1. 首頁
  2. 問答
  3. 在連接數據庫期間準備的語句

在連接數據庫期間準備的語句

2017-06-18 53 views
0

我想讓我的網站免受sql注入。所以我決定改變我的代碼並用準備好的語句替換它。我認爲我在下面的代碼中犯了一個小錯誤。在連接數據庫期間準備的語句

<?php 
session_start(); 


$host= 'localhost'; 
$user='root'; 
$pass=''; 
$db='gameforum'; 


$conn= mysqli_connect($host, $user, $pass, $db); 
    if ($conn->connect_error) { 
     die("Connection failed: " . $conn->connect_error); 
} 

    $username = $_POST['username']; 
    $password = $_POST['password']; 
    $rpassword = $_POST['rpassword']; 
    $email = $_POST['email']; 

    if ($password!==$rpassword) { 
$_SESSION['err']="Passwords did not match, please try again!"; 
header("Location: index.php"); 
    $conn->close(); 
} 
else { 
    $stmt = $conn->prepare("INSERT INTO users (username, password, rpassword, email) VALUES (?, ?, ?, ?)"); 
    if(!$stmt){ 
      echo "false"; 
    }else { 
    $stmt->bind_param("ssss", $username, $password, $rpassword, $email); 
     if ($stmt->execute === TRUE) { 
     $redirectUrl = 'index.php'; 

    $_SESSION['registrationsuccessful']="Your account was successfully created! You may now log in to your account."; 
    header("Location: index.php"); 
}else{ 
    $_SESSION['alreadyexists']="Username or email already exists!"; 
header("Location: index.php"); 
    $stmt->close(); 
    $conn->close(); 
    } 
$stmt->close(); 
$conn->close(); 
} 
    }

我現在面臨的問題是,我得到消息「用戶已存在」當我試圖創建一個實際上並不存在的賬號。謝謝!

來源

2017-06-18 Daniel Smith

+0

不要調用'$ stmt-> execute()'兩次 - 而是將它分配給一個變量並測試它是否爲真 – RamRaider

回答

0

您已經執行了執行語句。刪除其中一個。或者只檢查執行語句中的一個是否成功

來源

2017-06-18 13:05:51 Akintunde007

+0

好吧我更新了上面的代碼。我現在得到一個空白頁面,現在這意味着$ stmt = $ conn-> prepare現在失敗 –

0

我認爲問題的原因是第二次使用$stmt->execute() - 但可以對代碼進行一些其他修改。

創建數據庫連接如果初始邏輯if ($password!==$rpassword)測試成功〜否則似乎毫無意義。我會爲此使用一個會話變量而不是3 - 這可能會稍後更容易在其他頁面上檢查值。

將第一個$stmt->execute()的結果分配給一個變量,並在需要時在進一步的邏輯測試中使用該變量。

至於錯誤消息 - 顯示詳細的錯誤信息用於開發但從未投入生產 - 因此刪除了$conn->connect_error。其他

一件事的proceduralobject orientated代碼混合恐怕不是好的做法 - 更好地堅持一個或其他(OO很容易,我認爲)

<?php 
    session_start(); 

    $username = $_POST['username']; 
    $password = $_POST['password']; 
    $rpassword = $_POST['rpassword']; 
    $email = $_POST['email']; 
    $_SESSION['registration_status']=""; 

    if ($password!==$rpassword) { 
     $_SESSION['registration_status']="Passwords did not match, please try again!"; 
     exit(header("Location: index.php")); 

    } else { 

     $host= 'localhost'; 
     $user='root'; 
     $pass=''; 
     $db='gameforum'; 


     $conn= mysqli_connect($host, $user, $pass, $db); 
     if($conn->connect_error) die("Connection failed"); 


     $stmt = $conn->prepare("INSERT INTO users (`username`, `password`, `rpassword`, `email`) VALUES (?, ?, ?, ?)"); 
     if($stmt){ 

      $stmt->bind_param("ssss", $username, $password, $rpassword, $email); 
      $result = $stmt->execute(); 

      /* use the return value from stmt->execute() */ 
      $_SESSION['registration_status'] = $result ? "Your account was successfully created! You may now log in to your account." : "Username or email already exists!"; 

      $stmt->close(); 
     } 

     $conn->close(); 

     exit(header("Location: index.php")); 
     } 
    } 
?>

來源

2017-06-18 13:12:22 RamRaider

0

你可以試試這個,

<?php 
// if session not start, start now 
!session_id() ? session_start() : null; 
$mysql_server = "localhost"; 
$mysql_user = "root"; 
$mysql_password = ""; 
$mysql_db = "gameforum"; 
// connect db connection 
$conn = new mysqli($mysql_server, $mysql_user, $mysql_password, $mysql_db); 
// chck if connection has error 
if ($conn->connect_errno) { 
    printf("Connection failed: %s \n", $conn->connect_error); 
    exit(); 
} 
// db encoding 
$conn->set_charset("utf8"); 
// when POST happen 
if (isset($_POST) && !empty($_POST)) { 
    // convert POST array key as PHP variable 
    extract($_POST); 
    // if password matched with confirm password 
    if ($password === $rpassword) { 
     // create insert query with prepare 
     $stmt = $conn->prepare("INSERT INTO users (username, password, rpassword, email) VALUES (?, ?, ?, ?)"); 
     // if prepare fine, there is no query or mysql error 
     if ($stmt) { 
      // bind real values 
      $stmt->bind_param("ssss", $username, $password, $rpassword, $email); 
      // if query executed 
      if ($stmt->execute()) { 
       // success message & redirect 
       $_SESSION['registrationsuccessful'] = "Your account was successfully created! You may now log in to your account."; 
       header("Location: index.php"); 
       exit(); 
      } else { 
       // query error & redirect 
       $_SESSION['alreadyexists'] = "There was an error or Username/Email already exists!"; 
       header("Location: index.php"); 
       exit(); 
      } 
     } 
    } else { 
     // password matched failed 
     $_SESSION['err'] = "Passwords did not match, please try again!"; 
     header("Location: index.php"); 
     exit(); 
    } 
}

我沒有關閉連接,因爲PHP會在腳本結束時關閉所有打開的文件和連接。

來源

2017-06-18 13:34:32

相關問題

 相關問題