PHP mysql注册页面问题

Question

下午好！ 我试图在我的网页上注册，我有一个问题 - 注册正在发生，但它可以创建多个用户使用相同的符号和相同的电子邮件，并且当密码不匹配时不会给出错误。

这里是形式 -

<form action = "register.php" method = "post"> 
        Select username:<br> 
        <input type = "text" name = "username"><br> 
        Your e-mail:<br> 
        <input type = "email" name = "email"><br> 
        Set password:<br> 
        <input type = "password" name = "password1"><br> 
        Repeat password:<br> 
        <input type = "password" name = "password2"><br> 
        <button>&nbsp;</button> 
       </form> 

这里是PHP代码 -

<?php 



     if (isset($_POST['username']) && isset($_POST['email']) && isset($_POST['password1']) && isset($_POST['password2'])){ 


      $query = 'select * from users where username = "'.addslashes($_POST['username']).'"'; 
      $numrows = mysqli_num_rows($link,$query); 
      if($numrows == 0){ 
        $query_mail = 'select * from users where email = "'.addslashes($_POST['email']).'"'; 
        $numrows_mail = mysqli_num_rows($link,$query_mail); 
        if($numrows_mail == 0){ 
         if(isset($_POST['password1']) == isset($_POST['password2'])){ 
          $sql = 'INSERT INTO users (username,password,email) VALUES("'.addslashes($_POST['username']).'","'.addslashes($_POST['password1']).'","'.addslashes($_POST['email']).'")'; 

          $result = mysqli_query($link,$sql) or die(mysqli_error($link)); 

        if($result){ 
         echo 'Account sucsessfully created! You can now log in.'; 
        }else{ 
         var_dump($result); 
        } 
       }else { 
        echo 'Passwords must match!'; 
       } 
       }else { 
        echo 'E-mail allready registered!'; 
       } 
      }else{ 
       echo 'Username allready in use!'; 
      } 
     } 
    ?> 

有人能解释一下什么是不正确吗？

Answer 1

当你这样做if(isset($_POST['password1']) == isset($_POST['password2']))你正在检查两者都存在或两者都不存在，如果你想检查密码是否匹配，你必须更改它为if($_POST['password1'] == $_POST['password2'])。

Answer 2

我已经对您的代码进行了一些修改，以便您了解如何使用带占位符的参数化查询。 这是非常重要的安全明智，你不应该“稍后添加”，因为它很可能永远不会完成。下面的代码片段也正确哈希您的密码，因为这也是非常重要。永远不要忽视安全性，并始终是构建应用程序时首先考虑的事情。

<?php 
if (isset($_POST['username'], $_POST['email'], $_POST['password1'], $_POST['password2'])) { 
    $errors = array(); 

    $stmt = $link->prepare("SELECT COUNT(id) FROM users WHERE username=?"); 
    $stmt->bind_param("s", $_POST['username']); 
    $stmt->execute(); 
    $stmt->bind_result($count_username); 
    $stmt->fetch(); 
    $stmt->close; 

    $stmt = $link->prepare("SELECT COUNT(id) FROM users WHERE email=?"); 
    $stmt->bind_param("s", $_POST['email']); 
    $stmt->execute(); 
    $stmt->bind_result($count_email); 
    $stmt->fetch(); 
    $stmt->close; 

    if ($count_username) 
     $error[] = "That username already exists"; 

    if ($count_email) 
     $error[] = "That email already exists"; 

    if ($_POST['password1'] !==$_POST['password2']) 
     $errors[] = "Passwords doesn't match"; 

    if (empty($errors)) { 
     $password = password_hash($_POST['password1'], PASSWORD_DEFAULT); 

     $stmt = $link->prepare("INSERT INTO users (username, password, email) VALUES (?, ?, ?)"); 
     $stmt->bind_param("sss", $_POST['username'], $_POST['email'], $password); 
     if (!$stmt->execute()) { 
      if ($db->errno == 1062) { 
       /* Some unique values in the database was attempted inserted, might want to add some error-handling */ 
      } 
     } else { 
      /* Execution of query failed, TODO: add error-handling */ 
     } 
     $stmt->close(); 
    } else { 
     foreach ($errors as $e) 
      echo $e."\n"; 
    } 
} 

注：随着password_hash()使用，密码栏应该至少长255，而当你以后验证登录，您必须通过password_verify()验证它 - 说明书上持有例子如何做到这一点。

我建议您通读这些链接，因为它们与登录系统高度相关，但通常会处理用户输入和密码。

Readingmaterial和引用

• http://php.net/mysqli-stmt.prepare
• http://php.net/mysqli-stmt.bind-param
• How can I prevent SQL injection in PHP?
• http://php.net/password-hash/http://php.net/password-verify
• What way is the best way to hash a password?