在网站PHP上注册时不显示错误
Does not show error when registering on website PHP
我有一个数据库设置,我正在创建一个用户必须使用用户名、电子邮件和密码注册的网站。然而,由于某种原因,每当我在没有输入任何信息的情况下点击register时,它仍然会注册到数据库中,而不会显示错误。这是代码。
<?php
// First we execute our common code to connection to the database and start the session
require("common.php");
// This if statement checks to determine whether the registration form has been submitted
// If it has, then the registration code is run, otherwise the form is displayed
if(!empty($_POST))
{
// Ensure that the user has entered a non-empty username
if(empty($_POST['username']))
{
// Note that die() is generally a terrible way of handling user errors
// like this. It is much better to display the error with the form
// and allow the user to correct their mistake. However, that is an
// exercise for you to implement yourself.
$username_error = "Please enter a username";
}
// Ensure that the user has entered a non-empty password
if(empty($_POST['password']))
{
$password_error = "Please enter a password";
}
// Make sure the user entered a valid E-Mail address
// filter_var is a useful PHP function for validating form input, see:
// http://us.php.net/manual/en/function.filter-var.php
// http://us.php.net/manual/en/filter.filters.php
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
$invalid_email = "Invalid email";
}
// We will use this SQL query to see whether the username entered by the
// user is already in use. A SELECT query is used to retrieve data from the database.
// :username is a special token, we will substitute a real value in its place when
// we execute the query.
$query = "
SELECT
1
FROM users
WHERE
username = :username
";
// This contains the definitions for any special tokens that we place in
// our SQL query. In this case, we are defining a value for the token
// :username. It is possible to insert $_POST['username'] directly into
// your $query string; however doing so is very insecure and opens your
// code up to SQL injection exploits. Using tokens prevents this.
// For more information on SQL injections, see Wikipedia:
// http://en.wikipedia.org/wiki/SQL_Injection
$query_params = array(
':username' => $_POST['username']
);
try
{
// These two statements run the query against your database table.
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}
// The fetch() method returns an array representing the "next" row from
// the selected results, or false if there are no more rows to fetch.
$row = $stmt->fetch();
// If a row was returned, then we know a matching username was found in
// the database already and we should not allow the user to continue.
if($row)
{
$username_exist = "This username already exists!";
}
// Now we perform the same type of check for the email address, in order
// to ensure that it is unique.
$query = "
SELECT
1
FROM users
WHERE
email = :email
";
$query_params = array(
':email' => $_POST['email']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
$email_registered = "This email is already registered!";
}
// An INSERT query is used to add new rows to a database table.
// Again, we are using special tokens (technically called parameters) to
// protect against SQL injection attacks.
$query = "
INSERT INTO users (
username,
password,
salt,
email
) VALUES (
:username,
:password,
:salt,
:email
)
";
// A salt is randomly generated here to protect again brute force attacks
// and rainbow table attacks. The following statement generates a hex
// representation of an 8 byte salt. Representing this in hex provides
// no additional security, but makes it easier for humans to read.
// For more information:
// http://en.wikipedia.org/wiki/Salt_%28cryptography%29
// http://en.wikipedia.org/wiki/Brute-force_attack
// http://en.wikipedia.org/wiki/Rainbow_table
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
// This hashes the password with the salt so that it can be stored securely
// in your database. The output of this next statement is a 64 byte hex
// string representing the 32 byte sha256 hash of the password. The original
// password cannot be recovered from the hash. For more information:
// http://en.wikipedia.org/wiki/Cryptographic_hash_function
$password = hash('sha256', $_POST['password'] . $salt);
// Next we hash the hash value 65536 more times. The purpose of this is to
// protect against brute force attacks. Now an attacker must compute the hash 65537
// times for each guess they make against a password, whereas if the password
// were hashed only once the attacker would have been able to make 65537 different
// guesses in the same amount of time instead of only one.
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
// Here we prepare our tokens for insertion into the SQL query. We do not
// store the original password; only the hashed version of it. We do store
// the salt (in its plaintext form; this is not a security risk).
$query_params = array(
':username' => $_POST['username'],
':password' => $password,
':salt' => $salt,
':email' => $_POST['email']
);
try
{
// Execute the query to create the user
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}
// This redirects the user back to the login page after they register
header("Location: login.php");
// Calling die or exit after performing a redirect using the header function
// is critical. The rest of your PHP script will continue to execute and
// will be sent to the user if you do not die or exit.
die("Redirecting to login.php");
}
?>
这是我的PHP代码。下面是我的HTML代码。请告诉我我的错误,这样我就可以确保更改它。
现在,由于Stackoverflow中不支持所有的HTM1标签,所以我将其发布在了pastebin中。
http://pastebin.com/rB8zQAdP
问题是,当发生错误时,您不会退出程序,因此它会继续运行并执行查询。
您可以尝试添加一个额外的变量来确定是否存在错误,然后跳过mysql查询。
$isError = false;
if(empty($username))
{
$isError = true;
}
if($isError)
{
// Handle error
}else{
// Execute query
}
或者将所有if语句放入php函数中,并在发生错误时抛出异常,然后用try{}catch()语句进行处理。
function TestSomething($username)
{
if(empty($username))
throw new Exception("No username");
}
try
{
TestSomething("");
// Execute query
}catch(Exception $ex)
{
// Handle error
echo $ex->getMessage(); // Prints no username
}
但是,您可以在try语句中放入一个"throw-new Exception("Message")",它将停止执行程序并跳到catch语句。
它仍然在注册您的信息,因为如果遇到错误,您永远不会停止执行。根据您是否只想向用户显示一条错误消息或所有错误消息,您的操作方式可能会有所不同,但一个可能的简单解决方案可能如下:
$error = false;
if(empty($_POST['username'])) {
$error = "Please enter a username";
}
if(empty($_POST['password'])) {
$error = "Please enter a password";
}
// .. further validation ..
if(!$error) {
// Insert new user
} else {
// Redirect back to form with error message(s) set
}
相关文章:
- ng消息仅在触摸时显示错误,并在错误的初始显示上转换
- ui网格日期单元格过滤器,过滤日期格式导致显示错误的日期
- java脚本的数学方程显示错误的答案
- 如果用户输入的长度小于最小长度,则显示错误消息
- Push方法显示错误
- Javascript设置日期不起作用,显示错误的时间
- 显示错误的Ajax调用无法调试
- 显示错误结果的Javascript
- 分页逻辑显示错误的页码
- 如何显示错误消息
- 表单提交没有'如果为空,则不会显示错误消息
- 使用RecordRTC录制的WebRTC视频在IE和Safari中显示错误
- 如何仅在存在最小值和最大值时才显示错误消息
- AngularJS错误处理:根据错误数组显示错误
- PHP 显示错误的名称值
- 在 api 调用$resource显示错误和成功消息
- 为什么 Angularjs 总是显示错误消息
- 在单选按钮验证中同时显示错误消息
- jQuery'摇动'功能显示错误
- Jquery添加更多和删除冲突并显示错误值
