doucou1892 2016-03-16 15:36
浏览 121
已采纳

为什么我的全局变量不起作用?

I am trying to create a signup form that allows potential users to input their first and last name, a username and a password. With this password, I want to use PHP's hash function and some "salts" to make the password secure. To do so, I created a function inside my PHP script to save on redundancy. To accomplish this, I changed variables $connection, $iniSalt, and $endSalt to global variables - thinking this would allow me to use them inside the function addUser(). Can someone tell me what I am doing wrong here? Any advice on how to go about this would be greatly appreciated. Here is my code: 

global $connection;
$connection = new mysqli($db_host, $user, $pass, $db);

if ($connection->connect_error) {
    die($connection->connect_error);
}

$query = "CREATE TABLE users (
firstname VARCHAR(32) NOT NULL,
lastname VARCHAR(32) NOT NULL,
username VARCHAR(32) NOT NULL UNIQUE,
password VARCHAR(32) NOT NULL
)";

$result = $connection->query($query);
if (!$result) {
    die($connection->error);
}

global $iniSalt, $endSalt;
$iniSalt = "xb&z*";
$endSalt = "nb!@";

function addUser($conn, $firstname, $lastname, $username, $password) {
    $token = hash('ripemd128', "$iniSalt$password$endSalt");
    $query = "INSERT INTO users VALUES('$firstname', '$lastname', '$username', $token)";
    $result = $connection->query($query);
    if (!$result) {
        die($connection->error);
    }
}

addUser($connection, 'Bill', 'Murray', 'bmurray', 'mysecret');
addUser($connection, 'Jacki', 'Hughes', 'jhughes', 'somepw');
  • 写回答

3条回答 默认 最新

  • dpkpaxhzffixp8426 2016-03-16 15:54
    关注

    Besides the other answers given in regards to the placement of global, and that I also pointed out in comments about its placement:

    Sidenote: Consult my footnotes.

    The $token variable is a string and it also must be quoted.

    $query = "INSERT INTO users VALUES('$firstname', '$lastname', '$username', $token)";

    When your query fires up, you will get a syntax error for it.

    So, quote the variable:

    $query = "INSERT INTO users VALUES('$firstname', '$lastname', '$username', '$token')";

    ripemd128 produces a string, not an integer

    ripemd128 32 789d569f08ed7055e94b4289a4195012

    Also, if you're planning on going live with this, you'd be better off using password_hash() or the compatibility pack for it.

    It's much safer.

    References:

    If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

    You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.

    Footnotes:

    Read up on variable scope:

    If you're looking to protect against SQL injection which is something worthwhile doing, consult the following:

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 有赏,i卡绘世画不出
  • ¥15 如何用stata画出文献中常见的安慰剂检验图
  • ¥15 c语言链表结构体数据插入
  • ¥40 使用MATLAB解答线性代数问题
  • ¥15 COCOS的问题COCOS的问题
  • ¥15 FPGA-SRIO初始化失败
  • ¥15 MapReduce实现倒排索引失败
  • ¥15 ZABBIX6.0L连接数据库报错,如何解决?(操作系统-centos)
  • ¥15 找一位技术过硬的游戏pj程序员
  • ¥15 matlab生成电测深三层曲线模型代码