我想做一个简单的登录和注册页面,但是每次我尝试登录用户时,它都告诉我它无法执行查询。我使用mariadb服务器。
这是插入
$sql="INSERT INTO userid VALUES ( {$_POST['usname']} , {$_POST['firstname']} , {$_POST['lastname']} , {$_POST['wordpass']} , '' )";
这是登录部分
<form action="thankyou.php" method="post">
<div>
<label for="uname">Choose an Username: </label>
<input type="text" id="uname" name="usname" pattern="[a-z]{3-15}" placeholder="Username">
<div class="tinytext"> Username must be at least 3 characters long and at most 15 characters long, containing only lowercase letters </div>
</div>
<div>
<label for="fname"> Enter First Name: </label>
<input type="text" id="fname" name="firstname" pattern="[a-z]{3-15}" placeholder="First Name">
<div class="tinytext"> First Name must be at least 3 characters long and at most 15 characters long, containing only lowercase letters</div>
</div>
<div>
<label for="lname"> Enter Last Name Name: </label>
<input type="text" id="fname" name="lastname" pattern="[a-z]{3-15}" placeholder="Last Name">
<div class="tinytext"> Last Name must be at least 3 characters long and at most 15 characters long, containing only lowercase letters</div>
</div>
<div>
<label for="pwd"> Enter Password: </label>
<input type="password" id="pwd" name="wordpass" minlenght="8" maxlenght="30" placeholder="Password">
<div class="tinytext"> Password must be at least 8 characters long and at most 30 characters long</div>
</div>
<div>
<button onclick="window.location.href='thankyou.php'">Submit</button>
</div>
</form>
除了您的表单问题之外,您的SQL还将转换为错误的SQL语句。
让我们假设:
usname = myusername
firstname = myfirstname
lastname = mylastname
wordpass = mypass
将转换为:
INSERT INTO userid VALUES (myusername, myfirstname, mylastname, mypass, '')
如果您的所有值都不是字符串,将导致SQL错误!应该:
INSERT INTO userid VALUES ('myusername', 'myfirstname', 'mylastname', 'mypass', '')
这是你的错误
BUUUT,您应该阅读有关SQL-INJECTION的信息,因为如果直接将它发送给DB,那么您将获得什么!
准备语句示例(使用PDO)
<?php
// open new PDO connection
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// prepare your data
$data = [
'username' => $_POST['usname']
'firstname' => $_POST['firstname']
'lastname' => $_POST['lastname']
'password' => $_POST['wordpass']
];
// create prepared statement to prevent SQL-injection
$sql = "INSERT INTO userid (username, firstname, lastname, password) VALUES (:username, :firstname, :lastname, :password)";
$stmt = $conn->prepare($sql);
// execute statement and persist to DB
$stmt->execute($data);
其他示例可以在这里找到:https : //www.w3schools.com/php/php_mysql_prepared_statements.asp
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句