【发布时间】:2015-07-20 15:58:43
【问题描述】:
所以我有一个网站,我正在尝试测试新的用户注册功能。我的 LogInHelper.php 文件中没有任何回声的输出。目标是能够为新用户输入信息,将其发布到 LogInHelper.php,查看输入的密码是否相等,如果不相等,则将结果 div 更新为错误消息。
这是我的包含 html 的 LogIn.php 文件:
<!DOCTYPE html>
<html>
<head>
<title>Ticket Log In</title>
<script src = "../../jquery.js"></script>
<style>
body{
padding:0;
margin:0;
}
#box {
background:blue;
text-align:center;
padding:10px;
color:white;
width:500px;
height:300px;
margin: 0 auto;
}
#LogIn {
background:blue;
text-align:center;
padding:10px;
color:white;
width:500px;
height:300px;
margin: 0 auto;
}
</style>
<script>
$(document).ready(function(){
$("#sub").click(function(){
var fist_name = $("#firstname").val();
var last_name = $("#lastname").val();
var user_email = $("#email").val();
var department_id = $("#department").val();
var user_pass = $("#pass").val();
var user_pass2 = $("#pass2").val();
$.post("LogInHelper.php",{firstname:first_name,lastname:last_name,email:user_email,department:department_id,pass:user_pass,pass2:user_pass2},function(data){
$("#result").html(data);
});
});
$("#sub2").click(function(){
var loginuser_email = $("#loginemail").val();
var loginuser_pass = $("#loginpass").val();
$.post("LogInHelper.php",{loginemail:loginuser_email,loginpass:loginuser_pass},function(data){
$("#result2").html(data);
});
});
$('#box').hide();
$('.new').click(function() {
$('#box').toggle();
$('#LogIn').toggle();
});
});
</script>
</head>
<body>
<div id="box">
<input type ="submit" class = "new" value = "New User Register">
<h2>New User Register Here:</h2>
<input type ="text" name="firstname" id="firstname" placeholder="Enter Your First Name"/></br>
<input type ="text" name="lastname" id="lastname" placeholder="Enter Your Last Name"/></br>
<input type ="text" name="email" id="email" placeholder="Enter Your email"/></br>
<form action="LogInHelper.php" method="post">
<select id = "department" name = "department">
<?php
$servername = "localhost";
$username = "quantco_Ted";
$password = "Quantum1";
$database = "quantco_Interns";
$con = mysqli_connect($servername,$username,$password,$database);
if($con->connect_error){
die("Connection failed " . $con->connect_error);
}
$sql = "select Department_name,id from Department";
$result = mysqli_query($con,$sql);
while ($row = mysqli_fetch_array($result)) {
$department = $row['Department_name'];
$id = $row['id'];
echo "<option value = '$id'>$department</option>";
}
?></select></form>
<input type ="password" name="pass" id="pass" placeholder="Enter Your Password"/>
<input type ="password" name="pass2" id="pass2" placeholder="Re-Enter Your Password"/>
</br></br>
<input type ="submit" name = "sub" value = "Register" id = "sub"/>
<div id="result"></div>
</div>
<div id="LogIn">
<input type ="submit" class = "new" value = "New User Register">
<h2>Registered User Log In:</h2>
<input type ="text" name="loginemail" id="loginemail" placeholder="Enter Your Email"/></br>
<input type ="password" name="loginpass" id="loginpass" placeholder="Enter Your Password"/>
</br></br>
<input type ="submit" name = "sub2" value = "Submit" id = "sub2"/>
<div id="result2"></div>
</div>
</body>
</body>
</html>
这是接收帖子的 LogInHelper 文件:
<?php
$servername = "localhost";
$username = "user";
$password = "pass";
$database = "db";
$con = mysqli_connect($servername,$username,$password,$database);
if($con->connect_error){
die("Connection failed " . $con->connect_error);
}
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$id = $_POST['department'];
$email = $_POST['email'];
$pass = md5($_POST['pass']);
$pass2 = md5($_POST['pass2']);
echo $firstname;
echo $lastname;
echo $id;
echo $email;
echo $pass;
echo $pass2;
$sel = "select * from Employee where email='$email'";
$run = mysqli_query($con,$sel);
$check_email = mysqli_num_rows($run);
if(!($pass==$pass2)){
echo "<h2>Your emails do not match, please try again!</h2>";
exit();
}
else if($check_email==1){
echo "<h2>This email is already registered, please try another!</h2>";
exit();
}
else{
$insert = "insert into Employee (email, first, last, department_id,pass,) values ('$email','$firstname','$lastname','$id', '$pass')";
$run_insert = mysqli_query($con,$insert);
if($run_insert){
echo "<h2>Registration Successful, Thanks!</h2>";
}
}
mysqli_close($con);
?>
【问题讨论】:
-
var fist_name?除非你是职业拳击手,否则命名你的拳头只是……很奇怪。哦,还有可爱的sql injection attack 漏洞... -
* 职业拳击手....和@lazersquids mcgee,您应该阅读有关面向对象的
mysqli和准备好的语句:php.net/manual/en/mysqli.prepare.php -
@MarcB 哪里有漏洞?