PHP忽略注册脚本中的if/Else语句
我目前正在我的网站上的登录系统工作。每个用户在购买时都会收到一个唯一的密钥,然后使用该密钥在网站上注册。在使用密钥注册后,它会通过一个脚本来检查我的密钥数据库,以确保它没有被使用(如果它通过了该检查,则密钥被标记为“正在使用”)。然后,它将用户插入数据库,将其密钥和支付状态存储为“sub” 我的问题是我的脚本完全忽略了键检查if/else块。它无法将正在使用的更改为“Y”。它还告诉我注册成功,即使pay_status变量没有传递到最终的insert语句 我想知道是否有人可以试试我的php,看看是否有什么明显的我遗漏了。忽略可注入点,因为在再次保护代码之前,我将代码剥离以使其正常工作 以下是php:PHP忽略注册脚本中的if/Else语句,php,mysql,Php,Mysql,我目前正在我的网站上的登录系统工作。每个用户在购买时都会收到一个唯一的密钥,然后使用该密钥在网站上注册。在使用密钥注册后,它会通过一个脚本来检查我的密钥数据库,以确保它没有被使用(如果它通过了该检查,则密钥被标记为“正在使用”)。然后,它将用户插入数据库,将其密钥和支付状态存储为“sub” 我的问题是我的脚本完全忽略了键检查if/else块。它无法将正在使用的更改为“Y”。它还告诉我注册成功,即使pay_status变量没有传递到最终的insert语句 我想知道是否有人可以试试我的php,看看是
<?php
include_once 'link_auth.php';
include_once 'link_global.php';
$error_msg = "";
if (isset($_POST['username'], $_POST['email'], $_POST['p'], $_POST['firstname'], $_POST['lastname'], $_POST['regkey'])) {
// Sanitize and validate the data passed in
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
$firstname = filter_input(INPUT_POST, 'firstname', FILTER_SANITIZE_STRING);
$lastname = filter_input(INPUT_POST, 'lastname', FILTER_SANITIZE_STRING);
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$email = filter_var($email, FILTER_VALIDATE_EMAIL);
$regkey = $_POST['regkey'];
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
// Not a valid email
$error_msg .= '<p class="error">The email address you entered is not valid</p>';
}
$password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);
if (strlen($password) != 128) {
// The hashed pwd should be 128 characters long.
// If it's not, something really odd has happened
$error_msg .= '<p class="error">Invalid password configuration.</p>';
}
// Username validity and password validity have been checked client side.
// This should should be adequate as nobody gains any advantage from
// breaking these rules.
//
//Check if the registration key is in use --> If so, close statement, if not, mark key as in_use = Y and add it to the user's account, set payment status from trial (if trial) to sub
$prep_stmt = "SELECT id, regkey, in_use FROM keylist WHERE regkey = '$regkey' LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
if ($stmt) {
$stmt->execute();
$keystatus = $stmt->fetch();
if ($keystatus['in_use'] == 'N') {
//The key is available
$sql_updatekey = "UPDATE `keylist` SET in_use = 'Y' WHERE `regkey` = '$regkey'";
$pay_status = "sub";
$mysqli->query($sql_updatekey);
$stmt->close();
}
$stmt->close();
} else {
$error_msg .= '<p class="error">This key is already in use. If you feel this is an error, please contact support@hospitaldatasolutions.com</p>';
$stmt->close();
}
$prep_stmt = "SELECT id FROM members WHERE email = ? LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
// check existing email
if ($stmt) {
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
// A user with this email address already exists
$error_msg .= '<p class="error">A user with this email address already exists.</p>';
$stmt->close();
}
$stmt->close();
} else {
$error_msg .= '<p class="error">Database error Line 39</p>';
$stmt->close();
}
// check existing username
$prep_stmt = "SELECT id FROM members WHERE username = ? LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
if ($stmt) {
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
// A user with this username already exists
$error_msg .= '<p class="error">A user with this username already exists</p>';
$stmt->close();
}
$stmt->close();
} else {
$error_msg .= '<p class="error">Database error line 55</p>';
$stmt->close();
}
// TODO:
// We'll also have to account for the situation where the user doesn't have
// rights to do registration, by checking what type of user is attempting to
// perform the operation.
