私はPHP/MySQLの新機能ですので、私のサイトに複雑なログインシステムを実装しようとしています。これまでのところ、登録は完了しましたが、準備済みのステートメントを使用していないので、代わりにMySQLiを使用しました。 SQLインジェクションを防ぐ必要があるので、私は何とかこのコードをプリペアドステートメントに変更する必要があります。私は無数の時を試して、文の実行に失敗しました。MySQLiをプリペアドステートメントに変換するにはどうしたらいいですか?
これは最初の、動作していますが、準備されていないコードです。これは大きな質問である可能性があるので、誰かに手伝ってほしいと思っています。
//Declaring variables as whitespace so nothing will be displayed below the form until submission.
$fe_firstName = " ";
$fe_lastName = " ";
$fe_email = " ";
$fe_emailconf = " ";
$fe_username = " ";
$fe_pw = " ";
$fe_pwconf = " ";
$fe_terms = " ";
$fe_usernameInvalid = " ";
$fe_emailInvalid = " ";
//Declaring verification variables to ensure duplicate users aren't created.
$verifyUsername = $_POST['username'];
$verifyEmail = $_POST['email'];
//Setting up array, if zero errors occur the array will stay empty.
$errors = array();
//The URL of the signup page.
//The full URL of the page the form was submitted from.
$current = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
$referrer = $_SERVER['HTTP_REFERER'];
//Ensure form comes from VAL website.
if ($referrer == $current) {
if($_SERVER['REQUEST_METHOD'] == 'POST'){
/**
* Validate forms
* Match regex
* Ensure pass & email confirmations match
*/
if(0 === preg_match("/^[a-z\-]{2,20}$/i", $_POST['firstName'])){
$errors['e_firstName'] = "Your first name cannot be empty.";
$fe_firstName = "Your first name cannot be empty.";
}
if(0 === preg_match("/^[a-z\-]{2,20}$/i", $_POST['lastName'])){
$errors['e_lastName'] = "Your last name cannot be empty.";
$fe_lastName = "Your last name cannot be empty.";
}
if(0 === preg_match("/^[a-zA-Z0-9]+[a-zA-Z0-9_.-]+[a-zA-Z0-9_-][email protected][a-zA-Z0-9]+[a-zA-Z0-9.-]+[a-zA-Z0-9]+.[a-z]{2,4}$/", $_POST['email'])){
$errors['e_email'] = "Please enter a valid E-Mail address.";
$fe_email = "Please enter a valid E-Mail address.";
}
if(0 !== strcmp($_POST['email'], $_POST['emailconf'])){
$errors['e_emailconf'] = "Please ensure your E-Mail addresses match.";
$fe_emailconf = "Please ensure your E-Mail addresses match.";
}
if(0 === preg_match("/^[a-z\d_]{3,20}$/i", $_POST['username'])){
$errors['e_username'] = "Please enter a valid username.";
$fe_username = "Please enter a valid username.";
}
if(0 === preg_match("/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[a-zA-Z\d]{8,56}$/", $_POST['pw'])){
$errors['e_pw'] = "Please follow the password instructions. You must have at least one number, one lower-case, and one upper-case letter.";
$fe_pw = "Please follow the password instructions. You must have at least one number, one lower-case, and one upper-case letter.";
}
if(0 !== strcmp($_POST['pw'], $_POST['pwconf'])){
$errors['e_pwconf'] = "Please ensure your passwords match.";
$fe_pwconf = "Please ensure your passwords match.";
}
if(!isset($_POST['terms'])){
$errors['e_terms'] = "You must accept the Terms and Conditions.";
$fe_terms = "You must accept the Terms and Conditions.";
}
/**
* Check if username and email address already exist.
* If so, add error to validity array.
*/
$usernameCheck = mysqli_query($con, "SELECT * FROM users WHERE username='".$verifyUsername."'");
if($usernameCheck->num_rows){
$errors['e_usernameInvalid'] = "Username already exists.";
$fe_usernameInvalid = "Username already exists.";
}
$emailCheck = mysqli_query($con, "SELECT * FROM users WHERE email='".$verifyEmail."'");
if($emailCheck->num_rows){
$errors['e_emailInvalid'] = "Email already exists.";
$fe_emailInvalid = "Email already exists.";
}
//If no validation errors
if(0 === count($errors)){
/***
* Sanitize code
* Clean dangerous chars for DB
*/
$send_firstName = mysqli_real_escape_string($con, $_POST['firstName']);
$send_lastName = mysqli_real_escape_string($con, $_POST['lastName']);
$send_email = mysqli_real_escape_string($con, $_POST['email']);
$send_username = mysqli_real_escape_string($con, $_POST['username']);
$password = mysqli_real_escape_string($con, $_POST['pw']);
//HASH & ready password
//
// Instantiate new instance of class
$hash_password = new Hash_Password();
// Hash the password
$hash = $hash_password->hash($password);
$send_pw = $hash;
//Autoset non-user-input values to 0
$send_wins = 0;
$send_losses = 0;
$send_played = 0;
$send_earnings = 0;
//Obtain time of form submission = Time registered.
$datum = new DateTime();
$send_regDate = $datum->format('Y-m-d H:i:s');
$send_lastLogin = $send_regDate;
$send_rolePermissions = 0;
//Insert query time.
$sql = "
INSERT INTO users (first_name, last_name, username, password, email, last_login, date_joined, wins, losses, played, earnings, permissions) VALUES
('{$send_firstName}','{$send_lastName}','{$send_username}','{$send_pw}','{$send_email}','{$send_lastLogin}','{$send_regDate}','{$send_wins}','{$send_losses}','{$send_played}','{$send_earnings}','{$send_rolePermissions}')
";
//Redirecting based on the connection result.
if(!mysqli_query($con, $sql)){
if (!headers_sent()) {
exit(header("Location: registration_fail.php"));
} else{
?>
<script> location.replace("registration_fail.php"); </script>
<?php
}
} else{
if (!headers_sent()) {
exit(header("Location: registration_success.php"));
} else{
?>
<script> location.replace("registration_success.php"); </script>
<?php
}
mysqli_close($con);
}
}
}
}
多くのコードは検証であり、 "fe_"変数はフォームの下にエコー表示されます。変更が必要なのは、$ sql変数、real_escape_strings、$ usernameCheckと$ emailCheckです。
もう一度、私のすてきな質問に対する私の最大の謝罪が、私は答えを他の場所で見つけることができませんでした。 P.S - データベースはPDO経由で接続されており、問題はありません。
あなたはSQLインジェクションが起こらないようにしようとしているので、アップしています。 –
Imはphpには入っていませんが、パラメータ化された文を使用してください。 http://php.net/manual/es/mysqli.prepare.php –
ありがとう、私は間違った質問をしていたことに気付きました。あなたはいつでも助けてくれますか? – Lewis