0

我在我的网站上创建了一个注册表单,应该在名为 mayan_users 的数据库中注册用户,但是当我在表单中输入详细信息并提交时,出现“查询错误”,任何人都可以看到我可能在哪里犯了错误?我已经包含了下面的代码。谢谢。

<?php
     include("dbconnect.php");
     $firstname=$_POST['first_name'];
     $lastname=$_POST['last_name'];
     $address=$_POST['address'];
     $postcode=$_POST['postcode'];
     $emailaddress=$_POST['emailaddress'];
     $password=$_POST['password'];
     $query = "select emailaddress FROM mayan_users  where emailaddress='$emailaddress'";
      $link = mysql_query($query);
     if (!$link) {
      die('query error');
     }
     $num=mysql_num_rows($link);
     if ($num>0){
      die('email already exists'); //email already taken
     }
     $query = "insert into mayan_users (firstname, lastname, address, postcode, emailaddress, password) values('$firstname','$lastname','$address','$postcode', '$emailaddress','$password')";
     $link = @ mysql_query($query);
     if (!$link) {
      die('table write error');
     }
     ?>
4

2 回答 2

0

只需尝试以下方法。,

HTML部分:

<form action="" method="post" name="register">
<table>
<tr><td>First Name</td><td><input type="text" name="first_name" /></td></tr>
<tr><td>Last Name</td><td><input type="text" name="last_name" /></td></tr>
<tr><td>Address</td><td><input type="text" name="address" /></td></tr>
<tr><td>Postal Code</td><td><input type="text" name="postcode" /></td></tr>
<tr><td>Email</td><td><input type="text" name="emailaddress" /></td></tr>
<tr><td>Password</td><td><input type="password" name="password" /></td></tr>
<tr><td colspan="2" align="center"><input type="submit" name="register" value="Register" /></td></tr>
</table>
</form>

PHP部分:

<?php
$con = mysql_connect("localhost","root","") or die(mysql_error());
$select_db = mysql_select_db("mayan",$con);
if(isset($_POST['register']))
{
     $firstname = mysql_real_escape_string($_POST['first_name']);
     $lastname = mysql_real_escape_string($_POST['last_name']);
     $address = mysql_real_escape_string($_POST['address']);
     $postcode = mysql_real_escape_string($_POST['postcode']);
     $emailaddress = mysql_real_escape_string($_POST['emailaddress']);
     $password = mysql_real_escape_string($_POST['password']);

     $query = "select emailaddress FROM mayan_users where emailaddress='$emailaddress'";
     $link = mysql_query($query)or die(mysql_error());
     $num = mysql_num_rows($link);

     if ($num>0){
      echo 'Email already exists'; //email already taken
     }

     else {
     $insert_query = "insert into `mayan_users`(`firstname`,`lastname`,`address`,`postcode`,`emailaddress`,`password`) values('$firstname','$lastname','$address','$postcode','$emailaddress','$password')";
     $result = mysql_query($insert_query)or die(mysql_error());
     echo "Registered Successfully!";
     }
}
?>

MySQL表结构:

CREATE TABLE IF NOT EXISTS `mayan_users` (
  `uid` int(11) NOT NULL AUTO_INCREMENT,
  `firstname` varchar(255) NOT NULL,
  `lastname` varchar(255) NOT NULL,
  `address` varchar(255) NOT NULL,
  `postcode` varchar(255) NOT NULL,
  `emailaddress` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL,
  PRIMARY KEY (`uid`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

我认为这可以帮助您解决问题。

于 2013-01-05T19:31:32.243 回答
-1

首先,您需要知道您的代码容易受到 SQL 注入的影响。您收到“查询错误”错误的原因可能是 $_POST['emailaddress'] 值中的输入格式。

还要确保您不在数据库中存储明文密码。如果网站/应用程序被黑客入侵,黑客可以很容易地收集密码。

如果您不希望从发布数据中删除 HTML,请删除 ipSafe 函数。

我建议你这样做:我添加了一些基本的安全性。请阅读有关功能和mysql_real_escape_stringwww.php.net内容。htmlspecialchars

$firstname = ipSafe($_POST['firstname']);
$lastname = ipSafe($_POST['lastname']);
$address = ipSafe($_POST['address']);
$postcode = ipSafe($_POST['postcode']);
$emailaddress = ipSafe($_POST['emailaddress']);
$password = $_POST['password']; // please use encryption! :(

$sql = "
    SELECT `emailaddress`
    FROM `mayan_users`
    WHERE `emailaddress` = '".dbSafe($emailaddress)."'
    LIMIT 1;
";

if ( ($query = mysql_query($sql)) && (mysql_num_rows($query) < 1) )
{
    $sqlinsert = "
        INSERT INTO `mayan_users`(
            `firstname`, 
            `lastname`, 
            `address`, 
            `postcode`, 
            `emailaddress`, 
            `password`
        )
        VALUES (
            '".dbSafe($firstname)."', 
            '".dbSafe($lastname)."', 
            '".dbSafe($address)."', 
            '".dbSafe($postcode)."', 
            '".dbSafe($emailaddress)."', 
            '".dbSafe($password)."'
        )
    ";

    if (mysql_query($sqlinsert))
    {
        print "User added.";
    }
    else
    {
        print "Something went wrong: ".mysql_error();
    }
}
else
{
    // email exists in database or error
    if (mysql_errno() > 0)
    {
        print "An error occured: ".mysql_error();
    }
}

function dbSafe ($string)
{
    if (get_magic_quotes_gpc())
    {
        $string = stripslashes($string);
    }

    return mysql_real_escape_string($string);
}

function ipSafe($string)
{
    return htmlspecialchars(strip_tags($string));
}
于 2013-01-05T18:53:19.617 回答