doubi6215 2012-07-10 06:28
Views: 32
Accepted

MySQL and PHP unexpected T_Variable

Okay, so I have a register.php script written and I get an unexpected T_VARIABLE when the command tries to execute. The error lies on line 15 at

    ('$_Post[username]','$_Post[sha_pass_hash]','$_Post[email]','2')";

I also have a second error in my syntax according to Dreamweaver at line 20 for

    die('Error: ' . mysql_error());

If anyone could help it would be greatly appreciated. Thank you in advance.


5 answers

  • dqyknf4423 2012-07-10 10:22

    STOP

    Inserting into a database directly from post is always a bad idea. This is the reason PHP is currently stuck with the very un-intuitive magic quotes.

    You should at the very least be using mysql_real_escape_string() to escape your data. For example:

    $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
        OR die(mysql_error());
    // The ext/mysql functions need a database selected on the connection.
    mysql_select_db('mysql_database', $link)
        OR die(mysql_error());
    
    // Escape every user-supplied value before it is spliced into the SQL text.
    $query = "INSERT INTO users VALUES (
        '" . mysql_real_escape_string($_POST["username"], $link) . "',
        '" . mysql_real_escape_string($_POST["sha_pass_hash"], $link) . "',
        '" . mysql_real_escape_string($_POST["email"], $link) . "',
        '2'
    )";
    
    mysql_query($query, $link)
        OR die(mysql_error());
    

    The reason you have to do this is security based. For example, if someone malicious set the username field to '); DROP TABLE users; without first escaping your data, you would end up blindly running the following query:

    INSERT INTO users VALUES (''); DROP TABLE users;
    

    Which of course isn't going to end well for your application.

    This is the minimum you should be doing.

    In reality you should really be moving onto MySQLi, which is a much more modern MySQL interface. Here is an example:

    $mysqli = new mysqli('mysql_host', 'mysql_user', 'mysql_password', 'mysql_database');
    if ($mysqli->connect_error) {
        die('Connect error: ' . $mysqli->connect_error);
    }
    
    // real_escape_string() uses the connection's character set, so connect first.
    $query = "INSERT INTO users VALUES (
        '" . $mysqli->real_escape_string($_POST["username"]) . "',
        '" . $mysqli->real_escape_string($_POST["sha_pass_hash"]) . "',
        '" . $mysqli->real_escape_string($_POST["email"]) . "',
        '2'
    )";
    
    $mysqli->query($query)
        OR die('Query error: ' . $mysqli->error);
    

    You can even use MySQL in a procedural style. So if object-oriented programming isn't within your reach yet, you will have no problems with MySQLi.

    Hope that helps.

    This answer was accepted by the asker.
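The same INSERT written with a MySQLi prepared statement, so that form values travel as bound parameters and never become part of the SQL text at all. This is an added example, not the answerer's code; it assumes PHP 7 or later with the mysqli extension, and the column names and connection details are placeholders.

```php
<?php
// Added example (not from the answer above): parameterised INSERT with MySQLi.
// Connection details and column names are placeholders.

function register_user(mysqli $db, string $username, string $passHash, string $email): bool
{
    // Column names are assumed; the original query relied on column order.
    $stmt = $db->prepare(
        'INSERT INTO users (username, sha_pass_hash, email, account_type) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    $accountType = 2; // the literal '2' from the original query
    // 'sssi' = three strings and one integer; values are sent separately
    // from the statement text, so quoting inside them has no SQL meaning.
    $stmt->bind_param('sssi', $username, $passHash, $email, $accountType);

    $ok = $stmt->execute();
    if (!$ok) {
        error_log('insert failed: ' . $stmt->error);
    }
    $stmt->close();
    return $ok;
}

$db = new mysqli('mysql_host', 'mysql_user', 'mysql_password', 'mysql_database');
if ($db->connect_error) {
    die('Connect error: ' . $db->connect_error);
}

// A username such as  '); DROP TABLE users;  is stored verbatim as data
// rather than executed, because the parameter never reaches the parser as SQL.
$ok = register_user(
    $db,
    $_POST['username'] ?? '',
    $_POST['sha_pass_hash'] ?? '',
    $_POST['email'] ?? ''
);
echo $ok ? 'registered' : 'registration failed';
```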
