
I'm relatively new to PHP, and I'm trying to build a register + login system. I run into a problem when I try to insert the user's "username" and "password" into the database securely.

I get the following error:

http://puu.sh/2SUOg.png

I'm following this guide...

How can I prevent SQL injection in PHP?

..and unless I'm blind and 30 minutes of searching/googling has failed me, my syntax looks correct?

Any ideas?

The error points at line 107.

<?php include('assets/repository/mysql.php') ?>

<?php
  /* 
  * -------------------------------------------------------------------------------------
  * -------------------- VARIABLE DECLARATION & SQL CONNECTION STUFF --------------------
  * -------------------------------------------------------------------------------------
  */

  // variable declaration from previous page (register/login page)
  $EMAIL                 = strtoupper($_POST["email"]);
  $PASSWORD              = $_POST["password"];
  $PASSWORD_CONFIRMATION = $_POST["passwordConfirmation"];
?>

<?php
  /*
  * -------------------------------------------------------------------------------------
  * ---------------------------- REGISTRATION FORM VALIDATION ---------------------------
  * -------------------------------------------------------------------------------------
  * loginerr=0 -> passwords don't match
  * loginerr=1 -> username already exists in DB
  * loginerr=2 -> registration is currently disabled
  * loginerr=3 -> password is too long and/or too short
  * loginerr=4 -> email isn't in proper format
  * loginerr=5 -> email is too long and/or too short
  */

  // ----- Do passwords match? loginerr=0 -----
  // Working 2013/05/13
  if($PASSWORD != $PASSWORD_CONFIRMATION){
    header('Location: http://127.0.0.1/login.php?loginerr=0') ;
    exit();
  }

  // ----- Does username already exist in the DB? loginerr=1 -----
  // Working 2013/05/13
  $findUserQuery = "SELECT * FROM `users` WHERE Email='".$EMAIL."'";
  $result = $dbConnection->query($findUserQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=1');
    exit();
  }

  // ----- Is registration currently allowed in the system? loginerr=2 -----
  // Working 2013/05/13
  $isRegistrationEnabledQuery = "SELECT * FROM `global_settings` WHERE Registration_enabled='0'";
  $result = $dbConnection->query($isRegistrationEnabledQuery) or die($dbConnection->error.__LINE__);
  if($result->num_rows > 0){
    header('Location: http://127.0.0.1/login.php?loginerr=2');
    exit();
  }

  // ----- Is password greater than 4 characters, less than 32 characters? loginerr=3 -----
  // Working 2013/05/13
  if(strlen($PASSWORD) > 32 || strlen($PASSWORD) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=3');
    exit();
  }

  // ----- Is email in proper format? (regex) loginerr=4 -----
  // Working 2013/05/13
  if(!filter_var($EMAIL, FILTER_VALIDATE_EMAIL)){
    header('Location: http://127.0.0.1/login.php?loginerr=4');
    exit();
  }

  // ----- Is email greater than 4 characters, less than 32 characters? loginerr=5 -----
  // Working 2013/05/13
  if(strlen($EMAIL) > 32 || strlen($EMAIL) < 4){
    header('Location: http://127.0.0.1/login.php?loginerr=5');
    exit();
  }
?>

<?php
  /*
  * -------------------------------------------------------------------------------------
  * ------------------------- PASSED ALL CHECKS - INSERT INTO DB ------------------------
  * -------------------------------------------------------------------------------------
  */

  //TODO: Hash password + salt + pepper?

  // Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
  $query = $dbConnection->prepare(
    'INSERT INTO users (
      EMAIL,PASSWORD
    ) VALUES (
      :email,:password
    )'
  );

  // Replacing the ":XXXXX" in the above statement with the actual values we want to insert
  $query->execute(array(':email' => $EMAIL, ':password' => $PASSWORD)) or die($dbConnection->error.__LINE__);

  // Perform the actual query; and if it returns false (AKA if there is an error), print the error
  /*if (!mysqli_query($dbConnection,$query)){
    die('Error: ' . mysqli_error($dbConnection));
  }*/

  // Never forget to close the connection, otherwise memory leaks will happen!
  mysqli_close($dbConnection);
?>

<?php include('header.php') ?>
<?php include('footer.php') ?>

1 Answer


It looks like you're using PDO syntax instead of mysqli.

Replace from Ln. 96 to Ln. 107 with

// Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
// mysqli uses positional "?" placeholders, not PDO-style ":name" placeholders
$query = 'INSERT INTO users (
            EMAIL,
            PASSWORD
          ) VALUES (
            ?,
            ?
          )';

// $dbConnection is the mysqli connection object from assets/repository/mysql.php
$stmt = $dbConnection->prepare($query);
// "ss" = two string parameters, bound in the order of the "?" placeholders
$stmt->bind_param("ss", $EMAIL, $PASSWORD);
$stmt->execute();
Answered 2013-05-13T22:46:46.640
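The following is an added example, not code from the question or the answer above. It puts the answer's `?`/`bind_param()` pattern into a complete mysqli-only registration path: the duplicate-email lookup (which in the question concatenates `$EMAIL` into the SQL string before the format check has run) is parameterized as well, validation happens before the database is touched, the `TODO` about hashing is resolved with `password_hash()`/`password_verify()`, and `MYSQLI_REPORT_STRICT` makes a failed `prepare()` throw instead of returning `false`. It assumes the question's schema (`users` with `EMAIL` and `PASSWORD` columns) with `PASSWORD` wide enough for a bcrypt string (e.g. `VARCHAR(255)`); the function names and the connection parameters in the usage comment are assumptions.

```php
<?php
// Added example (not the question's or the answer's code). Assumes the question's
// `users` table with EMAIL and PASSWORD columns; PASSWORD must hold a 60-char bcrypt hash.
declare(strict_types=1);

// Throw mysqli_sql_exception on failure instead of silently returning false,
// so a bad placeholder style in prepare() is reported immediately.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function normalizeEmail(string $email): string
{
    return strtoupper(trim($email)); // the question uppercases the email before storing it
}

/**
 * Returns true when an account with this email already exists.
 * The email is bound as a parameter, so it never becomes part of the SQL text.
 */
function emailExists(mysqli $db, string $email): bool
{
    $stmt = $db->prepare('SELECT 1 FROM `users` WHERE EMAIL = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

/**
 * Runs the question's checks (confirmation match, lengths, email format, duplicate)
 * before touching the database, then inserts the account.
 * Returns one of the question's loginerr codes on failure, or null on success.
 */
function registerUser(mysqli $db, string $email, string $password, string $confirmation): ?int
{
    $email = normalizeEmail($email);

    if ($password !== $confirmation) {
        return 0; // passwords don't match
    }
    if (strlen($password) < 4 || strlen($password) > 32) {
        return 3; // password is too short or too long
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 4; // email isn't in proper format
    }
    if (strlen($email) < 4 || strlen($email) > 32) {
        return 5; // email is too short or too long
    }
    if (emailExists($db, $email)) {
        return 1; // username already exists in DB
    }

    // Never store the cleartext password: password_hash() generates a random
    // salt and encodes salt, cost and algorithm into the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Positional "?" placeholders; values are sent separately from the SQL text.
    $stmt = $db->prepare('INSERT INTO `users` (EMAIL, PASSWORD) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    $stmt->close();
    return null;
}

/**
 * Login check that pairs with registerUser(): fetch the stored hash by email
 * and let password_verify() do the comparison.
 */
function checkLogin(mysqli $db, string $email, string $password): bool
{
    $email = normalizeEmail($email);
    $stmt = $db->prepare('SELECT PASSWORD FROM `users` WHERE EMAIL = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    return $found === true && password_verify($password, $storedHash);
}

// Usage (placeholder connection values; replace with your own):
// $db  = new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $err = registerUser($db, $_POST['email'], $_POST['password'], $_POST['passwordConfirmation']);
// if ($err !== null) {
//     header('Location: http://127.0.0.1/login.php?loginerr=' . $err);
//     exit();
// }
```

When `execute()` fails on a prepared statement, the message lives in `$stmt->error`, not `$dbConnection->error`; with strict reporting enabled as above you get an exception with that message instead of having to check either.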