对于像我这样的非高级用户来说,有点难以理解,提取并应用高级用户从this或this等帖子提供的所有建议。
我需要一个简单但安全的MySQLi和PHP用户注册(用户名+密码); 我已尝试按照这些帖子中包含的建议进行操作,但我不确定我的代码是否可以防止注入,是否过时:
和registration.php:
$host = "localhost";
$dbuser = "xxxx";
$dbpassword = "xxxx";
$dbname = "xxxx";
$conn = mysql_connect($host, $dbuser, $dbpassword);
if($conn == 0){
echo "Connection Failed";
}
$db_select = mysqli_select_db($dbname, $conn);
$username = mysqli_real_escape_string($_POST['username']);
$password = $POST['password'];
if($user == '' or $password == ''){
echo "Compile all!";
}else{
$query = "Insert Into 'user' ('username' , 'password') VALUES ('$username' , '$password')";
$query2 = mysqli_query($query);
echo "Registration complete";
}
这当然需要很多改进,我希望能够理解你的所有建议,因为我对此很陌生。
答案 0 :(得分:1)
您需要与功能保持一致,mysql_*功能不能与mysqli_*功能互换。坚持mysqli_*功能并阅读prepared statements,它们将有助于防止注射。
就密码而言,您首先需要知道的是不在您的数据库中存储密码。这意味着什么是纯文本。如果您有权使用PHP5.5 +,请阅读these functions,它与哈希密码直接相关,您可以存储在数据库中。
答案 1 :(得分:1)
这是我用于我的注册的注册码。它运作良好。
<?php include('header.php'); ?>
<?php
include('config.php'); // Database connection and settings
error_reporting(E_ALL);
ini_set('display_errors', 1);
if(isset($_POST['register'])){
$name = trim(mysqli_escape_string($conn,$_POST['username']));
$first_name = trim(mysqli_escape_string($conn,$_POST['first_name']));
$last_name = trim(mysqli_escape_string($conn,$_POST['last_name']));
$display_name = trim(mysqli_escape_string($conn,$_POST['display_name']));
$email = trim(mysqli_escape_string($conn,$_POST['email']));
$passwords = trim(mysqli_escape_string($conn,$_POST['password']));
$password = password_hash($passwords, PASSWORD_DEFAULT); // for Better Hashing Password
or $password = md5($passwords);
$query_verify_email = "SELECT * FROM users WHERE email ='$email'";
$verified_email = mysqli_query($conn,$query_verify_email) or die("Error: ".mysqli_error($conn));
if (!$verified_email) {
echo ' System Error';
}
if (mysqli_num_rows($verified_email) == 0) {
// Generate a unique code:
$hash = md5(uniqid(rand(), true));
$query_create_user = "INSERT INTO users ( username, email, password, hash,first_name,last_name,display_name,pic,gender,isactive)
VALUES ( '$name', '$email', '$password', '$hash','$first_name','$last_name','$display_name','','',0)";
$created_user = mysqli_query($conn,$query_create_user) or die("Error: ".mysqli_error($conn));
if (!$created_user) {
echo 'Query Failed ';
}
if (mysqli_affected_rows($conn) == 1) { //If the Insert Query was successfull.
$subject = 'Activate Your Email';
$headers = "From: admin@infotuts.com \r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
$url= 'verify.php?email=' . urlencode($email) . "&key=$hash";
$message ='<p>To activate your account please click on Activate buttton</p>';
$message.='<table cellspacing="0" cellpadding="0"> <tr>';
$message .= '<td align="center" width="300" height="40" bgcolor="#000091" style="-webkit-border-radius: 5px; -moz-border-radius: 5px; border-radius: 5px;
color: #ffffff; display: block;">';
$message .= '<a href="'.$url.'" style="color: #ffffff; font-size:16px; font-weight: bold; font-family: Helvetica, Arial, sans-serif; text-decoration: none;
line-height:40px; width:100%; display:inline-block">Click to Activate</a>';
$message .= '</td> </tr> </table>';
mail($email, $subject, $message, $headers);
echo '<div class="alert alert-success">A confirmation email
has been sent to <b>'. $email.' </b> Please click on the Activate Button to Activate your account </div>';
} else { // If it did not run OK.
