我希望我的登录是超级安全的,或者至少是安全的,但我需要帮助我的注册脚本。使这个脚本成为安全登录脚本的下一步是什么?我有登录和注册部分,我只需要安全部分。
include('configdb.php');
if(isset($_POST['submit']))
{
//whether the username is blank
if($_POST['username'] == '')
{
$_SESSION['error']['username'] = "User Name is required.";
}
//whether the email is blank
if($_POST['email'] == '')
{
$_SESSION['error']['email'] = "E-mail is required.";
}
else
{
//whether the email format is correct
if(preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9._-]+)+$/", $_POST['email']))
{
//if it has the correct format whether the email has already exist
$email= $_POST['email'];
$sql1 = "SELECT * FROM user WHERE email = '$email'";
$result1 = mysqli_query($mysqli,$sql1) or die(mysqli_error());
if (mysqli_num_rows($result1) > 0)
{
$_SESSION['error']['email'] = "This Email is already used.";
}
}
else
{
//this error will set if the email format is not correct
$_SESSION['error']['email'] = "Your email is not valid.";
}
}
//whether the password is blank
if($_POST['password'] == '')
{
$_SESSION['error']['password'] = "Password is required.";
}
//if the error exist, we will go to registration form
if(isset($_SESSION['error']))
{
header("Location: index.php");
exit;
}
else
{
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$com_code = md5(uniqid(rand()));
$sql2 = "INSERT INTO user (username, email, password, com_code) VALUES ('$username', '$email', '$password', '$com_code')";
$result2 = mysqli_query($mysqli,$sql2) or die(mysqli_error());
答案 0 :(得分:0)
似乎很容易受到SQL注入攻击。你可以阻止它,这里是如何使用mysqli_real_escape_string防止参数转义字符串的指南
https://stackoverflow.com/questions/4034441/sql-injection-attack