PHP mysql註冊頁面問題

Question

下午好！ 我試圖在我的網頁上註冊，我有一個問題 - 註冊正在發生，但它可以創建多個用戶使用相同的符號和相同的電子郵件，並且當密碼不匹配時不會給出錯誤。

這裏是形式 -

<form action = "register.php" method = "post"> 
        Select username:<br> 
        <input type = "text" name = "username"><br> 
        Your e-mail:<br> 
        <input type = "email" name = "email"><br> 
        Set password:<br> 
        <input type = "password" name = "password1"><br> 
        Repeat password:<br> 
        <input type = "password" name = "password2"><br> 
        <button>&nbsp;</button> 
       </form> 

這裏是PHP代碼 -

<?php 



     if (isset($_POST['username']) && isset($_POST['email']) && isset($_POST['password1']) && isset($_POST['password2'])){ 


      $query = 'select * from users where username = "'.addslashes($_POST['username']).'"'; 
      $numrows = mysqli_num_rows($link,$query); 
      if($numrows == 0){ 
        $query_mail = 'select * from users where email = "'.addslashes($_POST['email']).'"'; 
        $numrows_mail = mysqli_num_rows($link,$query_mail); 
        if($numrows_mail == 0){ 
         if(isset($_POST['password1']) == isset($_POST['password2'])){ 
          $sql = 'INSERT INTO users (username,password,email) VALUES("'.addslashes($_POST['username']).'","'.addslashes($_POST['password1']).'","'.addslashes($_POST['email']).'")'; 

          $result = mysqli_query($link,$sql) or die(mysqli_error($link)); 

        if($result){ 
         echo 'Account sucsessfully created! You can now log in.'; 
        }else{ 
         var_dump($result); 
        } 
       }else { 
        echo 'Passwords must match!'; 
       } 
       }else { 
        echo 'E-mail allready registered!'; 
       } 
      }else{ 
       echo 'Username allready in use!'; 
      } 
     } 
    ?> 

有人能解釋一下什麼是不正確嗎？

Answer 1

當你這樣做if(isset($_POST['password1']) == isset($_POST['password2']))你正在檢查兩者都存在或兩者都不存在，如果你想檢查密碼是否匹配，你必須更改它爲if($_POST['password1'] == $_POST['password2'])。

Answer 2

我已經對您的代碼進行了一些修改，以便您瞭解如何使用帶佔位符的參數化查詢。 這是非常重要的安全明智，你不應該「稍後添加」，因爲它很可能永遠不會完成。下面的代碼片段也正確哈希您的密碼，因爲這也是非常重要。永遠不要忽視安全性，並始終是構建應用程序時首先考慮的事情。

<?php 
if (isset($_POST['username'], $_POST['email'], $_POST['password1'], $_POST['password2'])) { 
    $errors = array(); 

    $stmt = $link->prepare("SELECT COUNT(id) FROM users WHERE username=?"); 
    $stmt->bind_param("s", $_POST['username']); 
    $stmt->execute(); 
    $stmt->bind_result($count_username); 
    $stmt->fetch(); 
    $stmt->close; 

    $stmt = $link->prepare("SELECT COUNT(id) FROM users WHERE email=?"); 
    $stmt->bind_param("s", $_POST['email']); 
    $stmt->execute(); 
    $stmt->bind_result($count_email); 
    $stmt->fetch(); 
    $stmt->close; 

    if ($count_username) 
     $error[] = "That username already exists"; 

    if ($count_email) 
     $error[] = "That email already exists"; 

    if ($_POST['password1'] !==$_POST['password2']) 
     $errors[] = "Passwords doesn't match"; 

    if (empty($errors)) { 
     $password = password_hash($_POST['password1'], PASSWORD_DEFAULT); 

     $stmt = $link->prepare("INSERT INTO users (username, password, email) VALUES (?, ?, ?)"); 
     $stmt->bind_param("sss", $_POST['username'], $_POST['email'], $password); 
     if (!$stmt->execute()) { 
      if ($db->errno == 1062) { 
       /* Some unique values in the database was attempted inserted, might want to add some error-handling */ 
      } 
     } else { 
      /* Execution of query failed, TODO: add error-handling */ 
     } 
     $stmt->close(); 
    } else { 
     foreach ($errors as $e) 
      echo $e."\n"; 
    } 
} 

注：隨着password_hash()使用，密碼欄應該至少長255，而當你以後驗證登錄，您必須通過password_verify()驗證它 - 說明書上持有例子如何做到這一點。

我建議您通讀這些鏈接，因爲它們與登錄系統高度相關，但通常會處理用戶輸入和密碼。

Readingmaterial和引用

• http://php.net/mysqli-stmt.prepare
• http://php.net/mysqli-stmt.bind-param
• How can I prevent SQL injection in PHP?
• http://php.net/password-hash/http://php.net/password-verify
• What way is the best way to hash a password?