这个问题在这里已有答案:
一位老兄说我需要在我的代码中使用Prepared Statements,因为它比现在正在做的更安全,更好。
我已经只做了php / mysqli代码whitout Prepared Statements例如这是我的server.php代码之一
<?php
session_start();
// variable declaration
$username = "";
$email = "";
$errors = array();
$_SESSION['success'] = "";
// connect to database
$db = mysqli_connect('localhost', 'root', 'root', 'root');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
$steamid = mysqli_real_escape_string($db, $_POST['steamid']);
$age = mysqli_real_escape_string($db, $_POST['age']);
$rank = mysqli_real_escape_string($db, $_POST['rank']);
$scode = mysqli_real_escape_string($db, $_POST['scode']);
// form validation: ensure that the form is correctly filled
if (empty($username)) { array_push($errors, "Username is required"); }
if (empty($email)) { array_push($errors, "Email is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO users (username, usertype, email, password, steamid, age, rank, scode)
VALUES('$username', '$usertype', '$email', '$password', '$steamid', '$age', '$rank', '$scode')";
mysqli_query($db, $query);
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}
}
?>
我怎样才能使这段代码成为准备好的声明有人可以帮助我这个例子?我真的需要你的帮助,如果我得到这个代码的最终结果。准备好的声明我会理解如何使用它,并将更专注于重新编码我的代码(所有)
谢谢你的答案。
您可以使用PDO执行预准备语句,默认情况下这是PD的一部分。您的代码可能如下所示:
<?php
session_start();
// variable declaration
$username = "";
$email = "";
$errors = array();
$_SESSION['success'] = "";
// connect to database
$db = mysqli_connect('localhost', 'root', 'root', 'root');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
if (empty($_POST['username'])) { array_push($errors, "Username is required"); }
if (empty($_POST['email'])) { array_push($errors, "Email is required"); }
if (empty($_POST['password_1'])) { array_push($errors, "Password is required"); }
if ($_POST['password_1']!= $_POST['password_2']) {
array_push($errors, "The two passwords do not match");
}
// register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($_POST['password_1']);//encrypt the password before saving in the database
$pdo = new PDO('mysql:host=localhost;dbname=yourdbname', 'yourdbusername', 'yourdbpass');
$stmt = $pdo->prepare("INSERT INTO users (username, usertype, email, password, steamid, age, rank, scode) VALUES (:username, :usertype, :email, :password, :steamid, :age, :rank, :scode)");
$stmt->bindValue(':username', $_POST['username']);
$stmt->bindValue(':usertype', $_POST['usertype']);
$stmt->bindValue(':email', $_POST['email']);
$stmt->bindValue(':password', $_POST['password']);
$stmt->bindValue(':steamid', $_POST['steamid']);
$stmt->bindValue(':age', $_POST['age']);
$stmt->bindValue(':rank', $_POST['rank']);
$stmt->bindValue(':scode', $_POST['scode']);
$result = $stmt->execute();
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}
}
?>
您可以使用?-signs而不是:propname模式,这是个人偏好的问题。
bindValue()的作用与mysqli_real_escape_string的作用基本相同。它使您的变量SQL安全,以防止SQL注入。你可以在这里找到更多关于PHP的信息:https://www.php.net/manual/en/book.pdo.php
值得学习,这是最常用的数据库处理工具(据我所知)