2013-08-25 173 views
0

我在做一個註冊腳本。這就是我所做的在php中註冊用戶?

Connect.php

<?php 

$Connessione = mysql_connect('localhost','root',''); 
$Database = mysql_select_db('my_database'); 

if(!$Connessione) { 
    echo "Errore di connessione: ".mysql_error; 
} 
else { 
echo ""; 
} 

?> 

Register.php

<html> 
<head> 
    <title>Registrati o loggati</title> 
    <meta charset="utf-8"> 
</head> 
<body> 
    <h1>Sei nuovo? Registrati! Sei già registrato? Loggati!</h1> 
    <form action="full.php" name="registrazione" method="post"> 
     NickName (Massimo 10 caratteri): <input type="text" name="nickname" maxlenght="10" required/> 
     <br><br> 
     Password: <input type="password" name="psw" required/><br> 
     <input type="submit" value="Registrati" name="registrati"/> 
    </form> 
</body> 
</html> 

full.php

<?php 
    include('connect.php'); 

    if(isset($_POST['registrati'])) {  
     $Username = $_POST['nickname']; 
     $Password = md5($_POST['password']); 
     $Escape = mysql_real_escape_string($Username); 
     $Query = "INSERT INTO sito (user, password) VALUES($Escape, $Password)"; 
     $Esecuzione = mysql_query($Query); 

     if(!$Esecuzione) { 
      echo "Errore: ".mysql_error(); 
     } else { 
      echo ""; 
     } 
    } 
?> 

當我運行它,我按一下按鈕告訴我(例如在nikcname我把「約翰」)Errore:'領域列表'中的未知列'約翰'。爲什麼?此代碼對SQL注入開放?由於

+0

字符串必須用引號引起來,並確保你總是過濾用戶輸入,所以你從SQL注入安全。 – Shomz

+0

不要使用mysql,也不要在您的sql語句中使用變量。請使用PDO或MSQLi,並附上準備好的語句 – underscore

+0

@ఠ_ఠprepaid lol – Class

回答

3

我相信你需要使用引號,像這樣的價值觀:

$Query = "INSERT INTO `sito` (`user`, `password`) VALUES('$Escape', '$Password')"; 

而且你可能想看看mysqliPDO而不是使用mysql_*功能。

+0

並引用列表名稱在後面的刻度,'\'用戶'' –

+1

謝謝,現在它工作! – Francesco64

0

希望你能檢查一下。讓我們將您的MySQL代碼改爲MySQLiMySQL已被棄用。

Connect.php

<?php 

$con=mysqli_connect("localhost","root","","my_database"); 

if(mysqli_connect_errno()){ 

echo "Error".mysqli_connect_error(); 
} 

?> 

full.php

<?php 
    include('connect.php'); 

    if(isset($_POST['registrati'])) {  
     $Username = $_POST['nickname']; 
     $Password = md5($_POST['password']); 
     $Escape = mysql_real_escape_string($Username); 

     /* START OF CHECK IF INPUT IS ALREADY IN DATABASE */ 

     $result=mysqli_query($con,"SELECT * FROM sito WHERE user='$Escape'"); 

     if(mysqli_num_rows($result)==0){ /* IF USERNAME HASN'T TAKEN YET */ 

     mysqli_query($con,"INSERT INTO sito (user, password) VALUES ('$Escape','$Password')"); 

     } 

     else { 
     echo $Escape." is already taken."; 
     } 

    } /* END OF ISSET REGISTRATI */ 
?>