我试图使用PDO创建一个用户注册页面,我以前从未使用过这个,所以我很难理解这些值是如何插入到我的表中的。
有人能看出我的代码出了什么问题吗?
<?php
include_once ('/_includes/classes/connection.class.php');
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$accounttype = $_POST['accounttype'];
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES ($firstname,$lastname,$email,$password,$accounttype)";
echo $query;
$count = $dbh->exec($query);
$dbh = null;
?>
<?php
$dsn = 'mysql:host=localhost;dbname=site.co.uk';
$username = 'access@site.co.uk';
$password = 'password';
$options = array(
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
);
$dbh = new PDO($dsn, $username, $password, $options);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$userpassword = $_POST['password'];
$accounttype = $_POST['accounttype'];
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES (:firstname,:lastname,:email,:password,:accounttype)";
$stmt = $dbh->prepare($query);
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':password', $userpassword);
$stmt->bindParam(':accounttype', $accounttype);
$stmt->execute();
?>
千万不要这样做,因为SQL注入
使用准备好的语句
http://php.net/manual/de/pdo.prepared-statements.php<?php
require_once ('_includes/classes/connection.class.php');
$stmt = $dbh->prepare('INSERT INTO users (firstname,lastname,email,password,accounttype) VALUES (:firstname,:lastname,:email,:password,:accounttype)');
$stmt->execute(array($_POST));
出问题的是,您忘记了值的引号。但是对于预处理语句,你不需要引号。
http://www.w3schools.com/sql/sql_insert.asp请不要将纯文本密码保存到数据库中,使用散列
PHP密码的安全哈希和盐
如果你真的需要包含文件,最好使用"require"或"require_once"。
http://php.net/manual/en/function.require.php-
include_once ('/_includes/classes/connection.class.php');
将永远不包含任何内容。在本地文件系统的根目录下没有_includes目录 - 因为你没有提到任何错误-所以,你没有正确的错误报告设置。
有人能看出我的代码出了什么问题吗?
可能有其他错误,但观察代码不是正确的方法。可以使用来运行代码,来调试代码,并观察发生的错误。
我必须添加的唯一一件事作为旁注-你的代码像洪水一样潮湿。看看它:你把每个字段名写了六遍!
-
$firstname = $_POST['firstname'];
- 2x - (firstname) VALUES (:firstname) ' - 2x
-
bindParam(':firstname', $firstname);
- 2x
共6次重复
您需要绑定这些值,而不是使用字符串连接。
$dsn = 'mysql:host=localhost;dbname=mydb';
$username = 'myun';
$password = 'mypw';
$options = array(
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
);
$dbh = new PDO($dsn, $username, $password, $options);
$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES
(:firstname,:lastname,:email,:password,:accounttype)";
$stmt = $dbh->prepare($query);
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
//etc
$stmt->execute();
您应该真正使用准备好的语句。您应该这样做,假设:
- $dbh是一个PDO对象
- 你已经检查$_POST数组,以确保它包含所有的字段,你认为它应该
- 修复include语句
- 选择将散列密码保存在数据库中,而不是以明文形式存储
你的代码应该更像这样:
<?php
error_reporting(E_ALL);
include_once ('_includes/classes/connection.class.php');
$_POST['password'] = hash('md5', $_POST['password']);
$statement = $dbh->prepare("INSERT INTO
users(firstname,lastname,email,password,accounttype)
VALUES (:firstname, :lastname, :email, :password, :accounttype)");
if ($statement->execute($_POST) !== true) {
// there was some kind of error
// perhaps $statement->errorInfo() will tell you something
}