user registration php

六眼飞鱼酱① 提交于 2019-12-12 05:39:23

问题


<?php
include"include/connection.php";

$checkusername=mysql_query("SELECT * FROM employer WHERE eusername='$username'");
if (mysql_num_rows($checkusername)==1)
{
  echo "username already exist";
}
else
{
  $query = "insert into employer(efname,elname,egender,eemail,eusername,epwd,eadd,ephone,ecity,ecountry) values ('".$_POST['first_name']."','".$_POST['last_name']."','".$_POST['gender']."','".$_POST['email']."','".$_POST['username']."','".$_POST['password']."','".$_POST['address']."','".$_POST['phone']."','".$_POST['city']."','".$_POST['country']."')";
  $result = mysql_query($query) or die (mysql_error());
  echo " Thanks for registration";
}
?>

This is my code for inserting registration form data into a database. This code adds the data but also gives a parse error, but does not give the error if the username already exists.

Notice: Undefined variable: username in C:\Program Files\EasyPHP5.3.0\www\register_hirer2.php on line 6
Thanks for registration 

line 6 is:

 $checkusername=mysql_query("SELECT * FROM employer WHERE eusername='$username'");

回答1:


Well, your $username is undefined indeed.

Most probably you want to use $_POST['username'].

And of course this obligatory XKCD comic:




回答2:


If the "data source" is an html form (supposedly using method="post") you have to use $_POST['username'] when register_globals is set to off (which is the default since ...ages). see http://docs.php.net/security.globals
Also have a read of http://php.net/manual/en/security.database.sql-injection.php

<?php
include"include/connection.php";

$query = "SELECT
    *
FROM
    employer
WHERE
    eusername='". mysql_real_escape_string($username). "'
";
$checkusername=mysql_query($query) or die(mysql_error());
if (mysql_num_rows($checkusername)==1)
{
  echo "username already exist";
}
else
{
  $query = "INSERT INTO employer(efname,elname,egender,eemail,eusername,epwd,eadd,ephone,ecity,ecountry) values (". same mysql_real_escape_string() thing here for each parameter .")";
  $result = mysql_query($query) or die (mysql_error());
  echo " Thanks for registration";
}
?>

You can also use prepared statements. This way you don't need/can't forget using an escaping function.

edit and btw: you don't need the SELECT before the INSERT in order to make the username unique. Actually it will make things even harder since now you have to deal with race conditions. You'd have to lock the table between those two queries.
If you add an unique index for the username in your table MySQL will not allow the insertion of a doublet but instead return a specific error code which your script can fetch and handle without the need of dealing with race conditions.

define('ER_DUP_ENTRY', 1062);
$mysql = mysql_connect('..', '..', '..');
mysql_select_db('..', $mysql) or die(mysql_error($mysql));

$fields = array(
  'efname'=>'first_name',
  'elname'=>'last_name',
  'egender'=>'gender',
  'eemail'=>'email',
  'eusername'=>'username',
  'epwd'=>'password',
  'eadd'=>'address',
  'ephone'=>'phone',
  'ecity'=>'city',
  'ecountry'=>'country'
);

$sqlparams = array();
foreach($fields as $sql=>$form) {
  if ( !isset($_POST[$form]) ) {
    die('missing post parameter '. $form);
  }
  $sqlparams[$sql] = "'".mysql_real_escape_string($_POST[$form], $mysql)."'";
}  

$query = '
  INSERT INTO
    employer
    '. join(', ', array_keys($sqlparams)) .'
  VALUES
  ('.join(',', $sqlparams).')
';

// table:employer has been defined with "unique key idxName (eusername)"
$result = mysql_query($query, $mysql);
if ( false!==$result ) {
  echo " Thanks for registration";
}
else if ( ER_DUP_ENTRY===mysql_errno($mysql) ) {
  echo 'username already exists';
}
else {
  echo 'an error occurred';
}



回答3:


That is because you do not define $username anywhere. It looks as though you want to use $_POST['username']

mysql_query("SELECT * FROM employer WHERE eusername='{$_POST['username']}'");

Also, your code is vulnerable to a SQL Injection




回答4:


You never define $usernameanywhere, so it gives that error because you are trying to use a variable that it doesn't have a value for.




回答5:


This is most likely because you've not defined the '$username' variable. I presume that you're relying on this being populated from the incoming GET/POST data (most likely via the depreciated register_globals) which is bad practice.

As such, you'll need to either populate $username via $_POST or $_GET.

More importantly, you should update the insert query to escape the incoming 'untrusted' data using mysql_real_escape_string (e.g.: mysql_real_escape_string($_POST['username']), etc.)




回答6:


As @Yacoby said your code is vulnerable to an SQL Injection to prevent it you can use mysqli or PDO , if you would like to use mysqli use the following code:

<?php
include"include/connection.php";

$query = "SELECT
    *
FROM
    employer
WHERE
    eusername='". mysql_real_escape_string($username). "'
";
$checkusername=mysql_query($query) or die(mysql_error());
if (mysql_num_rows($checkusername)==1)
{
  echo "username already exist";
}
else
{
  $query = $conn->prepare("INSERT INTO employer(efname,elname,egender,eemail,eusername,epwd,eadd,ephone,ecity,ecountry)) values ( ? , ? , ? , ? , ? , ? , ? , ? , ? , ?)"; // preparing the insert
$query->bind_param("ssssssssss" , $variable1 , $variable2 , $variable3 , $variable4 , $variable5 , $variable6 , $variable7 , $variable8 , $variable9 , $variable10); // binding parameters
  $query->execute(); // sending the parameter values 
  $query->close(); // closing the query
  $conn->close(); // closing the connection 
  if ($query) { // checking if the query has been executed with no errors
  echo " Thanks for registration";
 }
}
?>

BE SURE TO CHANGE THE $conn AND variables to whatever you want!



来源:https://stackoverflow.com/questions/1963519/user-registration-php

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!