检查 MySQL 数据库中的重复用户 [重复]

Question

我想在注册用户时检查 MySQL 数据库中的重复项。

如果用户存在，则显示错误，否则请注册。

我知道有一些这样的问题，但我发现很难将其中任何一个粘贴到我的代码中。

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    //two passwords are the same
    if($_POST['password'] == $_POST['confirmedpassword']) {

        $username = $mysqli->real_escape_string($_POST['username']);
        $password = md5($_POST['password']);

        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;

        $sql = "INSERT INTO members(username, password)"
            . "VALUES ('$username','$password')";

            //if query is successful redirect to login.php
            if ($mysqli->query($sql) === true)
                $_SESSION['message'] = 'Success';
            header("location: login.php");
        } else {
            $_SESSION['message'] = "User couldnt be added";
        }
    } else {
        $_SESSION['message'] = "Passwords dont match";
    }
}

Answer 1

我在您的md5 password 中添加了一些salt 以使其看起来更安全，但实际上这个解决方案也不安全。要加密PHP 中的密码，建议使用password_hash() 函数，如下所示：

$pass = password_hash($password, PASSWORD_BCRYPT);

password_hash() 使用强大的单向哈希算法创建一个新的密码哈希。

然后用password_verify()进行测试：

password_verify ( $passToTest , $knownPasswordHash );

更多功能在这里：http://php.net/password-hash，http://php.net/password-verify。

另外，由于您使用的是MySQLi，请考虑使用准备好的语句，或者至少在将输入数据应用到数据库之前正确过滤输入数据。 更多关于准备好的语句：http://php.net/prepared-statements。

在将user 添加到database 之前，我添加了select statement 以检查table 中是否已经存在user。

使用header() 更改页面位置时，如果您想立即退出并且不想执行其他代码，请将exit() 或die() 放在下一行代码中。

这是添加了 select 语句的代码：

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    //two passwords are the same
    if($_POST['password'] == $_POST['confirmedpassword']) 
    {
        $username = $mysqli->real_escape_string($_POST['username']);

        // You might consider using salt when storing passwords like this
        $salt = 'aNiceDay';
        $password = md5(md5($_POST['password'].$salt).$salt);

        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;

        $sql = "SELECT `username` FROM members WHERE `username` = '".$username."'";
        $result = $mysqli->query($sql);

        if(mysqli_num_rows($result) > 0)
        {
            echo 'User exists.';
            // Do something.
        }
        else
        {
            $sql = "INSERT INTO members(username, password) VALUES ('".$username."','".$password."')";

            if($mysqli->query($sql) === true)
            {
                $_SESSION['message'] = 'Success';
                header("location: login.php");
                // Important to put exit() after header so other code
                // doesn't get executed.
                exit();
            }
            else
            {
                $_SESSION['message'] = "User couldn't be added";
                echo "User couldn't be added.";
            }
        }
    }
    else
    {
        $_SESSION['message'] = "Passwords dont match";
    }
}
?>

Answer 2

所以你可以检查用户是否存在。

if ($_SERVER['REQUEST_METHOD'] == 'POST'){
        //two passwords are the same
        if($_POST['password'] == $_POST['confirmedpassword']) {

        $username = $mysqli->real_escape_string($_POST['username']);
        $password = md5($_POST['password']);

        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;

        //Check user
        $CheckUserIsExist = mysqli->query("SELECT uid FROM members WHERE username='$username'");
        if(mysqli_num_rows($CheckUserIsExist)==0 ){
        $sql = "INSERT INTO members(username, password)"
            . "VALUES ('$username','$password')";

            //if query is successful redirect to login.php
            if($mysqli->query($sql) === true)
                $_SESSION['message'] = 'Success';
                header("location: login.php");

    }
   } else{
      echo 'This username is already in use. Please use different username';
   }
   else{
        $_SESSION['message'] = "User couldn't be added";
   }
}
else{
    $_SESSION['message'] = "Passwords don't match";
}