if (empty($error_msg)) {
// Create a random salt
//$random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE)); // Did not work
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Create salted password
$password = hash('sha512', $password . $random_salt);
// Insert the new user into the database
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, firstname, lastname, regkey, salt, payment_status) VALUES (?, ?, ?, ?, ?, ?, ?, ?)")) {
$insert_stmt->bind_param('ssssssss', $username, $email, $password, $firstname, $lastname, $regkey, $random_salt, $pay_status);
// Execute the prepared query.
if (! $insert_stmt->execute()) {
header('Location: ../error.php?err=Registration failure: INSERT');
}
}
header('Location: register_success.php');
}
}
if-else部分存在逻辑错误,我认为“key ready used”的els块与if($stmt)放错了位置。我假设您的密钥列表中有in_use='N'表示未使用的密钥
<?php
include_once 'link_auth.php';
include_once 'link_global.php';
$error_msg = "";
if (isset($_POST['username'], $_POST['email'], $_POST['p'], $_POST['firstname'], $_POST['lastname'], $_POST['regkey'])) {
// Sanitize and validate the data passed in
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
$firstname = filter_input(INPUT_POST, 'firstname', FILTER_SANITIZE_STRING);
$lastname = filter_input(INPUT_POST, 'lastname', FILTER_SANITIZE_STRING);
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$email = filter_var($email, FILTER_VALIDATE_EMAIL);
$regkey = $_POST['regkey'];
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
// Not a valid email
$error_msg .= '<p class="error">The email address you entered is not valid</p>';
}
$password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);
if (strlen($password) != 128) {
// The hashed pwd should be 128 characters long.
// If it's not, something really odd has happened
$error_msg .= '<p class="error">Invalid password configuration.</p>';
}
// Username validity and password validity have been checked client side.
// This should should be adequate as nobody gains any advantage from
// breaking these rules.
//
//Check if the registration key is in use --> If so, close statement, if not, mark key as in_use = Y and add it to the user's account, set payment status from trial (if trial) to sub
$prep_stmt = "SELECT id, regkey, in_use FROM keylist WHERE regkey = '$regkey' LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
if ($stmt) {
$stmt->execute();
$stmt->bind_result($col1, $col2,$col3);
$keystatus = $stmt->fetch();
if ($keystatus && $col3=="N") {
//The key is available
$sql_updatekey = "UPDATE `keylist` SET in_use = 'Y' WHERE `regkey` = '$regkey'";
$pay_status = "sub";
$mysqli->query($sql_updatekey);
$stmt->close();
}
else {
$error_msg .= '<p class="error">This key is already in use. If you feel this is an error, please contact support@hospitaldatasolutions.com</p>';
$stmt->close();
}
}
$prep_stmt = "SELECT id FROM members WHERE email = ? LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
// check existing email
if ($stmt) {
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
// A user with this email address already exists
$error_msg .= '<p class="error">A user with this email address already exists.</p>';
$stmt->close();
}
$stmt->close();
} else {
$error_msg .= '<p class="error">Database error Line 39</p>';
$stmt->close();
}
// check existing username
$prep_stmt = "SELECT id FROM members WHERE username = ? LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
if ($stmt) {
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
// A user with this username already exists
$error_msg .= '<p class="error">A user with this username already exists</p>';
$stmt->close();
}
$stmt->close();
} else {
$error_msg .= '<p class="error">Database error line 55</p>';
$stmt->close();
}
// TODO:
// We'll also have to account for the situation where the user doesn't have
// rights to do registration, by checking what type of user is attempting to
// perform the operation.
if (empty($error_msg)) {
// Create a random salt
//$random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE)); // Did not work
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Create salted password
$password = hash('sha512', $password . $random_salt);
// Insert the new user into the database
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, firstname, lastname, regkey, salt, payment_status) VALUES (?, ?, ?, ?, ?, ?, ?, ?)")) {
$insert_stmt->bind_param('ssssssss', $username, $email, $password, $firstname, $lastname, $regkey, $random_salt, $pay_status);
// Execute the prepared query.
