作为如何使用预处理语句(prepared statements)的示例,您可以使用以下代码(顺便说一句,这段代码未经测试)
在原始代码中,您在输出 HTML 之后才发送 HTTP 头(header) – 除非使用输出缓冲,否则这会导致错误;因此我把所有相关的 PHP 代码移到了生成任何 HTML 内容之前,并在之后输出可能产生的错误信息.
我还注意到 mysqli 连接的参数没有加引号 – 如果这些参数是已定义的常量,那没有问题,否则同样会产生错误.
请继续使用 mysqli 或 PDO – 采用我在这里试图展示的预处理语句,可以更好地保护您的站点免受恶意用户的攻击.
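require_once("functions.php");
require_once("db-const.php");
session_start();

/* Someone who already has a session has no use for the registration form. */
if (logged_in()) {
    redirect_to("profile.php");
}

/* Collected here and printed by the HTML part of the page, after all header() calls. */
$errors = array();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (isset($_POST['username'], $_POST['password'], $_POST['first_name'], $_POST['last_name'], $_POST['email'])) {
        /*
         * isset() only proves the field was submitted. Normalise every field to a string:
         * a non-string (e.g. username[]=x) becomes '', text fields are trimmed, and the
         * password is kept byte-for-byte. Blank strings are then treated as "not filled in";
         * comparing with '' instead of empty() keeps a legitimate value of "0".
         */
        $values = array();
        foreach (array('username', 'password', 'first_name', 'last_name', 'email') as $field) {
            $raw = is_string($_POST[$field]) ? $_POST[$field] : '';
            $values[$field] = $field === 'password' ? $raw : trim($raw);
        }

        if (in_array('', $values, true)) {
            $errors[] = 'Please fill in all details';
        } else {
            $username   = $values['username'];
            $first_name = $values['first_name'];
            $last_name  = $values['last_name'];
            $email      = $values['email'];

            /*
             * Salted, deliberately slow hash instead of a bare sha256, which is fast to
             * brute-force and identical for identical passwords. checklogin.php must then
             * check the stored value with password_verify(); the `password` column needs
             * room for the hash (255 chars is the usual advice, since the algorithm behind
             * PASSWORD_DEFAULT can change between PHP releases).
             */
            $password = password_hash($values['password'], PASSWORD_DEFAULT);

            $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
            if ($mysqli->connect_errno) {
                /* Driver messages go to the log; the visitor only sees a generic line so
                   host names and credentials never reach the browser. */
                error_log('register: ' . $mysqli->connect_error);
                $errors[] = 'Sorry, the service is unavailable right now.';
            } else {
                $stmt = $mysqli->prepare('select username from users where username=?');
                if ($stmt === false) {
                    error_log('register: ' . $mysqli->error);
                    $errors[] = 'Sorry, the service is unavailable right now.';
                } else {
                    $stmt->bind_param('s', $username);
                    $stmt->execute();
                    /* store_result() makes num_rows usable and leaves no pending rows behind,
                       so the insert below can be prepared without "commands out of sync". */
                    $stmt->store_result();
                    $taken = $stmt->num_rows > 0;
                    $stmt->close();

                    if ($taken) {
                        /* username is already taken */
                        $errors[] = 'Sorry, that username is already in use.';
                    } else {
                        $sql  = 'insert into `users` (`username`,`password`,`first_name`,`last_name`,`email`) values (?,?,?,?,?);';
                        $stmt = $mysqli->prepare($sql);
                        if ($stmt === false) {
                            error_log('register: ' . $mysqli->error);
                            $errors[] = 'Sorry, the service is unavailable right now.';
                        } else {
                            $stmt->bind_param('sssss', $username, $password, $first_name, $last_name, $email);
                            if ($stmt->execute()) {
                                $stmt->close();
                                $mysqli->close();
                                /* The message is URL-encoded so the Location header is well formed;
                                   exit stops the rest of the page from being rendered after the redirect. */
                                header('Location: checklogin.php?msg=' . rawurlencode('Registered Successfully!'));
                                exit;
                            }
                            /* Two requests can both pass the select above at the same moment; with a
                               UNIQUE index on username the second insert fails with MySQL error 1062,
                               which is reported exactly like the ordinary "taken" case. */
                            if ($stmt->errno === 1062) {
                                $errors[] = 'Sorry, that username is already in use.';
                            } else {
                                error_log('register: ' . $stmt->error);
                                $errors[] = 'Sorry, the service is unavailable right now.';
                            }
                            $stmt->close();
                        }
                    }
                }
                $mysqli->close();
            }
        }
    } else {
        $errors[] = 'Please fill in all details';
    }
}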
?>
Prospekt Member AreaRegister Here
© Kirk Niverba
Username:
Password:
First name:
Last name:
Email:
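if (!empty($errors)) {
    /* Escape every message on output so nothing stored in $errors is interpreted as markup
       by the browser; the messages are joined one per line as before. */
    $escaped = array_map(
        function ($message) {
            return htmlspecialchars((string) $message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $errors
    );
    echo implode("\n", $escaped);
}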
?>