Php SQL正在提交0而不是实际值。还删除@和。在电子邮件地址中
下面的代码是我用来提交表单数据的代码。表单提交得很好,重定向时没有问题 当我查看数据库中的行数据时,我注意到companyname、firstname和lastname被作为0插入。我还注意到,当电子邮件地址被插入数据库时,它会删除@和。从地址 任何帮助都将不胜感激Php SQL正在提交0而不是实际值。还删除@和。在电子邮件地址中,php,mysql,forms,submit,Php,Mysql,Forms,Submit,下面的代码是我用来提交表单数据的代码。表单提交得很好,重定向时没有问题 当我查看数据库中的行数据时,我注意到companyname、firstname和lastname被作为0插入。我还注意到,当电子邮件地址被插入数据库时,它会删除@和。从地址 任何帮助都将不胜感激 <?php include("inc/conf.inc.php"); // Includes the db and form info. if (!isset($_POST['submit'])) { // If the fo
<?php
include("inc/conf.inc.php"); // Includes the db and form info.
if (!isset($_POST['submit'])) { // If the form has not been submitted.
} else { // The form has been submitted.
$companyname = form($_POST['companyname']);
$firstname = form($_POST['firstname']);
$lastname = form($_POST['lastname']);
$username = form($_POST['emailaddress']);
$password1 = md5($_POST['password1']); // Encrypts the password.
$password2 = md5($_POST['password2']);
if (($companyname == "") || ($firstname == "") || ($lastname == "") || ($username == "") || ($password1 == "") || ($password2 == "")) { // Checks for blanks.
exit("There was a field missing, please correct the form.");
}
$q = mysql_query("SELECT * FROM `users` WHERE emailaddress = '$username'") or die (mysql_error()); // mySQL Query
$r = mysql_num_rows($q); // Checks to see if anything is in the db.
if ($r > 0) { // If there are users with the same username/email.
exit("That email address is already in use!");
} else {
mysql_query("INSERT INTO `users` (companyname,firstname,lastname,emailaddress,password) VALUES ('$companyname','$firstname','$lastname','$username','$password1')") or die (mysql_error()); // Inserts the user.
header("Location: thankyou.php"); // Back to login.
}
}
mysql_close($db_connect); // Closes the connection.
?>
<?php
$db_user = ""; // Username
$db_pass = ""; // Password
$db_database = ""; // Database Name
$db_host = "localhost"; // Server Hostname
$db_connect = mysql_connect ($db_host, $db_user, $db_pass); // Connects to the database.
$db_select = mysql_select_db ($db_database); // Selects the database.
function form($data) { // Prevents SQL Injection
global $db_connect;
$data = preg_replace('/[^A-Za-z0-9_]/', '', $data);
$data = mysql_real_escape_string(trim($data), $db_connect);
return stripslashes($data);
}
?>
如果您注意到,您提到的字段由函数form()处理。您可能希望打印它们以检查form()函数的返回值 还有,不是支票
($companyname == "")
使用:
它检查的内容不仅仅是空字符串
以下内容被认为是空的:
“”(空字符串)
0(0作为整数)
0.0(0作为浮点数)
“0”(0作为字符串)
空的
假的
array()(空数组)
$var;(声明了一个变量,但没有值)
任何帮助都将不胜感激
让我从这里开始:)
对不起,但是
你的代码非常杂乱无章
让我们假设您的新配置(或库)文件与此文件类似:
文件:config.php
<?php
/**
*
* @param string $host Mysql host
* @param string $user Mysql username
* @param string $passw Mysql password
* @param string $db Mysql database to work with
* @return TRUE if could connect and select given database
*/
function connect($host ='ur host', $user='ur username', $passw='ur passw', $db='ur dbname'){
if ( !mysql_pconnect($host, $user, $passw) ){
die("Can't connect to SQL server");
}
if ( mysql_select_db($db) ){
die("Can't select database");
}
return true;
}
/**
* Determine whether user has been registered before
* @param string $email
* @return boolean
*/
function userAlreadyExists($username){
if ( connect() ) { //ensure we are connected
#Prevent injection right here:
$username = mysql_real_escape_string($username);
$result = mysql_query("SELECT * FROM `users` WHERE emailaddress = '$username' LIMIT 1");
if ( mysql_num_rows($result) > 0){
# True means that user exists
return true;
} else {
#False means that user do not exists:
return false;
}
}
/**
*
* @return boolean
* TRUE if could insert new row
* FALSE if this row already exists or error in sql server
*/
function addNewUser($companyname, $firstname, $lastname, $username, $password1){
$companyname = mysql_real_escape_string($companyname);
$firstname = mysql_real_escape_string($firstname);
$lastname = mysql_real_escape_string($lastname);
$username = mysql_real_escape_string($username);
$password1 = md5($password1);
if ( connect() ){
return mysql_query("INSERT INTO `users` (`companyname`,`firstname`,`lastname`,`emailaddress`,`password`) VALUES ('$companyname','$firstname','$lastname','$username','$password1')");
}
}
/**
* Function that compare password that makes sure
* if they're the same
*/
function pass_compare($pass1, $pass2){
if ($pass1 !== $pass2){
die("Passwords are not the same");
}
return true;
}
<?php
if ( !empty($_POST) ){ //This code runs when form has been submitted
//Maybe we should check if some value is missing, before we connect SQL //server!?
#Check if some field is missing:
foreach ($_POST as $key => $val){
if ( empty($key) ){
sprintf('The field %s is missing', $key);
die();
}
}
#connect mysql server
connect();
if (userAlreadyExists($_POST['email'])){
die(printf('The <b>%s</b> is already in use', $_POST['email']));
} else {
if ( pass_compare($_POST['password'], $_POST['password_confirm']) ){
addNewUser($_POST['companyname'], $_POST['firstname'], $_POST['lastname'], $_POST['username'], $_POST['password']);
}
}
}
这将对您起作用表单函数是什么样子的?
form()
函数正在做一些奇怪的事情,比如可能将字符串转换为整数(这会导致非数字字符串为0)。我可以看到SQL注入的一些可能性,您可能想看看您应该真正使用PDO和准备好的语句。其他注意事项:密码永远不会为空,md5(“”)仍将返回一个值。[更不用说md5不够强大,无法为一个严肃的项目加密密码]。另外,你没有比较password1和password2是相同的。我刚刚意识到查看我的数据库…那些列被设置为INT,而不是varchar修复了INT问题。这些列现在在提交时正确填充。
<?php
if ( !empty($_POST) ){ //This code runs when form has been submitted
//Maybe we should check if some value is missing, before we connect SQL //server!?
#Check if some field is missing:
foreach ($_POST as $key => $val){
if ( empty($key) ){
sprintf('The field %s is missing', $key);
die();
}
}
#connect mysql server
connect();
if (userAlreadyExists($_POST['email'])){
die(printf('The <b>%s</b> is already in use', $_POST['email']));
} else {
if ( pass_compare($_POST['password'], $_POST['password_confirm']) ){
addNewUser($_POST['companyname'], $_POST['firstname'], $_POST['lastname'], $_POST['username'], $_POST['password']);
}
}
}