echo '<div class="alert alert-info">You could not be registered due to a system
error. We apologize for any
inconvenience.</div>';
die(mysqli_error($conn));
}
}
else{
echo '<div class="alert alert-danger">Email already registered</div>';}
}
?>
<div class="row">
<div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
<form role="form" action='' method="post" enctype="multipart/form-data">
<h2>Please Sign Up <small>It's free and always will be.</small></h2>
<hr class="colorgraph">
<div class="row">
<div class="col-xs-12 col-sm-6 col-md-6">
<div class="form-group">
<input type="text" name="first_name" id="first_name" class="form-control input-lg" placeholder="First Name" tabindex="1">
</div>
</div>
<div class="col-xs-12 col-sm-6 col-md-6">
<div class="form-group">
<input type="text" name="last_name" id="last_name" class="form-control input-lg" placeholder="Last Name" tabindex="2">
</div>
</div>
</div>
<div class="form-group">
<input type="text" name="username" id="username" class="form-control input-lg" placeholder="User Name" tabindex="3">
</div>
<div class="form-group">
<input type="text" name="display_name" id="display_name" class="form-control input-lg" placeholder="Display Name" tabindex="3">
</div>
<div class="form-group">
<input type="email" name="email" id="email" class="form-control input-lg" placeholder="Email Address" tabindex="4">
</div>
<div class="row">
<div class="col-xs-12 col-sm-6 col-md-6">
<div class="form-group">
<input type="password" name="password" id="password" class="form-control input-lg" placeholder="Password" tabindex="5">
</div>
</div>
<div class="col-xs-12 col-sm-6 col-md-6">
<div class="form-group">
<input type="password" name="password_confirmation" id="password_confirmation" class="form-control input-lg" placeholder="Confirm Password" tabindex="6">
</div>
</div>
</div>
<div class="row">
<div class="col-xs-4 col-sm-3 col-md-3">
<span class="button-checkbox">
<button type="button" class="btn" data-color="info" tabindex="7">I Agree</button>
<input type="checkbox" name="t_and_c" id="t_and_c" class="hidden" value="1">
</span>
</div>
<div class="col-xs-8 col-sm-9 col-md-9">
By clicking <strong class="label label-primary">Register</strong>, you agree to the <a href="#" data-toggle="modal" data-target="#t_and_c_m">Terms and Conditions</a> set out by this site, including our Cookie Use.
</div>
</div>
<hr class="colorgraph">
<div class="row">
<div class="col-xs-12 col-md-6"><input type="submit" name='register' value="Register" class="btn btn-primary btn-block btn-lg" tabindex="7"></div>
<div class="col-xs-12 col-md-6"><a href="login.php" class="btn btn-success btn-block btn-lg">Sign In</a></div>
</div>
</form>
</div>
</div>
</div>
答案 2 :(得分:0)
您的代码存在很多问题。 主要问题是您使用过时的数据库连接方法(mysql_ *函数)。您还尝试与它交换mysqli_ *函数。我建议您废弃该代码并学习PDO。我确信它已经成为新版PHP版本的标准(或者有人告诉我)。
除此之外,您还要检查数据库连接是否有效,但即使代码不会继续运行查询也是如此。如果您对UX不感兴趣如果db连接失败,那么你可以调用die($ string);这将杀死脚本并回显字符串。 另一件事,&#39;或&#39;不是一个有效的运营商。它是||为或。 您还引用了一个错误的超全局变量。它&#39; $ _ POST&#39;,而不是&#39; $ POST&#39;。 您还没有哈希密码。你应该查看如何哈希密码,但要注意像md5等破解算法。我通常倾向于使用随机字节盐的crypt。关于最好的问题存在很大争议。但总的来说,如果你编写一个好的系统,那么你就不应该过分担心数据是否已被散乱。 (错误的术语)。
我希望这有帮助。我的建议是在沉迷于登录系统等项目之前学习PHP,这些项目可能会使用户的数据面临风险。