Php 表单在不向数据库提交任何内容的情况下响应成功。我的流量控制有问题吗?
这是代码 我真的不明白为什么它不提交我的信息Php 表单在不向数据库提交任何内容的情况下响应成功。我的流量控制有问题吗?,php,mysql,html,forms,Php,Mysql,Html,Forms,这是代码 我真的不明白为什么它不提交我的信息 <?php //Includes mass includes containing all the files needed to execute the full script //Also shows homepage elements without customs include ("includes/mass.php"); //Grabbing data form POST array and storing in varia
<?php
//Includes mass includes containing all the files needed to execute the full script
//Also shows homepage elements without customs
include ("includes/mass.php");
//Grabbing data form POST array and storing in variables plus the date
$username = ($_POST['username']);
$password = ($_POST['password']);
$conpassword= ($_POST['password2']);
$firstname = ($_POST['firstname']);
$lastname = ($_POST['lastname']);
$email = ($_POST['email']);
$submit = ($_POST['submit']);
$date = date("Y-m-d");
//Reigstration Form
$register = "<div id='registration'>
<h2>Register Here!</h2>
<form action='register.php' method='post'>
<table>
<tr>
<td>
Username
</td>
<td>
<input type='text' name='username' value='$username' >
</td>
</tr>
<tr>
<td>
Password
</td>
<td>
<input type='password' name ='password'>
</td>
</tr>
<tr>
<td>
Confirm Password
</td>
<td>
<input type='password' name ='password2'>
</td>
</tr>
<tr>
<td>
Firstname
</td>
<td>
<input type='text' name='firstname' value='$firstname'>
</td>
</tr>
<tr>
<td>
Lastname
</td>
<td>
<input type='text' name='lastname' value='$lastname' >
</td>
</tr>
<tr>
<td>
Email
</td>
<td>
<input type='text' name='email' value= '$email' >
</td>
</tr>
<tr>
<td>
<input type='submit' class='button' name='submit' value='Sign Up'>
</td>
</tr>
</table>
</form>
</div>";
echo $register;
//Check to make sure user has submitted the correct details
echo "<div id='regform'>";
if (isset($submit))
{
//Querying the database for if the username already exists
$sql = "SELECT * FROM user WHERE username = '$username'";
$query = mysql_query($sql);
$numrows = mysql_num_rows($query);
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if (strlen($username)<2)
{
echo ("<br>You must enter a longer username</br>");
exit;
}
elseif (strlen($username) > 25)
{
echo ("You must enter a shorter username<br>");
exit;
}
if ($username==$dbusername)
{
echo ("That username already exists!");
exit;
}
elseif (strlen($password)<6)
{
echo ("<br>'Password must be be between 6 & 26 characters'<br>");
exit;
}
if ($password != $conpassword)
{
echo ("<br>Your passwords dont match<br>");
exit;
}
elseif (strlen($firstname)<=0)
{
echo ("<br>You must enter your firstname<br>");
exit;
}
if (strlen($lastname)<=0)
{
echo ("<br>You must enter your lastname<br>");
exit;
}
elseif (!preg_match('/@/',$email) || (strlen($email)<=6) )
{
echo ("</br>You must enter a proper email address!");
exit;
}
if (!isset($password))
{
echo "You must enter a password!";
exit;
}
elseif (!isset($conpassword))
{
echo ("You must confirm your password");
exit;
}
else
{
//Encrypt the password
$password = md5($password);
$conpassword = md5($conpassword);
//Start Session
session_start();
//push this information to the database
//Submit data to database plus store exec into variable.
$sqlsubmit ="INSERT INTO user VALUES ('','$firstname','$lastname','$username','$password','$email','$date',)";
mysql_query($sqlsubmit);
//echo success.
echo "successfully submitted to the database"."<br>"."<a href='user.php'>Click Here To Go To Your Accont</a>";
exit;
}
}
elseif(!isset($submit))
{
echo "</br>"."Enter your info here!!!!! :))";
}
echo "</div>";
?>
更新:正如Quassnoi微妙地指出的,您迫切需要保护您的输入。请参阅PHP手册中的章节
查询失败,因为行末尾有一个额外的逗号:
$sqlsubmit ="INSERT INTO user VALUES
('','$firstname','$lastname','$username','$password','$email','$date',)";
用于查找此类错误
此外,无论查询是否失败,都会输出成功消息。
您要添加一个条件:
if (mysql_query($sqlsubmit))
echo "successfully submitted ...";
else
echo "error submitting ..... ".mysql_error();
佩卡在评论中也提到了这一点。。。但由于这一点非常重要,我将在单独的(社区维基)回答中重复:
此代码容易受到最恶劣类型的SQL注入攻击。
你的代码绝对不安全。不应该使用它,不可能有任何借口。在继续之前,请先阅读和
提示:如果你在回答这样一个问题时嵌入这张图片,你总是会得到更多的分数:@Tapha不客气。还可以查看我编辑过的答案@卡斯努伊,你当然是对的:)这是我最后的else语句吗?另外,当用户单击“转到我的帐户链接”时,我可以将会话启动放在何处?再次感谢mate!。感谢您提供有关sql攻击风险的提示。我现在正在修理@Tapha该块将替换mysql_query()语句和随后的“success”echo。后者我不知道,但session_start()始终属于脚本的负责人。