我正在尝试用PHP编写注册表单。 我检查字段是否为空。 如果一个字段是空的,我创建一个$ var,如果设置了$ var,我会显示错误并且不进行查询。 但是当我测试源时,它运行查询,如果字段为空则不显示错误..
请帮助我,我找不到问题.. <?php
require_once('./lib/recaptchalib.php');
$username = ($_POST["username"]);
$real_name = ($_POST["real_name"]);
$password = ($_POST["password"]);
$password1 = ($_POST["password1"]);
$email = ($_POST["email"]);
$socialid = ($_POST["socialid"]);
function generateRandomString($length = 25) {
$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$randomString = '';
for ($i = 0; $i < $length; $i++) {
$randomString .= $characters[rand(0, strlen($characters) - 1)];
}
return $randomString;
}
$random_activate = generateRandomString();
require_once('./lib/config_mail.php');
$scid_check = strlen($socialid);
if($scid_check != 7) {
$print_error = "Il PIN deve essere composto da 7 caratteri, al momento ne ha $scid_check";
$check_errors = 1;
}
if($password != $password1) {
$print_error = "Le password non corrispondono!";
$check_errors = 1;
}
if($username != "") {
$query = "SELECT * FROM $db_account.account WHERE login = '$username'";
if ($result = $mysqli->query($query)) {
$count = $result->num_rows;
if($count == 1) {
$print_error = "Username già presente";
$check_errors = 1;
}
}
}
if($email != "") {
$query1 = "SELECT * FROM $db_account.account WHERE email = '$email'";
if ($result1 = $mysqli->query($query1)) {
$count1 = $result1->num_rows;
if($count1 == 1) {
$print_error = "Indirizzo E-mail già presente";
$check_errors = 1;
}
}
}
if(!$resp->is_valid){
$resp_check = 2;
} else {
$resp_check = 1;
$print_error = "Il codice di verifica è errato!";
$check_errors = 1;
}
if ($username == "" || $real_name == "" || $password == "" || $password1 == "" || $email == "" || $social_id == ""){
$check_errors = 1;
}
if($check_errors == 1){
$print_empty = "Uno o più campi risultano vuoti!";
} else {
$status_account = "INACTIVE";
mysqli_query($mysqli, "INSERT INTO $db_account.account (`login`,`real_name`,`password`,`email`,`social_id`,`create_time`,`gold_expire`,`silver_expire`,`safebox_expire`,`autoloot_expire`,`fish_mind_expire`,`marriage_fast_expire`,`money_drop_rate_expire`,`securitycode`,`status`)
VALUES ('$username','$real_name',PASSWORD('$password'),'$email','$socialid','$create_time','$gold_expire','$silver_expire','$safebox_expire','$autoloot_expire','$fish_mind_expire','$marriage_fast_expire','$money_drop_rate_expire','$random_activate','$status_account')") or die(mysqli_error($mysqli));
$print_notice = "Account registrato, ti abbiamo inviato una e-mail di verifica a $email !";
$to = $email;
$subject = $site_name;
$headers = 'From: ' . $email_admin . "\r\n" .
'Reply-To: ' . $email_admin . "\r\n" .
'Content-type: text/html' . "\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
}
?>
答案 0 :(得分:1)
将字符串分配给$ print_error或/和$ print_empty是不够的。您必须使用“echo”自行输出变量的内容。
但无论如何,你的mysql查询容易受到攻击且不安全!请学习“SQL-Injection”的所有内容。
请先阅读此内容,让您的脚本更安全一些: http://php.net/manual/en/security.database.sql-injection.php