如果你有任何见解,我有一种我会爱你帮助的困境。简而言之,我目前正在做一个研究门户类型的项目,我希望它完全由数据库驱动,这样当我注册一个模块时,该特定模块出现在用户的个人资料中,因为截至目前,它并没有无论tom,dick还是harry登录,他们都会看到特定课程的三个模块。
因此,在注册时,用户将选择课程,将出现相关模块的列表,然后用户将选择他们的模块。从那时起,他们的主页将由附加到该模块的html和CSS代码填充。
有3个表与此部分交互。 UserDemo,课程和模块。
以下是我目前要注册为用户的代码(必须添加课程和模块):
账户\ signup.php
<?php
include '../inc/db.php';
include '../inc/functions.php';
if (isset($_POST['signup'])) {
$fName = p_s($_POST['fName']);
$lName = p_s($_POST['lName']);
$email = p_s($_POST['email']);
$password = p_s($_POST['password']);
$rpassword = p_s($_POST['rpassword']);
$contentID = p_s($_POST['contentID']);
if (!empty($fName) && !empty($lName) && !empty($email) && !empty($password) && !empty($contentID)) {
if (strlen($password) === strlen($rpassword)) {
$options = [
'cost' => 12,
];
$password = password_hash($password, PASSWORD_BCRYPT, $options);
$created_at = date('Y-m-d G:i:s');
$sql = "INSERT INTO usersDemo (fName, lName, email, password, contentID, status, created_at) VALUES ('$fName','$lName', '$email', '$password', '$contentID', 'approved', '$created_at')";
if (mysqli_query($conn, $sql)) {
header('Location: ../signup.php?suc');exit();
}
}else{
header('Location: ../signup.php?fidpass');exit();
}
}else{
header('Location: ../signup.php?fempt');exit();
}
}
INC \ signup.php
<form action="accounts/signup.php" method="POST">
<div id="fade-box">
<h2>Register</h2>
<div class="form-group">
<input name="fName" type="text" class="form-control" id="fName" placeholder="Enter your first name" required>
</div>
<div class="form-group">
<input name="lName" type="text" class="form-control" id="lName" placeholder="Enter your last name" required>
</div>
<div class="form-group">
<input name="email" type="email" class="form-control" id="email" placeholder="Email" required>
</div>
<div class="form-group">
<input name="password" type="password" class="form-control" id="password" placeholder="Password" required>
</div>
<div class="form-group">
<input name="rpassword" type="password" class="form-control" id="rpassword" placeholder="Repeat Password" required>
</div>
<div class="form-group">
<input name="contentID" type="text" class="form-control" id="contentID" placeholder="Enter your contentID" required>
</div>
<button name="signup" type="submit" class="btn btn-success">Register</button>
</div>
</form>
这是我目前的攻击计划:
攻击计划:
您对此攻击计划的看法是什么,或者有人知道另一种(也许更容易)实现此目的的方式。
在此先感谢您的时间和帮助:)
使用预处理语句,你很容易受到sql注入和准备语句的阻止。
<?php
include '../inc/db.php';
include '../inc/functions.php';
if (isset($_POST['signup'])) {
$fName = p_s($_POST['fName']);
$lName = p_s($_POST['lName']);
$email = p_s($_POST['email']);
$password = p_s($_POST['password']);
$rpassword = p_s($_POST['rpassword']);
$contentID = p_s($_POST['contentID']);
if (!empty($fName) && !empty($lName) && !empty($email) && !empty($password) && !empty($contentID)) {
if (strlen($password) === strlen($rpassword)) {
$options = [
'cost' => 12,
];
$password = password_hash($password, PASSWORD_BCRYPT, $options);
$created_at = date('Y-m-d G:i:s');
$sql = "INSERT INTO usersDemo (fName, lName, email, password, contentID, status, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)";
if($stmt = $conn->prepare($sql)){
$stmt->bind_param('ssssiis',$fName,$lName,$email,$password,$contentID,'approved',$created_at); //s = string i = int
/* execute query */
$stmt->execute();
}
/* free results */
$stmt->free_result();
$stmt->close();
if (mysqli_query($conn, $sql)) {
header('Location: ../signup.php?suc');exit();
}
}else{
header('Location: ../signup.php?fidpass');exit();
}
}else{
header('Location: ../signup.php?fempt');exit();
}
}