PHP脚本似乎已经开始自己创建SQL条目
好的,我有一个非常奇怪的问题,我不能提供一个好的答案,因为我不知道发生了什么 以下问题发生在 我为我的游戏编程和Web应用程序类创建了一个portfolio网站,作为其中的一部分,我们必须包括一个讨论板,它实现了HTML5表单、PHP和MySQL的使用。我的大部分工作都很出色,只是偶尔会创建一个没有任何信息的新帐户(我不认为是个人创建的) 我的用户SQL表是使用以下脚本创建的:PHP脚本似乎已经开始自己创建SQL条目,php,mysql,Php,Mysql,好的,我有一个非常奇怪的问题,我不能提供一个好的答案,因为我不知道发生了什么 以下问题发生在 我为我的游戏编程和Web应用程序类创建了一个portfolio网站,作为其中的一部分,我们必须包括一个讨论板,它实现了HTML5表单、PHP和MySQL的使用。我的大部分工作都很出色,只是偶尔会创建一个没有任何信息的新帐户(我不认为是个人创建的) 我的用户SQL表是使用以下脚本创建的: <?php require('conLocal.php'); $query = 'create table
<?php
require('conLocal.php');
$query = 'create table user (
UserID INT AUTO_INCREMENT Primary Key UNIQUE,
secLevel INT DEFAULT 1,
email VARCHAR(25) UNIQUE,
username VARCHAR(15) UNIQUE,
Password VARCHAR(64),
rname VARCHAR(35),
dateOfAction timestamp DEFAULT CURRENT_TIMESTAMP,
DateActive timestamp);';
if ($con->query ( $query )) {
echo '<h2>User Table created</h2>';
} else {
echo '<h2>Error creating table: ' . $con->error . ' ' . $con->errno . '</h2>';
}
$con->close();
?>
<form method="post" action="genUser.php">
<fieldset>
<legend>Register</legend>
<label>Username</label>
<input type="text" name="username" required /><br />
<label>Password</label>
<input type="password" name="Password" id="pass1" minlength="8" required /><br />
<label>Re-enter Password</label>
<input type="password" name="Password2" id="pass2"
minlength="8" required />
<label>Full Name</label>
<input type="text" name="rname" pattern="[a-zA-z]+[\w]{1}[a-zA-z]+"/><br />
<label>Email</label>
<input type="email" name="email" required /><br />
<input type="Submit" value="Submit" style="width: 50%;"/>
</fieldset>
</form>
登记
用户名
密码
重新输入密码
全名
电子邮件
<?php
require ('conLocal.php');
$email = HTMLSPECIALCHARS ( $_POST ['email'] );
$username = HTMLSPECIALCHARS ( $_POST ['username'] );
$Password = HTMLSPECIALCHARS ( $_POST ['Password'] );
$Password = md5 ( $Password );
$rname = HTMLSPECIALCHARS ( $_POST ['rname'] );
$sql = 'insert into user (email, username, Password, rname) values (?,?,?,?)';
$query = $con->prepare ( $sql );
$query->bind_param ( 'ssss', $email, $username, $Password, $rname );
if ($query->execute ()) {
$message = "New account created for " . $rname;
$sql = 'insert into notifications (UserID, message) values ("1", ?)';
$query2 = $con->prepare ( $sql );
$query2->bind_param ( 's', $message );
if ($query2->execute ()) {
// header ( "Refresh: 2; registerlogin.php" );
} else {
echo '<h2>Error creating table: ' . $con->error . ' ' . $con->errno . ' Test 1</h2>';
}
$sql = "select * from user where username='".$username."' and Password='".$Password."'";
if ($result3 = $con->query($sql)) {
$row = $result3->fetch_assoc ();
$UserID = $row ['UserID'];
} else {
echo '<h2>Login Failure</h2><h4>Redirecting to register page...</h4>';
//header ( "Refresh: 1; registerlogin.php" );
}
$sql = 'insert into notifications (UserID, message) values (?,"Hello, I would like to thank you for taking the time out of your day to explore the full functionality of my website. If you would like, look around my projects page and play some of the games I have worked on. I recently launched the discussion board functionality of this site, so feel free to post and interact with other members of this site. ~ Stephen McIntosh")';
$query4 = $con->prepare ( $sql );
