0
..其中我無法弄清楚確切的問題是什麼和/或爲什麼interepreter抱怨這一點。我會後我的代碼:SQL:無法正確識別用戶名和密碼
<?php
$path = realpath(dirname(__FILE__));
require("../data/userhandler.class.php");
$db = connectViaPdo();
//var_dump($db);
$userHandler = new UserHandler($db);
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$ip = $_SERVER['REMOTE_ADDR'];
$query = "select username, password from users where ip = {$ip}";
$stmt = $db->prepare($query);
$result = $stmt->fetch();
if(!$result)
{
$isBanned = $userHandler->checkIfBanned($ip);
if (!$isBanned)
{
$query = "INSERT INTO users(username, password, ip, email) VALUES({$username}, {$password}, {$ip}, {$email})";
$stmt = $db->prepare($query);
$result = $stmt->execute();
}
else
{
echo "You are BANNED from this server. Leave now and do not come back.";
exit();
}
}
else
{
$query = "UPDATE users SET username = {$username}, password = {$password}, email = {$email} WHERE ip = {$ip} ";
$stmt = $db->prepare($query);
$result = $stmt->execute();
}
?>
我看到以下的輸出:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.193.239, [email protected])' at line 1' in /home/someuser/somedomain.com/portfolio/private_html/modules/register_user.script.php:29 Stack trace: #0 /home/someuser/somedomain.com/portfolio/private_html/modules/register_user.script.php(29): PDOStatement->execute() #1 {main} thrown in /home/someuser/somedomain.com/portfolio/private_html/modules/register_user.script.php on line 29
雖然我沒有遵循堆棧跟蹤,它並沒有真正似乎什麼幫助:我的PDOStatement對象是正確的。
您有SQL注入漏洞。另外,**不要以純文本**存儲密碼! – SLaks
SQL注入?那是什麼?至於密碼,我應該只使用mcrypt嗎? – zeboidlund
http://xkcd.com/327/ – SLaks