我在做一個註冊腳本。這就是我所做的在php中註冊用戶?
Connect.php
<?php
$Connessione = mysql_connect('localhost','root','');
$Database = mysql_select_db('my_database');
if(!$Connessione) {
echo "Errore di connessione: ".mysql_error;
}
else {
echo "";
}
?>
Register.php
<html>
<head>
<title>Registrati o loggati</title>
<meta charset="utf-8">
</head>
<body>
<h1>Sei nuovo? Registrati! Sei già registrato? Loggati!</h1>
<form action="full.php" name="registrazione" method="post">
NickName (Massimo 10 caratteri): <input type="text" name="nickname" maxlenght="10" required/>
<br><br>
Password: <input type="password" name="psw" required/><br>
<input type="submit" value="Registrati" name="registrati"/>
</form>
</body>
</html>
full.php
<?php
include('connect.php');
if(isset($_POST['registrati'])) {
$Username = $_POST['nickname'];
$Password = md5($_POST['password']);
$Escape = mysql_real_escape_string($Username);
$Query = "INSERT INTO sito (user, password) VALUES($Escape, $Password)";
$Esecuzione = mysql_query($Query);
if(!$Esecuzione) {
echo "Errore: ".mysql_error();
} else {
echo "";
}
}
?>
當我運行它,我按一下按鈕告訴我(例如在nikcname我把「約翰」)Errore:'領域列表'中的未知列'約翰'。爲什麼?此代碼對SQL注入開放?由於
字符串必須用引號引起來,並確保你總是過濾用戶輸入,所以你從SQL注入安全。 – Shomz
不要使用mysql,也不要在您的sql語句中使用變量。請使用PDO或MSQLi,並附上準備好的語句 – underscore
@ఠ_ఠprepaid lol – Class