【发布时间】:2017-04-23 03:59:33
【问题描述】:
我正在尝试并尝试使此代码正常工作。我有两个问题 - 第一个:
//loop the fetch and concactenate into string
while ($row = $result->fetch_assoc()) {
$string .= "Team ID: ".$row[teamID]."<br>"."Team Name: ".$row[teamName] ."Class: ".$row[class] ."<br><br>";
“class”是表中正确的列标题,但未获取该列的信息。此表中的每个其他列标题都可以正常工作。
下一个问题。如果我用 $bibNumber 替换一个值,则此代码可以完美运行。为什么在这种情况下我不能使用这个变量? (或者实际上是任何变量)
//grab all rows from the table for bib# and put into array
$string = "";
$sql = "SELECT teamID, teamName, class FROM Teams WHERE bibNumber = ". $bibNumber;
$result = $conn->query($sql);
这是完整的代码块(减去 HTML)
// dont use button to check submit, just check the post var
if(isset($_POST)) {
//enter personal information into Authentication table
$firstName = check_input(@$_POST['firstName']);
$lastName = check_input(@$_POST['lastName']);
$password = trim($_POST['pass']); // do not lead with @, it ignores errors.
$hash = password_hash($password, PASSWORD_DEFAULT);
$isMaster = check_input(@$_POST['ageCheck']);
$region = check_input(@$_POST['region']);
$email = check_email(@$_POST['email']);
$region = $_POST['region'];
$teamCount = $_POST['teamCount'];// not necessary to scrub, its a select box.
$teamSqlStatement = "SELECT * FROM Authentication WHERE email='".$_POST['email']."'";
$teamSql = $conn->query($teamSqlStatement);
$row = $teamSql->fetch_array(MYSQLI_ASSOC);
if($row) {
if($password = $row['password']) {
$messageOne = "Your account has been successfully located.";
}else {
die("You already have an account but you did not enter the correct password.");
}
$bibNumber = $row['bibNumber'];
$isMaster = $row['isMaster'];
}else {
$sql = "INSERT INTO Authentication (firstName, lastName, email, password, isMaster ) VALUES ('$firstName', '$lastName', '$email', '$hash', '$isMaster')";
}
if($teamCount == 1) {
$messageTwo = "You owe $30.00 USD.";
}else {
$messageTwo = "You owe $" . (($teamCount * 25) + 5) . ".00";
}
for($i = 1; $i <= $teamCount; $i++) {
$teamNameVar = 'team' . $i . 'Name';
$teamName = $_POST[$teamNameVar];
$class = $_POST['team' . $i . 'size'];
$sql = "INSERT INTO Teams (bibNumber, teamName, class, isMaster, isLeader, region) VALUES
('$bibNumber', '$teamName', '$class', '$isMaster', '0', '$region');";
$teamSql = $conn->query($sql);
if(!$teamSql) {
echo "An error occured while adding your teams, one of the team names are likely taken.";
}
}
if ($conn->query($sql) === TRUE) {
$messageOne = $firstName . " " . $lastName . ", your personal information has been added successfully"."<br>";
$bibNumber = $conn->insert_id;
$headers = "From: someWebsite.com < p@someWebsite.com >\n";
$headers .= "Cc: testsite < p@someWebsite.com >\n";
$headers .= "X-Sender: someWebsite.com < p@someWebsite.com >\n";
$headers .= 'X-Mailer: PHP/' . phpversion();
$headers .= "X-Priority: 1\n"; // Urgent message!
$headers .= "Return-Path: signup@someWebsite.com\n"; // Return path for errors
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=iso-8859-1\n";
$subject = 'Signup Confirmation';
//grab all rows from the table for bib# and put into array
$string = "";
$sql = "SELECT teamID, teamName, class FROM Teams WHERE bibNumber = ". $bibNumber;
$result = $conn->query($sql);
//loop the fetch and concactenate into string
while ($row = $result->fetch_assoc()) {
$string .= "Team ID: ".$row[teamID]."<br>"."Team Name: ".$row[teamName] ."Class: ".$row[class] ."<br><br>";
}
$message = "We have received your registration information." . "<br>". "Your 2017 Team(s): <br><br>" .
$string . "<br>". "Please save this email for your reference";
mail($email, $subject, $message, $headers);
} else {
die("Error! You can only register once. Please contact us to fix any issues.");
}
}
【问题讨论】:
-
警告:当使用
mysqli时,您应该使用parameterized queries 和bind_param将用户数据添加到您的查询中。 请勿使用字符串插值或连接来完成此操作,因为您创建了严重的SQL injection bug。 切勿将$_POST或$_GET数据直接放入查询中,如果有人试图利用您的错误,这可能会非常有害。 -
警告:编写自己的访问控制层并不容易,而且有很多机会会严重错误。这有很多危险的SQL injection vulnerabilities,因为你没有properly escape values。此代码允许 anyone 从您的站点获取 anything。 不要编写您自己的身份验证系统。任何development framework 像Laravel 都带有一个authentication system 内置。