这是代码中有问题的部分:
$query = mysql_query("INSERT INTO members
(user, pass, mail, country, city, www, credo)
VALUES ('$_POST[user]','$_POST[pass]', '$_POST[mail]',
'$_POST[country]', '$_POST[city]', '$_POST[www]', '$_POST[credo]')")
or die ("Error - Couldn't register user.");
我弄错了
我如何才能找到更具体的无法执行的部分
我试图一个接一个地消除字段,但没有结果。
这应该会向您说明查询失败的原因,并且至少可以防止一些安全问题:
小改进
// Run by each $_POST entry and set it to empty if not found
// Clean the value against tags and blank spaces at the edges
$dataArr = array();
foreach($_POST as $key => $value) {
$dataArr[$key] = ($value == "undefined") ? '' : strip_tags(trim($value));
}
// try to perform the INSERT query or die with the returned mysql error
$query = mysql_query("
INSERT INTO members
(user, pass, mail, country, city, www, credo)
VALUES (
'".$dataArr["user"]."',
'".$dataArr["pass"]."',
'".$dataArr["mail"]."',
'".$dataArr["country"]."',
'".$dataArr["city"]."',
'".$dataArr["www"]."',
'".$dataArr["credo"]."'
)
") or die ("Error:<br/>".mysql_error());
介质改进
// Run by each $_POST entry and set it to empty if not found
// Clean the value against tags and blank spaces at the edges
$dataArr = array();
foreach($_POST as $key => $value) {
$dataArr[$key] = ($value == "undefined") ? '' : strip_tags(trim($value));
}
// escape everything
$query = sprintf("
INSERT INTO members
(user, pass, mail, country, city, www, credo)
value ('%s', '%s', '%s', '%s', '%s', '%s', '%s')",
mysql_real_escape_string($dataArr["user"]),
mysql_real_escape_string($dataArr["pass"]),
mysql_real_escape_string($dataArr["mail"]),
mysql_real_escape_string($dataArr["country"]),
mysql_real_escape_string($dataArr["city"]),
mysql_real_escape_string($dataArr["www"]),
mysql_real_escape_string($dataArr["credo"])
);
// try to perform the INSERT query or die with the returned mysql error
$result = mysql_query($query) or die ("Error:<br/>".mysql_error());
高级改进
如果你正在启动一个新项目,或者你仍然可以改变你的方式,我强烈建议你使用PHP PDO来防止与你正在使用的当前数据库连接相关的许多安全问题。
INSERT INTO members
(user, pass, mail, country, city, www, credo)
VALUES
('".$_POST['user']."','".$_POST['pass']."', '".$_POST['mail']."',
'".$_POST['country']."', '".$_POST['city']."', '".$_POST['www']."', '".$_POST['credo']."')")
只是一个简短的警告。将POST值直接插入数据库可能会导致安全漏洞。在将所有用户输入插入数据库之前,请确保对其进行验证和筛选。
您的Sql查询错误。此处
VALUES ('$_POST[user]')
你必须使用
$_POST['user']
您正在将值直接插入数据库中。。!!!这完全是一种糟糕的感觉。让它逃离
$user = mysql_real_escape_string(trim($_POST['user']));
$pass = mysql_real_escape_string(trim($_POST['pass']));
$mail = mysql_real_escape_string(trim($_POST['mail']));
$country = mysql_real_escape_string(trim($_POST['country']));
$city = mysql_real_escape_string(trim($_POST['city']));
$www = mysql_real_escape_string(trim($_POST['www']));
$credo = mysql_real_escape_string(trim($_POST['credo']));
然后将其插入数据库,
$query = mysql_query("INSERT INTO members
(user, pass, mail, country, city, www, credo)
VALUES ($user,$pass, $mail,$country, $city, $www, $credo)")
or die ("Error - Couldn't register user.");
该代码现在是安全的,可以插入数据库,并且是一个干净的代码。。