0
我對PHP/MySQL很陌生,所以請理解,但是我試圖在我的站點中實現一個複雜的登錄系統。到目前爲止,我已經完成了註冊,但是沒有使用準備好的語句來完成註冊,而只是使用了MySQLi。 由於有必要防止SQL注入,我需要以某種方式將此代碼更改爲預準備語句;我已經試過無情的時間,只是在執行語句時失敗。如何將MySQLi轉換爲預準備語句?
這是初始工作(但未準備好)的代碼。由於這可能是一個很大的問題,我很樂意向任何人支付一小筆費用。
//Declaring variables as whitespace so nothing will be displayed below the form until submission.
$fe_firstName = " ";
$fe_lastName = " ";
$fe_email = " ";
$fe_emailconf = " ";
$fe_username = " ";
$fe_pw = " ";
$fe_pwconf = " ";
$fe_terms = " ";
$fe_usernameInvalid = " ";
$fe_emailInvalid = " ";
//Declaring verification variables to ensure duplicate users aren't created.
$verifyUsername = $_POST['username'];
$verifyEmail = $_POST['email'];
//Setting up array, if zero errors occur the array will stay empty.
$errors = array();
//The URL of the signup page.
//The full URL of the page the form was submitted from.
$current = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
$referrer = $_SERVER['HTTP_REFERER'];
//Ensure form comes from VAL website.
if ($referrer == $current) {
if($_SERVER['REQUEST_METHOD'] == 'POST'){
/**
* Validate forms
* Match regex
* Ensure pass & email confirmations match
*/
if(0 === preg_match("/^[a-z\-]{2,20}$/i", $_POST['firstName'])){
$errors['e_firstName'] = "Your first name cannot be empty.";
$fe_firstName = "Your first name cannot be empty.";
}
if(0 === preg_match("/^[a-z\-]{2,20}$/i", $_POST['lastName'])){
$errors['e_lastName'] = "Your last name cannot be empty.";
$fe_lastName = "Your last name cannot be empty.";
}
if(0 === preg_match("/^[a-zA-Z0-9]+[a-zA-Z0-9_.-]+[a-zA-Z0-9_-][email protected][a-zA-Z0-9]+[a-zA-Z0-9.-]+[a-zA-Z0-9]+.[a-z]{2,4}$/", $_POST['email'])){
$errors['e_email'] = "Please enter a valid E-Mail address.";
$fe_email = "Please enter a valid E-Mail address.";
}
if(0 !== strcmp($_POST['email'], $_POST['emailconf'])){
$errors['e_emailconf'] = "Please ensure your E-Mail addresses match.";
$fe_emailconf = "Please ensure your E-Mail addresses match.";
}
if(0 === preg_match("/^[a-z\d_]{3,20}$/i", $_POST['username'])){
$errors['e_username'] = "Please enter a valid username.";
$fe_username = "Please enter a valid username.";
}
if(0 === preg_match("/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,56}$/", $_POST['pw'])){
$errors['e_pw'] = "Please follow the password instructions. You must have at least one number, one lower-case, and one upper-case letter.";
$fe_pw = "Please follow the password instructions. You must have at least one number, one lower-case, and one upper-case letter.";
}
if(0 !== strcmp($_POST['pw'], $_POST['pwconf'])){
$errors['e_pwconf'] = "Please ensure your passwords match.";
$fe_pwconf = "Please ensure your passwords match.";
}
if(!isset($_POST['terms'])){
$errors['e_terms'] = "You must accept the Terms and Conditions.";
$fe_terms = "You must accept the Terms and Conditions.";
}
/**
* Check if username and email address already exist.
* If so, add error to validity array.
*/
$usernameCheck = mysqli_query($con, "SELECT * FROM users WHERE username='".$verifyUsername."'");
if($usernameCheck->num_rows){
$errors['e_usernameInvalid'] = "Username already exists.";
$fe_usernameInvalid = "Username already exists.";
}
$emailCheck = mysqli_query($con, "SELECT * FROM users WHERE email='".$verifyEmail."'");
if($emailCheck->num_rows){
$errors['e_emailInvalid'] = "Email already exists.";
$fe_emailInvalid = "Email already exists.";
}
//If no validation errors
if(0 === count($errors)){
/***
* Sanitize code
* Clean dangerous chars for DB
*/
$send_firstName = mysqli_real_escape_string($con, $_POST['firstName']);
$send_lastName = mysqli_real_escape_string($con, $_POST['lastName']);
$send_email = mysqli_real_escape_string($con, $_POST['email']);
$send_username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, $_POST['pw']);
//HASH & ready password
//
// Instantiate new instance of class
$hash_password = new Hash_Password();
// Hash the password
$hash = $hash_password->hash($password);
$send_pw = $hash;
//Autoset non-user-input values to 0
$send_wins = 0;
$send_losses = 0;
$send_played = 0;
$send_earnings = 0;
//Obtain time of form submission = Time registered.
$datum = new DateTime();
$send_regDate = $datum->format('Y-m-d H:i:s');
$send_lastLogin = $send_regDate;
$send_rolePermissions = 0;
//Insert query time.
$sql = "
INSERT INTO users (first_name, last_name, username, password, email, last_login, date_joined, wins, losses, played, earnings, permissions) VALUES
('{$send_firstName}','{$send_lastName}','{$send_username}','{$send_pw}','{$send_email}','{$send_lastLogin}','{$send_regDate}','{$send_wins}','{$send_losses}','{$send_played}','{$send_earnings}','{$send_rolePermissions}')
";
//Redirecting based on the connection result.
if(!mysqli_query($con, $sql)){
if (!headers_sent()) {
exit(header("Location: registration_fail.php"));
} else{
?>
<script> location.replace("registration_fail.php"); </script>
<?php
}
} else{
if (!headers_sent()) {
exit(header("Location: registration_success.php"));
} else{
?>
<script> location.replace("registration_success.php"); </script>
<?php
}
mysqli_close($con);
}
}
}
}
很多代碼是驗證,並且「fe_」變量在表單下面回顯。我相信所有需要改變的是$ sql變量,real_escape_strings和$ usernameCheck和$ emailCheck。
再一次,我對這個不整潔的問題表示最大的歉意,但我在其他地方找不到答案。 P.S - 數據庫通過PDO連接,沒有問題。
由於您試圖阻止SQL注入發生,因此得到了Upvoted。 –
我不進php,但你應該使用parametrized語句。 http://php.net/manual/es/mysqli.prepare.php –
謝謝,我也意識到我有錯誤的問題,現在已經改變了。你有能力幫忙嗎? – Lewis