0

我正在做一个注册脚本。这就是我所做的

连接.php

<?php

$Connessione = mysql_connect('localhost','root','');
$Database = mysql_select_db('my_database');

if(!$Connessione) {
    echo "Errore di connessione: ".mysql_error;
}
else { 
echo "";
}

?>

注册.php

<html>
 <head>
    <title>Registrati o loggati</title>
    <meta charset="utf-8">
 </head>
 <body>
    <h1>Sei nuovo? Registrati! Sei già registrato? Loggati!</h1>
    <form action="full.php" name="registrazione" method="post">
        NickName (Massimo 10 caratteri): <input type="text" name="nickname" maxlenght="10" required/>
        <br><br>
        Password: <input type="password" name="psw" required/><br>
        <input type="submit" value="Registrati" name="registrati"/>
    </form>
 </body>
</html>

完整的.php

<?php
   include('connect.php');

    if(isset($_POST['registrati'])) {       
        $Username = $_POST['nickname'];
        $Password = md5($_POST['password']);
        $Escape = mysql_real_escape_string($Username);
        $Query = "INSERT INTO sito (user, password) VALUES($Escape, $Password)";
        $Esecuzione = mysql_query($Query);

        if(!$Esecuzione) {
            echo "Errore: ".mysql_error();
        } else { 
            echo "";
        }
    }
?>

当我运行它并单击按钮时告诉我(例如在 nikcname 中,我输入了“John”)错误:“字段列表”中的“John”列未知。为什么?此代码对 SQL 注入开放?谢谢

4

2 回答 2

3

我相信您需要像这样引用您的价值观:

$Query = "INSERT INTO `sito` (`user`, `password`) VALUES('$Escape', '$Password')";

此外,您可能想要签出mysqliPDO不使用mysql_*函数。

于 2013-08-25T05:20:09.570 回答
0

希望你能检查一下。让我们将您的MySQL代码转换为MySQLiMySQL已被弃用。

连接.php

<?php

$con=mysqli_connect("localhost","root","","my_database");

if(mysqli_connect_errno()){

echo "Error".mysqli_connect_error();
}

?>

完整的.php

<?php
   include('connect.php');

   if(isset($_POST['registrati'])) {       
        $Username = $_POST['nickname'];
        $Password = md5($_POST['password']);
        $Escape = mysql_real_escape_string($Username);

        /* START OF CHECK IF INPUT IS ALREADY IN DATABASE */

        $result=mysqli_query($con,"SELECT * FROM sito WHERE user='$Escape'");

        if(mysqli_num_rows($result)==0){ /* IF USERNAME HASN'T TAKEN YET */

        mysqli_query($con,"INSERT INTO sito (user, password) VALUES ('$Escape','$Password')");

        }

        else {
        echo $Escape." is already taken.";
        }

   } /* END OF ISSET REGISTRATI */
 ?>
于 2014-03-27T06:13:27.070 回答