-3
我目前很难理解为什么下面的脚本将成功返回给浏览器,但实际上并没有将数据插入到数据库中。 我知道我使用旧的MySQL指令,但我怀疑这应该是造成这个问题。 由于提前阿利斯泰尔PHP没有插入到MySQL数据库中
<?php
ob_start();
$host="localhost"; // Host name
$username="XXXXXX"; // Mysql username
$password="XXXXXXXXXXXXXXXXXXX"; // Mysql password
$db_name="XXXXXXXX"; // Database name
$tbl_name="XXXXXXXXXX"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define Variables
$myusername=$_POST['username'];
$password1=$_POST['password1'];
$password2=$_POST['password2'];
$emailadd=$_POST['emailadd'];
if($password1==$password2){
//Ecnrypt Password Using SHA512
$password1 = hash("sha512", $password1);
}
else {
//Passwords don't match return user to form with parameter
header("location:adduser.php?pwnomatch");
}
//Check user doesn't already exist
$sqlcheckuser="SELECT * FROM $tbl_name WHERE username='$username'";
$result1=mysql_query($sqlcheckuser);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result1);
//If user exists redirect back to login form
if($count==1){
header("location:adduser.php?userexist");
}
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($myusername);
$password1 = stripslashes($mypassword);
$emailadd = stripslashes($emailladd);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$emailadd = mysql_real_escape_string($emailladd);
$sqlinsertuser="INSERT INTO $tbl_name ('username', 'password', 'emailaddress' VALUES ($username, $password1, $emailadd)";
mysql_query($sqlinsertuser);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result2);
// Register user then redirect to "viewuser.php" with success parameter
header("location:viewuser.php?success");
ob_end_flush();
?>
SQL注入,我来了。 :) – hjpotter92 2013-03-23 11:46:24