0

下面的代码是我用来提交表单数据的代码。表单提交得很好并且重定向没有问题。

当我查看数据库中的行数据时,我注意到 companyname、firstname 和 lastname 被插入为 0。我还注意到,在将电子邮件地址插入数据库时​​,它正在删除 @ 和 . 从地址。

任何帮助,将不胜感激。

<?php
include("inc/conf.inc.php"); // Includes the db and form info.
if (!isset($_POST['submit'])) { // If the form has not been submitted.

} else { // The form has been submitted.
    $companyname = form($_POST['companyname']);
    $firstname = form($_POST['firstname']);
    $lastname = form($_POST['lastname']);
    $username = form($_POST['emailaddress']);
    $password1 = md5($_POST['password1']); // Encrypts the password.
    $password2 = md5($_POST['password2']);

    if (($companyname == "") || ($firstname == "") || ($lastname == "") || ($username == "") || ($password1 == "") || ($password2 == "")) { // Checks for blanks.
        exit("There was a field missing, please correct the form.");
    }

    $q = mysql_query("SELECT * FROM `users` WHERE emailaddress = '$username'") or die (mysql_error()); // mySQL Query
    $r = mysql_num_rows($q); // Checks to see if anything is in the db.

    if ($r > 0) { // If there are users with the same username/email.
        exit("That email address is already in use!");
    } else {
        mysql_query("INSERT INTO `users` (companyname,firstname,lastname,emailaddress,password) VALUES ('$companyname','$firstname','$lastname','$username','$password1')") or die (mysql_error()); // Inserts the user.
    header("Location: thankyou.php"); // Back to login.
    }
}
mysql_close($db_connect); // Closes the connection.
?>




   <?php
$db_user = ""; // Username
$db_pass = ""; // Password
$db_database = ""; // Database Name
$db_host = "localhost"; // Server Hostname
$db_connect = mysql_connect ($db_host, $db_user, $db_pass); // Connects to the database.
$db_select = mysql_select_db ($db_database); // Selects the database.

function form($data) { // Prevents SQL Injection
   global $db_connect;
   $data = preg_replace('/[^A-Za-z0-9_]/', '', $data);
   $data = mysql_real_escape_string(trim($data), $db_connect);
   return stripslashes($data);
}
?>
4

2 回答 2

1

如果您注意到,您提到的字段由函数 form() 处理。您可能希望打印它们以检查 form() 函数的返回值。

此外,代替支票,

  ($companyname == "")

采用 :

  empty($companyname)

它检查的内容不仅仅是空字符串。

以下内容被认为是空的:

""(一个空字符串)

0(0 为整数)

0.0(0 作为浮点数)

"0" (0 作为字符串)

空值

错误的

array() (一个空数组)

$var; (声明的变量,但没有值)

于 2012-10-10T02:58:13.757 回答
0

任何帮助,将不胜感激

所以让我从这个开始:) 对不起,但你的代码非常无组织......

假设您的新配置(或 lib)文件与此类似:

文件:config.php

<?php

/**
 * 
 * @param string $host Mysql host
 * @param string $user Mysql username
 * @param string $passw Mysql password
 * @param string $db Mysql database to work with 
 * @return TRUE if could connect and select given database
 */
function connect($host ='ur host', $user='ur username', $passw='ur passw', $db='ur dbname'){
  if ( !mysql_pconnect($host, $user, $passw) ){
     die("Can't connect to SQL server");
   }

  if ( mysql_select_db($db) ){
   die("Can't select database");
  }

 return true;
}

/**
 * Determine whether user has been registered before
 * @param string $email
 * @return boolean
 */
function userAlreadyExists($username){
   if ( connect() ) { //ensure we are connected
      #Prevent injection right here:
      $username = mysql_real_escape_string($username); 

      $result = mysql_query("SELECT * FROM `users` WHERE emailaddress = '$username' LIMIT 1");

      if ( mysql_num_rows($result) > 0){
         # True means that user exists
         return true;
       } else {
         #False means that user do not exists: 
        return false;
       }
   }

  /**
   * 
   * @return boolean
   * TRUE if could insert new row
   * FALSE if this row already exists or error in sql server
   */
  function addNewUser($companyname, $firstname, $lastname, $username, $password1){

  $companyname = mysql_real_escape_string($companyname);
  $firstname = mysql_real_escape_string($firstname);
  $lastname = mysql_real_escape_string($lastname);
  $username = mysql_real_escape_string($username);
  $password1 = md5($password1);

    if ( connect() ){
      return mysql_query("INSERT INTO `users`   (`companyname`,`firstname`,`lastname`,`emailaddress`,`password`) VALUES ('$companyname','$firstname','$lastname','$username','$password1')");

   }

  }

  /**
   * Function that compare password that makes sure
   * if they're the same
   */
  function pass_compare($pass1, $pass2){

    if ($pass1 !== $pass2){
       die("Passwords are not the same");
    }
    return true;
  }

文件handler.php

<?php

if ( !empty($_POST) ){ //This code runs when form has been submitted 

 //Maybe we should check if some value is missing, before we connect SQL //server!? 

  #Check if some field is missing:
  foreach ($_POST as $key => $val){

    if ( empty($key) ){
      sprintf('The field %s is missing', $key);
       die();
    }
  }

  #connect mysql server
  connect();

  if (userAlreadyExists($_POST['email'])){

    die(printf('The <b>%s</b> is already in use', $_POST['email']));

  } else {

   if ( pass_compare($_POST['password'], $_POST['password_confirm']) ){  

   addNewUser($_POST['companyname'], $_POST['firstname'], $_POST['lastname'], $_POST['username'], $_POST['password']);
    }
  }


}

这对你有用

于 2012-10-10T03:46:03.963 回答