if (! $insert_stmt->execute()) {
header('Location: ../error.php?err=Registration failure: INSERT');
}
}
header('Location: register_success.php');
}
}
到目前为止,您做了哪些调试工作?我可以说,在我在“检查注册密钥是否正在使用”下添加块之前,代码已经完全正常运行。到目前为止,我只是直接更改了它下面的语句/行,并检查了数据库是否以正确的方式更新。我想我只是想知道是否有语法方面的原因导致它一起跳过了那个块。之后,如果成功(它说是),它将转到注册成功页面,这意味着$errmsg var从未被任何其他块填充。我是新来的,所以不知道该去哪里。是的,表中填写了N表示所有未使用的键。将尝试重新工作OK现在它告诉我密钥已在使用,但它不是请添加另一行var_dump($keystatus);$keystatus=$stmt->fetch()之后;然后将输出发送给我,这样我就可以找到所发生的事情。我认为$stmt->fetch()给出了布尔值,您需要使用$stmt->bind_result()将结果存储到变量?我又改变了,希望它能工作,但我没有测试,因为我这里没有数据。是的,这正是问题所在。事实证明,上一个查询仍在运行,因为即使我将其限制为一个结果,仍有更多可能的行要拉,因此它被卡在上一个查询中,并阻止新的查询发生。Store_result()存储整个结果集,并释放查询以获得新语句。谢谢你的帮助!现在它已经完全修好了,运行也很完美!
<?php
include_once 'link_auth.php';
include_once 'link_global.php';
$error_msg = "";
if (isset($_POST['username'], $_POST['email'], $_POST['p'], $_POST['firstname'], $_POST['lastname'], $_POST['regkey'])) {
// Sanitize and validate the data passed in
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
$firstname = filter_input(INPUT_POST, 'firstname', FILTER_SANITIZE_STRING);
$lastname = filter_input(INPUT_POST, 'lastname', FILTER_SANITIZE_STRING);
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$email = filter_var($email, FILTER_VALIDATE_EMAIL);
$regkey = $_POST['regkey'];
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
// Not a valid email
$error_msg .= '<p class="error">The email address you entered is not valid</p>';
}
$password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);
if (strlen($password) != 128) {
// The hashed pwd should be 128 characters long.
// If it's not, something really odd has happened
$error_msg .= '<p class="error">Invalid password configuration.</p>';
}
// Username validity and password validity have been checked client side.
// This should should be adequate as nobody gains any advantage from
// breaking these rules.
//
//Check if the registration key is in use --> If so, close statement, if not, mark key as in_use = Y and add it to the user's account, set payment status from trial (if trial) to sub
$prep_stmt = "SELECT id, regkey, in_use FROM keylist WHERE regkey = '$regkey' LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
if ($stmt) {
$stmt->execute();
$stmt->bind_result($col1, $col2,$col3);
$keystatus = $stmt->fetch();
if ($keystatus && $col3=="N") {
//The key is available
$sql_updatekey = "UPDATE `keylist` SET in_use = 'Y' WHERE `regkey` = '$regkey'";
$pay_status = "sub";
$mysqli->query($sql_updatekey);
$stmt->close();
}
else {
$error_msg .= '<p class="error">This key is already in use. If you feel this is an error, please contact support@hospitaldatasolutions.com</p>';
$stmt->close();
}
}
$prep_stmt = "SELECT id FROM members WHERE email = ? LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
// check existing email
if ($stmt) {
$stmt->bind_param('s', $email);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
// A user with this email address already exists
$error_msg .= '<p class="error">A user with this email address already exists.</p>';
$stmt->close();
}
$stmt->close();
} else {
$error_msg .= '<p class="error">Database error Line 39</p>';
$stmt->close();
}
// check existing username
$prep_stmt = "SELECT id FROM members WHERE username = ? LIMIT 1";
$stmt = $mysqli->prepare($prep_stmt);
if ($stmt) {
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->store_result();
if ($stmt->num_rows == 1) {
// A user with this username already exists
$error_msg .= '<p class="error">A user with this username already exists</p>';
$stmt->close();
}
$stmt->close();
} else {
$error_msg .= '<p class="error">Database error line 55</p>';
$stmt->close();
}
// TODO:
// We'll also have to account for the situation where the user doesn't have
// rights to do registration, by checking what type of user is attempting to
// perform the operation.
if (empty($error_msg)) {
// Create a random salt
//$random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE)); // Did not work
$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));
// Create salted password
$password = hash('sha512', $password . $random_salt);
// Insert the new user into the database
if ($insert_stmt = $mysqli->prepare("INSERT INTO members (username, email, password, firstname, lastname, regkey, salt, payment_status) VALUES (?, ?, ?, ?, ?, ?, ?, ?)")) {
$insert_stmt->bind_param('ssssssss', $username, $email, $password, $firstname, $lastname, $regkey, $random_salt, $pay_status);
// Execute the prepared query.
if (! $insert_stmt->execute()) {
header('Location: ../error.php?err=Registration failure: INSERT');
}
}
header('Location: register_success.php');
}
}