_POST['fname']);
$pre->bindValue(":lname",$_POST['lname']);
$pre->bindValue(":email",$_POST['email']);
//Store the hash, never the plaintext password
$pre->bindValue(":password",$hashPass);
$pre->bindValue(":date",date("Y-m-d"));
if($pre->execute()){
echo "You are successfully registered. Welcome!";
} else {
echo "\nMySQL returned error:\n";
print_r($pdo->errorInfo());
}
} else {
echo "There are some problems with your registration.<br />";
echo "Please correct the following errors:<br /><br />";
echo $error_text;
echo "<br />";
}
}
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Login Page</title>
<style>
#div1 {
width: 800px;
margin: 0px auto 0px auto;
}
#td1 {
width: 60%;
vertical-align: top;
}
#td2 {
width: 40%;
}
</style>
</head>
<body>
<div id="div1">
<table>
<tr>
<td id="td1">
<h2>Already a member? Sign in below!</h2>
<form action="hoping.php" method="post" id="user_login" accept-charset="utf-8">
<input type="text" name="username" size="25" placeholder="Username"/><br /><br />
<input type="password" name="Password" size="25" placeholder="Password"/><br /><br />
<input type="submit" name="login" value="Login!">
</form>
</td>
<td id="td2">
<h2>Sign Up Below!</h2>
<form action="hoping.php" method="post" id="user_register" accept-charset="utf-8">
<!-- Re-displayed values are HTML-escaped so a submitted value cannot inject markup (reflected XSS), and isset() avoids notices on first load -->
<input type="text" name="fname" size="25" placeholder="First Name" value="<?php echo isset($_POST['fname']) ? htmlspecialchars($_POST['fname'], ENT_QUOTES, 'UTF-8') : ''; ?>" /><br /><br />
<input type="text" name="lname" size="25" placeholder="Last Name" value="<?php echo isset($_POST['lname']) ? htmlspecialchars($_POST['lname'], ENT_QUOTES, 'UTF-8') : ''; ?>" /><br /><br />
<input type="text" name="username" size="25" placeholder="Username" value="<?php echo isset($_POST['username']) ? htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8') : ''; ?>" /><br /><br />
<input type="text" name="email" size="25" placeholder="Email Address" value="<?php echo isset($_POST['email']) ? htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8') : ''; ?>" /><br /><br />
<input type="text" name="email2" size="25" placeholder="Email Address (again)" value="<?php echo isset($_POST['email2']) ? htmlspecialchars($_POST['email2'], ENT_QUOTES, 'UTF-8') : ''; ?>" /><br /><br />
<!-- Password inputs must be type="password" so they are masked and not re-echoed -->
<input type="password" name="password" size="25" placeholder="Password"/><br /><br />
<input type="password" name="password2" size="25" placeholder="Password (again)"/><br /><br />
<input type="submit" name="register" value="Sign Up!">
</form>
</td>
</tr>
</table>
</div>
</body>
</html>
Don't use mysql_*! It is deprecated and very insecure. This way you open yourself up to SQL injection. – icecub 2014-11-02 00:51:45
What is the problem? What do you mean by "it doesn't use this code"? – 2014-11-02 01:03:50
It means that when using this code, it does not register the user. – ilikeyoyo 2014-11-02 01:12:00
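As an added example that is not part of icecub's answer or the question, the following stand-alone PHP script puts the two password checks from hoping.php side by side: bcrypt through crypt() with a constant-time comparison, and md5 compared with the loose == operator the answer uses. The function names (bcryptHash, bcryptVerify, md5LooseVerify, md5StrictVerify) and the sample passwords are my own; the two md5 inputs are the well-known pair whose digests both start with "0e" followed only by digits.

```php
<?php
// Added example, not code from the answer: the two password checks in
// hoping.php side by side. Function names and sample inputs are mine.

// bcrypt through crypt(), as the answer's cryptPass() does: "$2y$" prefix,
// two-digit cost, then a 22-character salt from the alphabet ./A-Za-z0-9.
// The salt comes from a CSPRNG (openssl), not array_rand().
function bcryptHash($password, $cost = 10) {
    $salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    // A bcrypt hash is always 60 bytes; crypt() returns "*0"/"*1" on failure.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed; PHP >= 5.3.7 is required for $2y$');
    }
    return $hash;
}

// Verification: the stored hash doubles as the salt, so crypt() re-derives
// the hash with the same cost and salt. hash_equals() (PHP >= 5.6) compares
// in constant time and is strict, so no numeric-string coercion can occur.
function bcryptVerify($password, $storedHash) {
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// The md5 check as written in the answer, with a loose == comparison.
function md5LooseVerify($password, $storedHash) {
    return md5($password) == $storedHash;
}

// The same check with ===.
function md5StrictVerify($password, $storedHash) {
    return md5($password) === $storedHash;
}

// Constructed inputs for the demonstration.
$registered = 'correct horse battery staple';
$stored = bcryptHash($registered);
echo "bcrypt, right password: ", var_export(bcryptVerify($registered, $stored), true), "\n";
echo "bcrypt, wrong password: ", var_export(bcryptVerify('Correct horse battery staple', $stored), true), "\n";

// Both of these strings have md5 digests of the form "0e" followed only by
// digits. PHP's == treats such strings as numbers in exponent notation, and
// 0e<digits> is 0, so the two different digests compare equal.
$storedMd5 = md5('QNKCDZO');
echo "md5 ==,  other input:   ", var_export(md5LooseVerify('240610708', $storedMd5), true), "\n";
echo "md5 ===, other input:   ", var_export(md5StrictVerify('240610708', $storedMd5), true), "\n";
```

Run it from the command line with php. The loose md5 check accepts "240610708" against the stored digest of "QNKCDZO" because both digests are numeric strings beginning with 0e and therefore both equal 0 under ==; the strict check and the bcrypt check reject it. On PHP 5.5 and later the built-in password_hash() and password_verify() do the same job as bcryptHash()/bcryptVerify() and should be preferred over hand-rolled crypt() calls.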