私はPHPに比較的慣れていないので、登録+ログインシステムを作ろうとしています。ユーザーの「ユーザー名」と「パスワード」をデータベースに安全に挿入しようとすると、問題が発生します。
次のエラーが表示されます。
私はこのガイドに従っています...
PHPでSQLインジェクションを防ぐにはどうすればよいですか?
..そして、私が盲目で、30分間の検索/グーグルが失敗しない限り、私の構文は正しいように見えますか?
何か案は?
エラーは行 107 を指しています。
<?php include('assets/repository/mysql.php') ?>
<?php
/*
* -------------------------------------------------------------------------------------
* -------------------- VARIABLE DECLARATION & SQL CONNECTION STUFF --------------------
* -------------------------------------------------------------------------------------
*/
// variable declaration from previous page (register/login page)
$EMAIL = strtoupper($_POST["email"]);
$PASSWORD = $_POST["password"];
$PASSWORD_CONFIRMATION = $_POST["passwordConfirmation"];
?>
<?php
/*
* -------------------------------------------------------------------------------------
* ---------------------------- REGISTRATION FORM VALDIATION ---------------------------
* -------------------------------------------------------------------------------------
* loginerr=0 -> passwords don't match
* loginerr=1 -> username already exists in DB
* loginerr=2 -> registration is currently disabled
* loginerr=3 -> password is too long and/or too short
* loginerr=4 -> email isn't in proper format
* loginerr=5 -> email is too long and/or too short
*/
// ----- Do passwords match? loginerr=0 -----
// Working 2013/05/13
if($PASSWORD != $PASSWORD_CONFIRMATION){
header('Location: http://127.0.0.1/login.php?loginerr=0') ;
exit();
}
// ----- Does username already exist in the DB? loginerr=1 -----
// Working 2013/05/13
$findUserQuery = "SELECT * FROM `users` WHERE Email='".$EMAIL."'";
$result = $dbConnection->query($findUserQuery) or die($dbConnection->error.__LINE__);
if($result->num_rows > 0){
header('Location: http://127.0.0.1/login.php?loginerr=1');
exit();
}
// ----- Is registration currently allowed in the system? loginerr=2 -----
// Working 2013/05/13
$isRegistrationEnabledQuery = "SELECT * FROM `global_settings` WHERE Registration_enabled='0'";
$result = $dbConnection->query($isRegistrationEnabledQuery) or die($dbConnection->error.__LINE__);
if($result->num_rows > 0){
header('Location: http://127.0.0.1/login.php?loginerr=2');
exit();
}
// ----- Is password greater than 4 characters, less than 32 characters? loginerr=3 -----
// Working 2013/05/13
if(strlen($PASSWORD) > 32 || strlen($PASSWORD) < 4){
header('Location: http://127.0.0.1/login.php?loginerr=3');
exit();
}
// ----- Is email in proper format? (regex) loginerr=4 -----
// Working 2013/05/13
if(!filter_var($EMAIL, FILTER_VALIDATE_EMAIL)){
header('Location: http://127.0.0.1/login.php?loginerr=4');
exit();
}
// ----- Is email greater than 4 characters, less than 32 characters? loginerr=5 -----
// Working 2013/05/13
if(strlen($EMAIL) > 32 || strlen($EMAIL) < 4){
header('Location: http://127.0.0.1/login.php?loginerr=5');
exit();
}
?>
<?php
/*
* -------------------------------------------------------------------------------------
* ------------------------- PASSED ALL CHECKS - INSERT INTO DB ------------------------
* -------------------------------------------------------------------------------------
*/
//TODO: Hash password + salt + pepper?
// Preparing our query statement via mysqli which will auto-escape all bad characters to prevent injection
$query = $dbConnection->prepare(
'INSERT INTO users (
EMAIL,PASSWORD
) VALUES (
:email,:password
)'
);
// Replacing the ":XXXXX" in the above statement with the actual values we want to insert
$query->execute(array(':email' => $EMAIL, ':password' => $PASSWORD)) or die($dbConnection->error.__LINE__);
// Perform the actual query; and if it returns false (AKA if there is an error), print the error
/*if (!mysqli_query($dbConnection,$query)){
die('Error: ' . mysqli_error($dbConnection));
}*/
// Never forget to close the connection, otherwise memory leaks will happen!
mysqli_close($dbConnection);
?>
<?php include('header.php') ?>
<?php include('footer.php') ?>