$query4->bind_param ( 'i', $UserID );
if ($query4->execute ()) {
//header ( "Refresh: 0; registerlogin.php" );
} else {
echo '<h2>Error: ' . $con->error . ' ' . $con->errno . ' Test 2</h2>';
}
include 'logUser.php';
} else {
echo '<h2>Error: ' . $con->error . ' ' . $con->errno . ' Test 3</h2>';
require 'registerlogin.php';
}
?>
如果看不到genUser.php
脚本的作用,就无法判断,但是:HTMLrequired
属性不会阻止任何人向服务器发布空数据
浏览器需要支持并强制执行所需的
,否则它什么也不做
提交表单时,将创建一个普通HTTP请求并发送到服务器您不需要浏览器来发送HTTP请求。HTTP请求可以通过一百万种不同的方式直接发送到您的服务器,而无需查看HTML表单,当然也无需注意required
属性
我的猜测是,一个机器人或搜索引擎蜘蛛碰巧击中了您的genUser.php
页面,该页面不进行数据验证,只插入一个空行
这里的解决方案是在尝试将数据保存到数据库之前验证服务器上的数据 如果不了解genUser.php
脚本的功能,就无法判断,但是:HTMLrequired
属性不会阻止任何人向服务器发布空数据
浏览器需要支持并强制执行所需的
,否则它什么也不做
提交表单时,将创建一个普通HTTP请求并发送到服务器您不需要浏览器来发送HTTP请求。HTTP请求可以通过一百万种不同的方式直接发送到您的服务器,而无需查看HTML表单,当然也无需注意required
属性
我的猜测是,一个机器人或搜索引擎蜘蛛碰巧击中了您的genUser.php
页面,该页面不进行数据验证,只插入一个空行
这里的解决方案是在尝试将数据保存到数据库之前验证服务器上的数据 无论何时调用脚本,无论从何处调用,它都将执行,默认情况下POST只是一个空白数组
虽然我建议进一步验证,但您至少可以将genUser.php中的代码包装在if(!empty($\u POST)){..}
if(!empty($_POST)){
require ('conLocal.php');
$email = HTMLSPECIALCHARS ( $_POST ['email'] );
$username = HTMLSPECIALCHARS ( $_POST ['username'] );
$Password = HTMLSPECIALCHARS ( $_POST ['Password'] );
$Password = md5 ( $Password );
$rname = HTMLSPECIALCHARS ( $_POST ['rname'] );
$sql = 'insert into user (email, username, Password, rname) values(?,?,?,?)';
$query = $con->prepare ( $sql );
$query->bind_param ( 'ssss', $email, $username, $Password, $rname );
if ($query->execute ()) {
$message = "New account created for " . $rname;
$sql = 'insert into notifications (UserID, message) values ("1", ?)';
$query2 = $con->prepare ( $sql );
$query2->bind_param ( 's', $message );
if ($query2->execute ()) {
// header ( "Refresh: 2; registerlogin.php" );
} else {
echo '<h2>Error creating table: ' . $con->error . ' ' . $con->errno . ' Test 1</h2>';
}
$sql = "select * from user where username='".$username."' and Password='".$Password."'";
if ($result3 = $con->query($sql)) {
$row = $result3->fetch_assoc ();
$UserID = $row ['UserID'];
} else {
echo '<h2>Login Failure</h2><h4>Redirecting to register page...</h4>';
//header ( "Refresh: 1; registerlogin.php" );
}
$sql = 'insert into notifications (UserID, message) values (?,"Hello, I would like to thank you for taking the time out of your day to explore the full functionality of my website. If you would like, look around my projects page and play some of the games I have worked on. I recently launched the discussion board functionality of this site, so feel free to post and interact with other members of this site. ~ Stephen McIntosh")';
$query4 = $con->prepare ( $sql );
$query4->bind_param ( 'i', $UserID );
if ($query4->execute ()) {
//header ( "Refresh: 0; registerlogin.php" );
} else {
echo '<h2>Error: ' . $con->error . ' ' . $con->errno . ' Test 2</h2>';
}
include 'logUser.php';
} else {
echo '<h2>Error: ' . $con->error . ' ' . $con->errno . ' Test 3</h2>';
require 'registerlogin.php';
}
}
if(!empty($\u POST)){
require('conLocal.php');
$email=HTMLSPECIALCHARS($_POST['email']);
$username=HTMLSPECIALCHARS($_POST['username']);
$Password=HTMLSPECIALCHARS($_POST['Password']);
$Password=md5($Password);
$rname=HTMLSPECIALCHARS($_POST['rname']);
$sql='插入用户(电子邮件、用户名、密码、rname)值(?、、?、?)';
