douqian1975 2019-04-21 16:31
浏览 47
已采纳

我怎样才能重新制作准备好的声明? [重复]

This question already has an answer here:

One dude says i need to use Prepared Statements in my code because it's more secure and better then what am doing right now.

I already did only php/mysqli codes whitout Prepared Statements for example this is my server.php one of codes 

<?php 
    session_start();

    // variable declaration
    $username = "";
    $email    = "";
    $errors = array(); 
    $_SESSION['success'] = "";

    // connect to database
    $db = mysqli_connect('localhost', 'root', 'root', 'root');

    // REGISTER USER
    if (isset($_POST['reg_user'])) {
        // receive all input values from the form
        $username = mysqli_real_escape_string($db, $_POST['username']);
        $email = mysqli_real_escape_string($db, $_POST['email']);
        $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
        $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);

        $steamid = mysqli_real_escape_string($db, $_POST['steamid']);
        $age = mysqli_real_escape_string($db, $_POST['age']);
        $rank = mysqli_real_escape_string($db, $_POST['rank']);
        $scode = mysqli_real_escape_string($db, $_POST['scode']);

        // form validation: ensure that the form is correctly filled
        if (empty($username)) { array_push($errors, "Username is required"); }
        if (empty($email)) { array_push($errors, "Email is required"); }
        if (empty($password_1)) { array_push($errors, "Password is required"); }

        if ($password_1 != $password_2) {
            array_push($errors, "The two passwords do not match");
        }

        // register user if there are no errors in the form
        if (count($errors) == 0) {
            $password = md5($password_1);//encrypt the password before saving in the database
            $query = "INSERT INTO users (username, usertype, email, password, steamid, age, rank, scode) 
                      VALUES('$username', '$usertype', '$email', '$password', '$steamid', '$age', '$rank', '$scode')";
            mysqli_query($db, $query);

            $_SESSION['username'] = $username;
            $_SESSION['success'] = "You are now logged in";
            header('location: index.php');
        }

    }

?>

And how can i make this code whit Prepared Statements someone can help me only whit this example? I really need your help if i get final result of this code whit Prepared Statements i will understand how to use it and will more dedicated to re code my codes ( all )

Thank you for answer.

</div>
  • 写回答

1条回答 默认 最新

  • dongzhe3171 2019-04-21 16:45
    关注

    You can do prepared statements with PDO which is part of php by default. Your code could look like this:

    <?php

    session_start();

    // variable declaration
    $username = "";
    $email    = "";
    $errors = array();
    $_SESSION['success'] = "";

    // connect to database
    $db = mysqli_connect('localhost', 'root', 'root', 'root');

    // REGISTER USER
    if (isset($_POST['reg_user'])) {
        // receive all input values from the form

        if (empty($_POST['username'])) { array_push($errors, "Username is required"); }
        if (empty($_POST['email'])) { array_push($errors, "Email is required"); }
        if (empty($_POST['password_1'])) { array_push($errors, "Password is required"); }

        if ($_POST['password_1']!= $_POST['password_2']) {
            array_push($errors, "The two passwords do not match");
        }

        // register user if there are no errors in the form
        if (count($errors) == 0) {

            $password = md5($_POST['password_1']);//encrypt the password before saving in the database
            $pdo = new PDO('mysql:host=localhost;dbname=yourdbname', 'yourdbusername', 'yourdbpass');

            $stmt = $pdo->prepare("INSERT INTO users (username, usertype, email, password, steamid, age, rank, scode) VALUES (:username, :usertype, :email, :password, :steamid, :age, :rank, :scode)");

            $stmt->bindValue(':username', $_POST['username']);
            $stmt->bindValue(':usertype', $_POST['usertype']);
            $stmt->bindValue(':email', $_POST['email']);
            $stmt->bindValue(':password', $_POST['password']);
            $stmt->bindValue(':steamid', $_POST['steamid']);
            $stmt->bindValue(':age', $_POST['age']);
            $stmt->bindValue(':rank', $_POST['rank']);
            $stmt->bindValue(':scode', $_POST['scode']);

            $result = $stmt->execute();


            $_SESSION['username'] = $username;
            $_SESSION['success'] = "You are now logged in";
            header('location: index.php');
        }

    }

?>

    You could aso use ?-signs instead of the :propname pattern, this is question of personal preference.

    What bindValue() does, is basically the same thing what you are doing with mysqli_real_escape_string. It makes your variable SQL safe to prevent SQL injection. You can find more infos about PHP here: https://www.php.net/manual/en/book.pdo.php

    It is worh learning, that is the most used tool for database handling (as far as I know)

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 自适应 AR 模型 参数估计Matlab程序
  • ¥100 角动量包络面如何用MATLAB绘制
  • ¥15 merge函数占用内存过大
  • ¥15 Revit2020下载问题
  • ¥15 使用EMD去噪处理RML2016数据集时候的原理
  • ¥15 神经网络预测均方误差很小 但是图像上看着差别太大
  • ¥15 单片机无法进入HAL_TIM_PWM_PulseFinishedCallback回调函数
  • ¥15 Oracle中如何从clob类型截取特定字符串后面的字符
  • ¥15 想通过pywinauto自动电机应用程序按钮,但是找不到应用程序按钮信息
  • ¥15 如何在炒股软件中,爬到我想看的日k线