0

我对 PHP 比较陌生,我正在尝试制作一个注册 + 登录系统。当我尝试将用户“用户名”和“密码”安全地插入我的数据库时,我遇到了一个问题。

我收到此错误:

http://puu.sh/2SUOg.png

我正在按照本指南...

如何防止 PHP 中的 SQL 注入?

..除非我是盲人并且我 30 分钟的搜索/谷歌搜索失败了,否则我的语法似乎是正确的?

有任何想法吗?

错误指向第 107 行。

<?php include('assets/repository/mysql.php') ?>

<?php
  /* 
  * -------------------------------------------------------------------------------------
  * -------------------- VARIABLE DECLARATION & SQL CONNECTION STUFF --------------------
  * -------------------------------------------------------------------------------------
  */

  // variable declaration from previous page (register/login page)
  $EMAIL                 = strtoupper($_POST["email"]);
  $PASSWORD              = $_POST["password"];
  $PASSWORD_CONFIRMATION = $_POST["passwordConfirmation"];
?>

<?php
  /*
  * -------------------------------------------------------------------------------------
  * ---------------------------- REGISTRATION FORM VALDIATION ---------------------------
  * -------------------------------------------------------------------------------------
  * loginerr=0 -> passwords don't match
  * loginerr=1 -> username already exists in DB
  * loginerr=2 -> registration is currently disabled
  * loginerr=3 -> password is too long and/or too short
  * loginerr=4 -> email isn't in proper format
  * loginerr=5 -> email is too long and/or too short
  */

  // ----- Do passwords match? loginerr=0 -----
  // Working 2013/05/13
  if($PASSWORD != $PASSWORD_CONFIRMATION){
    header('Location: http://127.0.0.1/login.php?loginerr=0') ;
    exit();
  }

  // ----- Does username already exist in the DB? loginerr=1 -----
  // Working 2013/05/13
  $findUserQuery = "SELECT * FROM `users` WHERE Email='".$EMAIL."'";
  $result = $dbConnection->query($findUserQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=1');
    exit();
  }

  // ----- Is registration currently allowed in the system? loginerr=2 -----
  // Working 2013/05/13
  $isRegistrationEnabledQuery = "SELECT * FROM `global_settings` WHERE Registration_enabled='0'";
  $result = $dbConnection->query($isRegistrationEnabledQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=2');
    exit();
  }

  // ----- Is password greater than 4 characters, less than 32 characters? loginerr=3 -----
  // Working 2013/05/13
  if(strlen($PASSWORD) > 32 || strlen($PASSWORD) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=3');
    exit();
  }

  // ----- Is email in proper format? (regex) loginerr=4 -----
  // Working 2013/05/13
  if(!filter_var($EMAIL, FILTER_VALIDATE_EMAIL)){
    header('Location: http://127.0.0.1/login.php?loginerr=4');
    exit();
  }

  // ----- Is email greater than 4 characters, less than 32 characters? loginerr=5 -----
  // Working 2013/05/13
  if(strlen($EMAIL) > 32 || strlen($EMAIL) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=5');
    exit();
  }
?>

<?php
  /*
  * -------------------------------------------------------------------------------------
  * ------------------------- PASSED ALL CHECKS - INSERT INTO DB ------------------------
  * -------------------------------------------------------------------------------------
  */

  //TODO: Hash password + salt + pepper?

  // Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
  $query = $dbConnection->prepare(
    'INSERT INTO users (
      EMAIL,PASSWORD
    ) VALUES (
      :email,:password
    )'
  );

  // Replacing the ":XXXXX" in the above statement with the actual values we want to insert
  $query->execute(array(':email' => $EMAIL, ':password' => $PASSWORD)) or die($dbConnection->error.__LINE__);

  // Perform the actual query; and if it returns false (AKA if there is an error), print the error
  /*if (!mysqli_query($dbConnection,$query)){
    die('Error: ' . mysqli_error($dbConnection));
  }*/

  // Never forget to close the connection, otherwise memory leaks will happen!
  mysqli_close($dbConnection);
?>

<?php include('header.php') ?>
<?php include('footer.php') ?>
4

1 回答 1

1

您似乎使用的是 PDO 语法而不是 mysqli。

从 Ln 替换。96 到 Ln。107 与

// Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
$query = 'INSERT INTO users (
            EMAIL, 
            PASSWORD
          ) VALUES (
            ?,
            ?
          )';

$stmt = $mysqli->prepare($query);    
$stmt->bind_param("ss", $EMAIL, $PASSWORD);    
$stmt->execute();
于 2013-05-13T22:46:46.640 回答