$query=$con->prepare($sql);
$query->bind_参数('ssss',$email,$username,$Password,$rname);
如果($query->execute()){
$message=“为“$rname”创建的新帐户;
$sql='插入通知(用户ID、消息)值(“1”、?)';
$query2=$con->prepare($sql);
$query2->bind_参数('s',$message);
如果($query2->execute()){
//标题(“Refresh:2;registerlogin.php”);
}否则{
echo“创建表时出错:”.$con->Error.'.$con->errno.“测试1”;
}
$sql=“从用户名=”、“$username.”和密码=”、“$Password.”的用户中选择*;
如果($result3=$con->query($sql)){
$row=$result3->fetch_assoc();
$UserID=$row['UserID'];
}否则{
echo“登录失败重定向到注册页面…”;
//标题(“Refresh:1;registerlogin.php”);
}
$sql='插入通知(用户ID、消息)值(?,"您好,我想感谢您抽出一天的时间来探索我的网站的全部功能。如果您愿意,请查看我的项目页面并玩一些我参与过的游戏。我最近启动了此网站的讨论板功能,因此请随时发布此网站的其他成员并与之互动~斯蒂芬·麦金托什);
$query4=$con->prepare($sql);
$query4->bind_参数('i',$UserID);
如果($query4->execute()){
//标题(“Refresh:0;registerlogin.php”);
}否则{
回显“错误:”.$con->Error.“.$con->errno.“测试2”;
}
包括“logUser.php”;
}否则{
回显“错误:”.$con->Error.“.$con->errno.“测试3”;
需要“registerlogin.php”;
}
}
.任何时候调用脚本,无论从何处调用,它都将执行,默认情况下POST只是一个空白数组
虽然我建议进一步验证,但您至少可以将genUser.php中的代码包装在if(!empty($\u POST)){..}
if(!empty($_POST)){
require ('conLocal.php');
$email = HTMLSPECIALCHARS ( $_POST ['email'] );
$username = HTMLSPECIALCHARS ( $_POST ['username'] );
$Password = HTMLSPECIALCHARS ( $_POST ['Password'] );
$Password = md5 ( $Password );
$rname = HTMLSPECIALCHARS ( $_POST ['rname'] );
$sql = 'insert into user (email, username, Password, rname) values(?,?,?,?)';
$query = $con->prepare ( $sql );
$query->bind_param ( 'ssss', $email, $username, $Password, $rname );
if ($query->execute ()) {
$message = "New account created for " . $rname;
$sql = 'insert into notifications (UserID, message) values ("1", ?)';
$query2 = $con->prepare ( $sql );
$query2->bind_param ( 's', $message );
if ($query2->execute ()) {
// header ( "Refresh: 2; registerlogin.php" );
} else {
echo '<h2>Error creating table: ' . $con->error . ' ' . $con->errno . ' Test 1</h2>';
}
$sql = "select * from user where username='".$username."' and Password='".$Password."'";
if ($result3 = $con->query($sql)) {
$row = $result3->fetch_assoc ();
$UserID = $row ['UserID'];
} else {
echo '<h2>Login Failure</h2><h4>Redirecting to register page...</h4>';
//header ( "Refresh: 1; registerlogin.php" );
}
$sql = 'insert into notifications (UserID, message) values (?,"Hello, I would like to thank you for taking the time out of your day to explore the full functionality of my website. If you would like, look around my projects page and play some of the games I have worked on. I recently launched the discussion board functionality of this site, so feel free to post and interact with other members of this site. ~ Stephen McIntosh")';
$query4 = $con->prepare ( $sql );
$query4->bind_param ( 'i', $UserID );
if ($query4->execute ()) {
//header ( "Refresh: 0; registerlogin.php" );
} else {
echo '<h2>Error: ' . $con->error . ' ' . $con->errno . ' Test 2</h2>';
}
include 'logUser.php';
} else {
echo '<h2>Error: ' . $con->error . ' ' . $con->errno . ' Test 3</h2>';
require 'registerlogin.php';
}
}
if(!empty($\u POST)){
require('conLocal.php');
$email=HTMLSPECIALCHARS($_POST['email']);
$username=HTMLSPECIALCHARS($_POST['username']);
$Password=HTMLSPECIALCHARS($_POST['Password']);
$Password=md5($Password);
$rname=HTMLSPECIALCHARS($_POST['rname']);
$sql='insert