doucou1892 2016-03-16 15:36
浏览 122
已采纳

为什么我的全局变量不起作用?

I am trying to create a signup form that allows potential users to input their first and last name, a username and a password. With this password, I want to use PHP's hash function and some "salts" to make the password secure. To do so, I created a function inside my PHP script to save on redundancy. To accomplish this, I changed variables $connection, $iniSalt, and $endSalt to global variables - thinking this would allow me to use them inside the function addUser(). Can someone tell me what I am doing wrong here? Any advice on how to go about this would be greatly appreciated. Here is my code: 

global $connection;
$connection = new mysqli($db_host, $user, $pass, $db);

if ($connection->connect_error) {
    die($connection->connect_error);
}

$query = "CREATE TABLE users (
firstname VARCHAR(32) NOT NULL,
lastname VARCHAR(32) NOT NULL,
username VARCHAR(32) NOT NULL UNIQUE,
password VARCHAR(32) NOT NULL
)";

$result = $connection->query($query);
if (!$result) {
    die($connection->error);
}

global $iniSalt, $endSalt;
$iniSalt = "xb&z*";
$endSalt = "nb!@";

function addUser($conn, $firstname, $lastname, $username, $password) {
    $token = hash('ripemd128', "$iniSalt$password$endSalt");
    $query = "INSERT INTO users VALUES('$firstname', '$lastname', '$username', $token)";
    $result = $connection->query($query);
    if (!$result) {
        die($connection->error);
    }
}

addUser($connection, 'Bill', 'Murray', 'bmurray', 'mysecret');
addUser($connection, 'Jacki', 'Hughes', 'jhughes', 'somepw');
  • 写回答

3条回答 默认 最新

  • dpkpaxhzffixp8426 2016-03-16 15:54
    关注

    Besides the other answers given in regards to the placement of global, and that I also pointed out in comments about its placement:

    Sidenote: Consult my footnotes.

    The $token variable is a string and it also must be quoted.

    $query = "INSERT INTO users VALUES('$firstname', '$lastname', '$username', $token)";

    When your query fires up, you will get a syntax error for it.

    So, quote the variable:

    $query = "INSERT INTO users VALUES('$firstname', '$lastname', '$username', '$token')";

    ripemd128 produces a string, not an integer

    ripemd128 32 789d569f08ed7055e94b4289a4195012

    Also, if you're planning on going live with this, you'd be better off using password_hash() or the compatibility pack for it.

    It's much safer.

    References:

    If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

    You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.

    Footnotes:

    Read up on variable scope:

    If you're looking to protect against SQL injection which is something worthwhile doing, consult the following:

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 nginx中的CORS策略应该如何配置
  • ¥30 信号与系统实验:采样定理分析
  • ¥100 我想找人帮我写Python 的股票分析代码,有意请加mathtao
  • ¥20 Vite 打包的 Vue3 组件库,图标无法显示
  • ¥15 php 同步电商平台多个店铺增量订单和订单状态
  • ¥15 关于logstash转发日志时发生的部分内容丢失问题
  • ¥17 pro*C预编译“闪回查询”报错SCN不能识别
  • ¥15 微信会员卡接入微信支付商户号收款
  • ¥15 如何获取烟草零售终端数据
  • ¥15 数学建模招标中位数问题