1

我正在使用以下数据库编写一个基本的 PHP 注册脚本:

DROP TABLE IF EXISTS authentication;
CREATE TABLE authentication (
    userID SERIAL UNIQUE REFERENCES users(userID),
    eMail TEXT PRIMARY KEY REFERENCES users(eMail),
    passwordSalt TEXT,
    hashedSalt TEXT,
    saltText TEXT,
    securityAnswer1 TEXT,
    securityAnswer2 TEXT, 
    securityAnswer3 TEXT
);

和以下注册脚本:

<?php
  include 'https.php';

  //Create a connection to the database. If the connection fails, kill the
  //process and issue an error message
  $conn = pg_connect("host=localhost user=myusername password=mypassword dbname=mydatabase");
  if (!$conn) {
    die("Failed to connect to database.");
  }

  //If the register button is pressed..
  if (isset($_POST['submit'])) {
    //Check to make sure password+confirmation match. If not, error out.
    if ($_POST['password'] != $_POST['confirm-password']) {
      echo 'ERROR: passwords do not match<br />';
      echo 'Return to <a href="registration.php">registration</a> page.<br />';
      break;
    }

    //Then check to make sure the username doesn't already exist in the DB.
    $result = pg_prepare($conn, "duplicateUser", 'SELECT username FROM mydatabase.users WHERE username = $1');
    $result = pg_execute($conn, "duplicateUser", array($_POST['username']));
    $row = pg_fetch_assoc($result);

    //If it already exists, set match to true.
    foreach ($row as $res) {
      if ($res == $_POST['username'])
        $match = true;
    }

    //If match is true, error out.
    if ($match == true) {
      echo 'ERROR: username already in use<br />';
      echo 'Return to <a href="registration.php">registration</a> page.<br />';
      $match = false;
      break;
    }
  }
?>

<html>
<head>
<title>Registration page</title>
</head>
<body>
<form method='POST' action='registration.php'>
Username (e-mail): <input type='text' name='username' /><br />
Password: <input type='password' name='password' /><br />
Confirm password: <input type='password' name='confirm-password' /><br />
<input type='submit' name='submit' value='Register' /><br />
</form>
Return to <a href='index.php'>login</a> page.<br />

</body>
</html>

<?php

  //If the registration button is pressed..
  if (isset($_POST['submit'])) {
    //Take the username and password, salt the password using an SHA1
    //encryption of a random number, concatenate the password to the
    //beginning of the salt, then save the SHA1 of that concatenation
    //as the hashed and salted password.
    $username = $_POST['username'];
    $confirmusername = $_POST['confirm-username'];
    $password = $_POST['password'];
    $confirmpassword = $_POST['confirm-password'];
    if ($username != $confirmusername)
        echo "Please make sure your username is consistent.";
    if ($password != $confirmpassword)
        echo "Please make sure your passwords match.";

    $salt = sha1(rand());
    $saltedPass = $password.$salt;
    $hashedSalt = sha1($saltedPass);

    //Store the username, hashed+salted password, and salt in the
    //authentication table.
    $result = pg_prepare($conn, "authentication", 'INSERT INTO mydatabase.authentication VALUES ($1, $2, $3)');
    $result = pg_execute($conn, "authentication", array($username, $salt, $hashedSalt));

    //Start the session, set the $_SESSION variables loggedin to true and
    //username to the supplied username, then redirect to index.php
    session_start();
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;
    header("Location: index.php");
  }
?>

但是当我进入 PHPpgAdmin 时,这些行还没有被插入到数据库中。有任何想法吗?

谢谢。

4

2 回答 2

1

The code should test the result of pg_prepare and pg_execute, and show or log pg_last_error() on error. Otherwise you're in the dark on any problem.

Also, since it connects to a database named mydatabase and refers to tables as mydatabase.tablename, it can be reasonably suspected that you're applying this MySQL thing of prepending the database name to the table name. It doesn't apply to Postgres. The databases of MySQL are the equivalent of schemas in PostgreSQL.

So unless you have explicitly created a postgres schema named mydatabase, try without any prefix:

INSERT INTO authentication VALUES ($1, $2, $3)

This also apply to the previous SELECT that probably fails for the same reason, and it also lacks error checking.

于 2013-07-13T22:02:23.067 回答
1

首先想到的是您需要显式提交事务。这个答案似乎证实了 Postgres 没有自动提交。

于 2013-07-13T19:49:11.393 回答