0

好的,我正在制作一个基于浏览器的口袋妖怪游戏,但我在制作它时遇到了麻烦,所以当用户注册到我的网站时,他们会获得一个他们选择的入门口袋妖怪。除了它为用户提供口袋妖怪的部分外,我已经完成了所有工作,现在它会将口袋妖怪输入数据库,但它不会将口袋妖怪提供给注册它的用户,因此将 belongsto 字段留空。我有点难以解释。

这是我的代码的一部分,它将数据输入到存储所有用户口袋妖怪的表中。

<?php

if ($_POST['starter'] == '1' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Bulbasaur','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '2' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Charmander','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '3' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Squirtle','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '4' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Chikorita','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '5' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Cyndaquil','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '6' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Totodile','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '7' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Treecko','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '8' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Torchic','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '9' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Mudkip','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '10' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Turtwig','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '11' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Chimchar','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '12' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Piplup','".$_SESSION['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}
?>

我想不通的是如何制作它,因此它采用用户注册的名称并将其替换为 .$_SESSION['username']。我知道这行不通,因为此人尚未登录,因为他们仍在注册。

这是我的表格。

<form action="" method="post">
        <div align="center">
          <ul>
            <p></p>
              Username* <br>
              <input type="text" name="username">

            <p></p>
              Password*<br>
              <input type="password" name="password">

            <p></p>
              Password again*<br>
              <input type="password" name="password_again">

            <p></p>
              First name<br>
              <input type="text" name="first_name">

            <p></p>
              Last name<br>
              <input type="text" name="last_name">

            <p></p>
              Email*<br>
              <input type="text" name="email">

            <p></p>
              Starter*<br>
              <select name="starter" id="" >
                <option value="1">Bulbasaur</option>
                <option value="2">Charmander</option>
                <option value="3">Squirtle</option>
                <option value="4">Chikorita</option>
                <option value="5">Cyndaquil</option>
                <option value="6">Totodile</option>
                <option value="7">Treecko</option>
                <option value="8">Torchic</option>
                <option value="9">Mudkip</option>
                <option value="10">Turtwig</option>
                <option value="11">Chimchar</option>
                <option value="12">Piplup</option>
              </select>

              <p></p>
              <input type="submit" value="Register">

            </ul>
          </div>
        <ul>
        </ul>
</form>

我很抱歉这个巨大的问题,但任何帮助将不胜感激:)

4

2 回答 2

1

伙计,看起来你真的是 PHP 新手,所以让我提供一些建议。

  1. 在查询中使用 $_POST/$_GET 值?不要那样做。永远不要相信用户。了解原因。

您必须假设您的访问者是一个疯狂的连环杀手,目的是破坏您的应用程序。你必须阻止它。

  1. 清理你的代码。正如其他人所建议的那样,循环/切换可能会对您有所帮助
  2. 也许对于您的项目来说还为时过早,但请尝试移动 OOP。(即使有时看起来有点矫枉过正,但缺点很低,优点很大)

顺便说一句,这应该可以解决问题,使用PDO

$dbh = new PDO('mysql:dbname=YOURDBNAME;host=localhost', $db_user, $db_passwd);
// Get the choosen starter pokemon
$starter = $_POST['starter'];
$pokemons = array(
    1 => 'Bulbasaur',
    2 => 'Charmander',
    //[.. and so on..]
);

// check if choosed pokemon is available
if(!in_array($starter, $pokemons))
{
    // Pokemon not available, throw exception, error, die(), whatever
}
else
{
    // Insert the pokemn into the db
    $insert = $dbh->prepare("INSERT INTO user_pokemon (pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES (:pokemon, :user, 100,:time ,1, 5 ,'Normal')");

    $user_name = $_POST['username']; // what about check the username? Sanitization, etc..

    if($insert->execute(array(':pokemon' => $pokemons[$starter], ':user' => $user_name, ':time' => time())))
    {
        // Success!
    }
    else
    {
        // Error!
        $error = $insert->errorInfo();
        print_r("There was an error: \ncode: %s\nmessage:%s", $error[1], $error[2]);
    }
}
于 2013-01-04T01:23:55.897 回答
0

您的代码有很多需要改进的地方。但这里有一个快速修复:

<?php

if ($_POST['starter'] == '1' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Bulbasaur','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '2' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Charmander','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '3' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Squirtle','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '4' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Chikorita','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '5' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Cyndaquil','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '6' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Totodile','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '7' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Treecko','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '8' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Torchic','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '9' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Mudkip','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '10' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Turtwig','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '11' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Chimchar','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}

if ($_POST['starter'] == '12' ) {
mysql_query("INSERT INTO user_pokemon 
(pokemon, belongsto, exp, time_stamp, slot, level,type) VALUES('Piplup','".$_POST['username']."', 100,'".time()."','1' ,'5','Normal' )
 ") or die(mysql_error());  
}
?>

这假设您的帖子是从您页面上的该表单提交的。就像别人说的,学习 PDO: http: //php.net/manual/en/book.pdo.php

您当前的代码容易发生 SQL 注入: http ://en.wikipedia.org/wiki/SQL_injection

这是不好的。

于 2013-01-04T01:03:24.247 回答