我建立一个基于MySQL的注册页面,并希望一个确认密码匹配我的问题是,即使我的if / else语句是正确的表单仍在处理中,我可以看到数据在MySQL数据库。
码:
<?php require('connect.php'); // If the values are posted, insert them into the database. if (isset($_POST['username']) && isset($_POST['password'])){ $username = $_POST['username']; $email = $_POST['email']; $password = $_POST['password']; $confpassword = $_POST['confirm_password']; if ($_POST["password"] === $_POST["confirm_password"]) { $hashPassword = password_hash($password,PASSWORD_BCRYPT); } else { echo 'Password Match Failed', end;// failed :( } $query = "INSERT INTO `user` (username, password, email) VALUES ('$username', '$password', '$email')"; $result = mysqli_query($connection, $query); if($result){ $smsg = "User Created Successfully."; }else{ $fmsg ="User Registration Failed"; } } ?>i am building a mysql based registration page and want a Confirm password to be matched my problem is that even if my if/else statements are correct form is still being processed i can see data in mysql db.
Code:
<?php require('connect.php'); // If the values are posted, insert them into the database. if (isset($_POST['username']) && isset($_POST['password'])){ $username = $_POST['username']; $email = $_POST['email']; $password = $_POST['password']; $confpassword = $_POST['confirm_password']; if ($_POST["password"] === $_POST["confirm_password"]) { $hashPassword = password_hash($password,PASSWORD_BCRYPT); } else { echo 'Password Match Failed', end;// failed :( } $query = "INSERT INTO `user` (username, password, email) VALUES ('$username', '$password', '$email')"; $result = mysqli_query($connection, $query); if($result){ $smsg = "User Created Successfully."; }else{ $fmsg ="User Registration Failed"; } } ?>最满意答案
您可能想要查看一个框架来帮助您提供像登录这样的常见任务。 它不仅会让你更轻松,而且使用经过验证的解决方案还具有增加安全性的好处。
就目前而言,你的代码有几个问题。
$username = $_POST['username']; $email = $_POST['email']; $password = $_POST['password']; ... $query = "INSERT INTO `user` (username, password, email) VALUES ('$username', '$password', '$email')"; $result = mysqli_query($connection, $query);此代码易受SQL注入攻击,这意味着攻击者可能会删除您的数据库或修改其用户帐户以获取管理员访问权限。
你用bcrypt散列这个密码是个不错的选择,但是你对这个散列没有做任何事情。 相反,普通密码存储在数据库中,使其不安全。
$password = $_POST['password']; $confpassword = $_POST['confirm_password']; if ($_POST["password"] === $_POST["confirm_password"]) { echo 'Password Matched'; }由于这两个值都是通过POST提交的,因此攻击者可以通过在请求中传递两个值来轻松绕过认证。
由于符合if或else条件时代码将继续存在,因此插入数据的部分也会保存。 这就是为什么每次调用插入用户的脚本时(或者由于重复的唯一字段而导致数据库错误)。
您的问题的完整解决方案很难做到这一点。 但我会先分开注册过程(创建用户)和登录(检查用户是否存在以及密码是否匹配)。 只需查看我的个人资料,您就可以轻松获取我的一些社交帐户。 随时与我联系,我会尽量安排闲聊或环聊会议,以便我可以提供更多帮助。
You might want to check out a framework to help you with providing common tasks like login. Not only will it make things easier for you, but using a proven solution also has the benefit of added security.
As it stands your code has a few issues.
$username = $_POST['username']; $email = $_POST['email']; $password = $_POST['password']; ... $query = "INSERT INTO `user` (username, password, email) VALUES ('$username', '$password', '$email')"; $result = mysqli_query($connection, $query);This code is vulnerable to SQL injection, meaning an attacker could delete your database or modify their user account to gain admin access.
You hash the password with bcrypt which is a good choice, but you are not doing anything with the hash. Instead the plain password is stored in the database, making it insecure.
$password = $_POST['password']; $confpassword = $_POST['confirm_password']; if ($_POST["password"] === $_POST["confirm_password"]) { echo 'Password Matched'; }Since both values are submitted via POST an attacker can easily bypass your authentication by passing both values in the request.
Since the code will continue both when the if or the else-condition are met, the part where you insert the data is saved as well. This is why every time you call the script a user is inserted (or you get a database error because of duplicate unique fields).
A full solution for your problem is hard to do in this space. But I would start by splitting up the signup process (creating a user) and the login (checking whether the user exists and if their password matches). Just check my profile, you can easily get some of my social accounts. Feel free to reach out to me and I will try to arrange a slack chat or hangout session where I can help out more.
更多推荐
发布评论