1
我在php中做了一個簡單的註冊系統,即使我輸入了所有正確的細節,它也沒有進入數據庫,即使所有條目都正確,它仍然會回顯withError = 1。這是我的PHP代碼。即使所有輸入都正確,PHP代碼仍然顯示錯誤。我的代碼有什麼問題?
<?php
if($submit)
{
if ($fullname && $email && $username && $password && $conPassword)
{
if(preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $email))
{
$query1 = "SELECT Email FROM tbl_userAccounts WHERE Email='$email'";
$result1 = mysqli_query($mysqli,$query1) or die(mysqli_error());
if (mysqli_num_rows($result1) < 0)
echo "email is already used. ";
$withError = true;
}
else
{
echo "invalid email address. ";
$withError = true;
}
if (strlen($username) < $charMinimum)
{
echo "minimum of 6 characters for username. ";
$withError = true;
}
else
{
$query2 = "SELECT Username FROM tbl_userAccounts WHERE Username='$username'";
$result2 = mysqli_query($mysqli,$query2) or die(mysqli_error());
if (mysqli_num_rows($result2) < 0)
{
echo "username is already used. ";
$withError = true;
}
}
if($password == $conPassword)
{
echo $withError;
if($withError == false)
{
if (strlen($password) < $charMinimum)
{
echo "minimum of 6 characters for password. ";
$withError = true;
}
else
{
$query3 = "INSERT INTO tbl_userAccounts VALUES ('', '$fullname', '$username', '$password','$date', '$email')";
$result3 = mysqli_query($mysqli,$query3) or die(mysqli_error());
if($result3 && $withError == false)
echo "account has been successfully registered!";
else
echo "failed registration. ";
}
}
}
else
{
echo "passwords do not match. ";
$withError = true;
}
}
}
else
{
echo "fill out all fields. ";
$withError = true;
}
?>
我得到擔心,當我看到不使用[PHP預處理語句(PHP代碼http://php.net/manual/en/pdo.prepared- statement.php)來防止[SQL Injection](http://en.wikipedia.org/wiki/SQL_injection)漏洞。我希望你在這裏沒有粘貼的代碼中清理你的變量。如果不是,請考慮重新編寫代碼以使用PDO Prepared Statements,而不是試圖清理變量。 – sarnold 2011-12-15 02:57:25