わかりました、私のユーザー登録スクリプトにわずかな問題があります。何らかの理由で、コード内にあるにもかかわらず、フォーム フィールド pass1 と pass2 が同じであることを確認していません。アイデアはありますか? レビューのために、登録コードを以下に完全に記載します。私はPHPにまったく慣れていないので、アドバイスをいただければ幸いです。よろしくお願いします。:-)
登録スクリプト。
<?php
ob_start(); // Start output buffering
function isLoggedIn()
{
if(isset($_SESSION['valid']) && $_SESSION['valid'])
return true;
return false;
}
session_start();
//if the user has not logged in
if(!isLoggedIn())
{
header('Location: ../index.php');
die();
}
?>
<?php require_once('../Connections/PropSuite.php'); ?>
<?php
error_reporting(E_ALL & ~E_NOTICE);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE);
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
$colname_user = "-1";
if (isset($_SESSION['username'])) {
$colname_user = $_SESSION['username'];
}
mysql_select_db($database_Takeaway, $Takeaway);
$query_user = sprintf("SELECT type FROM admin_users WHERE username = %s", GetSQLValueString($colname_user, "text"));
$user = mysql_query($query_user, $Takeaway) or die(mysql_error());
$row_user = mysql_fetch_assoc($user);
$totalRows_user = mysql_num_rows($user);
// Username available.
//form begins
$user_type = $row_user['type'];
if ($user_type === 'admin-full')
{
//retrieve our data from POST
$name = $_POST['name'];
$username = $_POST['username'];
$email = $_POST['email'];
$pass1 = $_POST['pass1'];
$pass2 = $_POST['pass2'];
if($pass1 != $pass2)
header('Location: register-admin.php?pw=notmatched');
if(strlen($username) > 30)
header('Location: register-admin.php?username=toolong');
if(strlen($name) > 40)
header('Location: register-admin.php?name=toolong');
$hash = hash('sha256', $pass1);
//creates a 3 character sequence
function createSalt()
{
$string = md5(uniqid(rand(), true));
return substr($string, 0, 3);
}
$salt = createSalt();
$hash = hash('sha256', $salt . $hash);
mysql_select_db($database_Takeaway, $Takeaway);
//sanitize username
$username = mysql_real_escape_string($username);
$q = "SELECT id, username FROM admin_users WHERE username = '$username'";
$results = @mysql_query($q);
if(mysql_num_rows($results) > 0)
{
// Username exists.
header('Location: register-admin.php?username-taken');
}
else
{
$query = "INSERT INTO admin_users ( type, email, name, username, password, salt )
VALUES ( 'admin-full', '$email', '$name', '$username' , '$hash' , '$salt' );";
mysql_query($query);
mysql_close();
header('Location: ../main?NewUserAdded');
}
mysql_free_result($user);
}
else {
?>
You are not authorised to do that!
<?php } ?>
アップデート
フォームコードは
<form name="register" action="register-admin1.php" method="post">
<?php if (isset($_REQUEST["username-taken"])) { ?>
<p style="color: #F00">Username already exists! please try again</p>
<?php } ?>
<?php if (isset($_REQUEST["pw=notmatched"])) { ?>
<p style="color: #F00">Username already exists! please try again</p>
<?php } ?>
<p>Register New Admin User<br />
(Note! Admin users are top level and will have access to everything!)
<br />
</p>
<p>Name:
<input name="name" type="text" id="name" maxlength="30" />
</p>
<p>Email:
<input name="email" type="text" id="email" maxlength="30" />
</p>
<p>Username:
<input type="text" name="username" maxlength="30" />
</p>
<p>
Password:
<input type="password" name="pass1" />
</p>
<p>Password Again:
<input type="password" name="pass2" />
</p>
<p>
<input type="submit" value="Register" />
</p>
</form>