0
我有点困惑在PHP Prepared Statements
,我已经在YouTube上观看下面的教程:https://www.youtube.com/watch?v=aN5KqxK1slcPHP:一个基于面向对象项目中预处理语句
我已经收到了我的当前下列注意事项后mysqli的源代码:
你是敞开的,以SQL注入和真的应该准备使用 报表而不将您的疑问。特别是因为 你根本没有逃避用户输入!
我的问题:
我将如何准备,因为我创建了语句的语法我寄存器类别内部,并且仅通过语句来我数据库类执行语句它使用execute_query
函数?
我只是准备execute_query
函数中的语句,并检查它的一个语句INSERT
或SELECT
然后准备值?
我很欣赏任何形式的建议和反馈。
我当前的代码如下所示:
注册类:
<?php
class register extends database
{
function __construct($username, $password, $email)
{
$this->username = $username;
$this->password = password_hash($password, PASSWORD_DEFAULT);
$this->email = $email;
$this->activation_id = $this->generateActivationId();
$this->sender_email = '[email protected]';
$this->activation_link = 'http://url.com/folder/activate.php?id=' . $this->activation_id;
$this->database = new database();
}
function generateActivationId()
{
$generator = bin2hex(random_bytes(10));
return $generator;
}
function registerAccount()
{
$this->database->connect();
$user_lookup = $this->database->execute_query("SELECT * FROM users WHERE username = '" . $this->username . "'");
if (mysqli_num_rows($user_lookup) > 0)
{
return false;
}
else
{
$this->database->execute_query("INSERT INTO users (username, password, email, activation_id) VALUES ('" . $this->username . "', '" . $this->password . "', '" . $this->email . "', '" . $this->activation_id . "')");
$user_lookup_comfirm = $this->database->execute_query("SELECT * FROM users WHERE username = '" . $this->username . "'");
if (mysqli_num_rows($user_lookup_comfirm) > 0)
{
$this->sendRegisterEmail();
return true;
}
else
{
return false;
}
}
}
function sendRegisterEmail()
{
$subject = 'Registration - Activate your account';
$message = 'Thank you for registering. Please activate your account by visiting the following site: <a href="' . $this->activation_link . '">Website link</a>';
$headers = 'From: ' . $this->sender_email . "\r\n" .
'Reply-To: ' . $this->sender_email . "\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($this->email, $subject, $message, $headers);
}
}
?>
数据库类:
<?php
class database
{
function __construct()
{
$this->dBusername = 'xxx';
$this->dBpassword = 'xxx';
$this->dBhost = 'localhost';
$this->dBdatabase = 'xxx';
$this->dBcharset = 'utf8';
}
function connect()
{
$mysqli = new mysqli($this->dBhost, $this->dBusername, $this->dBpassword, $this->dBdatabase);
if ($mysqli->connect_errno)
{
$this->_mysqli = false;
}
else
{
$mysqli->set_charset($this->charset);
$this->_mysqli = $mysqli;
}
}
function execute_query($sql)
{
if($results = $this->_mysqli->query($sql))
{
return $results;
}
else
{
return false;
}
}
}
?>
''''''''''* * * *摆脱它,直接使用mysqli或PDO实例。 – deceze
所以我应该创建一个完整的数据库处理程序类,它创建一个mysqli实例,然后准备那里的语句并从注册类中调用这些函数? – stackvisual
您应该直接使用MySQLi或PDO接口。你不需要包装,它最终会导致比在大多数情况下解决头痛更多的头痛。 – Qirel