我的PHP注册表不起作用
我正在尝试创建一个注册表单,并在表单上传入我的PHP注册表不起作用,php,html,Php,Html,我正在尝试创建一个注册表单,并在表单上传入mysqli\u real\u escape\u string和salt。但是由于某些原因,我的代码无法继续。即使我在表单上输入正确的信息,它也不会正确地处理它。基本上我创建了一个函数来进行验证 这是我的密码: <?php session_start(); require("new-connection.php"); global $connection; $first_name = mysqli_real_escape_stri
mysqli\u real\u escape\u stringsalt<?php
session_start();
require("new-connection.php");
global $connection;
$first_name = mysqli_real_escape_string($connection, $_POST['first_name']);
$last_name = mysqli_real_escape_string($connection, $_POST['last_name']);
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$salt = bin2hex(openssl_random_pseudo_bytes(22));
$encrypted_password = md5($password . '' . $salt);
if(isset($_POST['action']) && ($_POST['action']) == 'register'){
//call to function
register_user($_POST); //use the ACTUAL POST
}
elseif(isset($_POST['action']) && ($_POST['action']) == 'login'){
login_user($_POST);
}else{
session_destroy();
header('Location: homepage.php');
die();
}
function register_user(){ //just a parameter called post
$_SESSION['errors'] = array();
if(empty($first_name)){
$_SESSION['errors'][] = "first name can't be blank!";
}
if(empty($last_name)){
$_SESSION['errors'][] = "last name can't be blank!";
}
if(empty($password)){
$_SESSION['errors'][] = "password is required!";
}
if($password != $post['confirm_password']){
$_SESSION['errors'][] = "passwords must match!";
}
if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
$_SESSION['errors'][] = "please use a valid email address!";
}
//end of validation
//now count errors
if(count($_SESSION['errors']) > 0){
header('Location: homepage.php');
die();
}else{
$query = "INSERT INTO users(first_name, last_name, password, email, created_at, updated_at)
VALUES ('$first_name', '$last_name','$password', '$email', NOW(), NOW())";
$result = run_mysql_query($query);
$_SESSION['message'] = "user successfully added";
header('Location: homepage.php');
die();
}
}
function login_user($post){ //just a parameter called post
$query = "SELECT * FROM users WHERE users.password = '{$post['password']}'
AND users.email = '{$post['email']}'";
$user = fetch($query); //go and grab all users on above condition
if(count($user) > 0){
$_SESSION['user_id'] = $user[0]['id'];
$_SESSION['first_name'] = $user[0]['first_name'];
$_SESSION['logged_in'] = true;
header('Location: success-homepage.php');
die();
}else{
$_SESSION['errors'][] = "cant find users";
header('Location: homepage.php');
die();
}
}
?>
什么是错误?如果您有白色页面,请在页面顶部插入:
error_reporting (E_ALL);
ini_set('display_errors',1);
<?php
session_start();
require("new-connection.php");
global $connection;
$first_name = mysqli_real_escape_string($connection, $_POST['first_name']);
$last_name = mysqli_real_escape_string($connection, $_POST['last_name']);
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$salt = bin2hex(openssl_random_pseudo_bytes(22));
$encrypted_password = md5($password . '' . $salt);
if(isset($_POST['action']) && ($_POST['action']) == 'register'){
//call to function
register_user($firstname, $last_name, $email, $password, $salt, $encrypted_password); //use the ACTUAL POST // Cant only use post because isn't escaped
}
elseif(isset($_POST['action']) && ($_POST['action']) == 'login'){
login_user($email, $password);
}else{
session_destroy();
header('Location: homepage.php');
die();
}
function register_user($firstname, $last_name, $email, $password, $salt, $encrypted_password){ // Pass all escaped variables here becasue the $_POST isn't escaped
$_SESSION['errors'] = array();
if(empty($first_name)){
$_SESSION['errors'][] = "first name can't be blank!";
}
if(empty($last_name)){
$_SESSION['errors'][] = "last name can't be blank!";
}
if(empty($password)){
$_SESSION['errors'][] = "password is required!";
}
if($password != $post['confirm_password']){
$_SESSION['errors'][] = "passwords must match!";
}
if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
$_SESSION['errors'][] = "please use a valid email address!";
}
//end of validation
//now count errors
if(count($_SESSION['errors']) > 0){
header('Location: homepage.php');
die();
}else{
// Add backticks around column and table names to prevent mysql reserved words error
$query = "INSERT INTO `users` (`first_name`, `last_name`, `password`, `email`, `created_at`, `updated_at`)
VALUES ('$first_name', '$last_name','$password', '$email', NOW(), NOW())";
$result = mysqli_query($connection, $query);
$_SESSION['message'] = "user successfully added";
header('Location: homepage.php');
die();
}
}
function login_user($email, $password){ //just a parameter called post
// No need to add table name
$query = "SELECT * FROM `users` WHERE `password` = '$password'
AND `email` = '$email'";
$result = mysqli_query($connection, $query);
if(mysqli_num_rows($result) >= 1) {
$user = mysqli_fetch_assoc($result); //go and grab all users on above condition
// Check if there was atleast 1 user with the specified credentials
if(count($user) >= 1){
$_SESSION['user_id'] = $user['id'];
$_SESSION['first_name'] = $user['first_name'];
$_SESSION['logged_in'] = true;
header('Location: success-homepage.php');
die();
}else{
$_SESSION['errors'][] = "cant find users";
header('Location: homepage.php');
die();
}
} else {
echo 'no user was found';
}
}
?>
哪里定义了run\u mysql\u query
?它不是标准的PHP。register\u user()函数不知道$first\u name等是什么,除非您将它们设置为全局,或者将它们作为参数传递。您尚未发布实际执行查询的代码。这里没有试图检查MYSQL调用中的任何错误,所以我假设代码是相同的。如果没有正确的错误检查,您将无法知道发生了什么错误。请阅读有关SQL注入和PDO@MarcelBurkhard由于OP显然没有使用OOP,为什么即使考虑使用PDO,一个更明智的步骤就是使用mysqli OOP,但是mysqli\u*
仍然比mysql\u*
好。他正在逃避用户输入,但他也会通过将$\u POST
传递给函数来破坏它。这可能行得通,也可能行不通。它只是一个代码转储,没有试图解释你改变了什么(如果有的话)或者为什么,那么你还没有把注释写出来