在php中注册表单不起作用

Question

我想在PHP中创建一个注册表单。 我检查字段是否为空。 如果一个字段是空的，我做一个$ var，如果设置了$ var，我显示错误并且不作查询。但是当我测试源时，它运行查询并且不显示错误if该字段为空..

请帮助我，我无法找到问题..

<?php 
    require_once('./lib/recaptchalib.php'); 

    $username = ($_POST["username"]); 
    $real_name = ($_POST["real_name"]); 
    $password = ($_POST["password"]); 
    $password1 = ($_POST["password1"]); 
    $email = ($_POST["email"]); 
    $socialid = ($_POST["socialid"]); 

    function generateRandomString($length = 25) { 
     $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; 
     $randomString = ''; 
     for ($i = 0; $i < $length; $i++) { 
      $randomString .= $characters[rand(0, strlen($characters) - 1)]; 
     } 
     return $randomString; 
    } 
    $random_activate = generateRandomString(); 
    require_once('./lib/config_mail.php'); 

    $scid_check = strlen($socialid); 

    if($scid_check != 7) { 
     $print_error = "Il PIN deve essere composto da 7 caratteri, al momento ne ha $scid_check"; 
     $check_errors = 1; 
    } 

    if($password != $password1) { 
     $print_error = "Le password non corrispondono!"; 
     $check_errors = 1; 
    } 

    if($username != "") { 
     $query = "SELECT * FROM $db_account.account WHERE login = '$username'"; 
     if ($result = $mysqli->query($query)) { 
      $count = $result->num_rows; 
      if($count == 1) { 
       $print_error = "Username gi&agrave presente"; 
       $check_errors = 1; 
      } 
     } 
    } 

    if($email != "") { 
     $query1 = "SELECT * FROM $db_account.account WHERE email = '$email'"; 
     if ($result1 = $mysqli->query($query1)) { 
      $count1 = $result1->num_rows; 
      if($count1 == 1) { 
       $print_error = "Indirizzo E-mail gi&agrave presente"; 
       $check_errors = 1; 
      } 
     } 
    } 

    if(!$resp->is_valid){ 
     $resp_check = 2; 
    } else { 
     $resp_check = 1; 
     $print_error = "Il codice di verifica &egrave errato!"; 
     $check_errors = 1; 
    } 


    if ($username == "" || $real_name == "" || $password == "" || $password1 == "" || $email == "" || $social_id == ""){ 
     $check_errors = 1; 
    } 

    if($check_errors == 1){ 
     $print_empty = "Uno o più campi risultano vuoti!"; 
    } else { 
     $status_account = "INACTIVE"; 
     mysqli_query($mysqli, "INSERT INTO $db_account.account (`login`,`real_name`,`password`,`email`,`social_id`,`create_time`,`gold_expire`,`silver_expire`,`safebox_expire`,`autoloot_expire`,`fish_mind_expire`,`marriage_fast_expire`,`money_drop_rate_expire`,`securitycode`,`status`) 
     VALUES ('$username','$real_name',PASSWORD('$password'),'$email','$socialid','$create_time','$gold_expire','$silver_expire','$safebox_expire','$autoloot_expire','$fish_mind_expire','$marriage_fast_expire','$money_drop_rate_expire','$random_activate','$status_account')") or die(mysqli_error($mysqli)); 
     $print_notice = "Account registrato, ti abbiamo inviato una e-mail di verifica a $email !"; 
     $to  = $email; 
     $subject = $site_name; 
     $headers = 'From: ' . $email_admin . "\r\n" . 
      'Reply-To: ' . $email_admin . "\r\n" . 
      'Content-type: text/html' . "\r\n" . 
      'X-Mailer: PHP/' . phpversion(); 
     mail($to, $subject, $message, $headers);   
    } 


?> 

Answer 1

指定字符串$ print_error或/和$ print_empty是不够的。您必须用“回声”自己输出变量的内容。

但无论如何，您的mysql查询是脆弱和不安全的！请了解“SQL注入”的所有内容。

首先阅读，请和使你的脚本更安全一点： http://php.net/manual/en/security.database.sql-injection.php