javascript - 在网站 PHP 上注册时不显示错误

Question

我有一个数据库设置，我正在制作一个网站，用户必须在其中注册他们的用户名、电子邮件和密码。但是，由于某种原因，每当我在没有输入任何信息的情况下单击注册时，它仍然会在不显示错误的情况下注册到数据库中。这是代码。

<?php

// First we execute our common code to connection to the database and start the session
require("common.php");

// This if statement checks to determine whether the registration form has been submitted
// If it has, then the registration code is run, otherwise the form is displayed
if(!empty($_POST))
{
    // Ensure that the user has entered a non-empty username
    if(empty($_POST['username']))
    {
        // Note that die() is generally a terrible way of handling user errors
        // like this.  It is much better to display the error with the form
        // and allow the user to correct their mistake.  However, that is an
        // exercise for you to implement yourself.
        $username_error = "Please enter a username";
    }

    // Ensure that the user has entered a non-empty password
    if(empty($_POST['password']))
    {
        $password_error = "Please enter a password";
    }

    // Make sure the user entered a valid E-Mail address
    // filter_var is a useful PHP function for validating form input, see:
    // http://us.php.net/manual/en/function.filter-var.php
    // http://us.php.net/manual/en/filter.filters.php
    if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
    {
       $invalid_email = "Invalid email";
    }

    // We will use this SQL query to see whether the username entered by the
    // user is already in use.  A SELECT query is used to retrieve data from the database.
    // :username is a special token, we will substitute a real value in its place when
    // we execute the query.
    $query = "
        SELECT
            1
        FROM users
        WHERE
            username = :username
    ";

    // This contains the definitions for any special tokens that we place in
    // our SQL query.  In this case, we are defining a value for the token
    // :username.  It is possible to insert $_POST['username'] directly into
    // your $query string; however doing so is very insecure and opens your
    // code up to SQL injection exploits.  Using tokens prevents this.
    // For more information on SQL injections, see Wikipedia:
    // http://en.wikipedia.org/wiki/SQL_Injection
    $query_params = array(
        ':username' => $_POST['username']
    );

    try
    {
        // These two statements run the query against your database table.
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
        // Note: On a production website, you should not output $ex->getMessage().
        // It may provide an attacker with helpful information about your code. 
        die("Failed to run query: " . $ex->getMessage());
    }

    // The fetch() method returns an array representing the "next" row from
    // the selected results, or false if there are no more rows to fetch.
    $row = $stmt->fetch();

    // If a row was returned, then we know a matching username was found in
    // the database already and we should not allow the user to continue.
    if($row)
    {
        $username_exist = "This username already exists!";
    }

    // Now we perform the same type of check for the email address, in order
    // to ensure that it is unique.
    $query = "
        SELECT
            1
        FROM users
        WHERE
            email = :email
    ";

    $query_params = array(
        ':email' => $_POST['email']
    );

    try
    {
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
        die("Failed to run query: " . $ex->getMessage());
    }

    $row = $stmt->fetch();

    if($row)
    {
        $email_registered = "This email is already registered!";
    }

    // An INSERT query is used to add new rows to a database table.
    // Again, we are using special tokens (technically called parameters) to
    // protect against SQL injection attacks.
    $query = "
        INSERT INTO users (
            username,
            password,
            salt,
            email
        ) VALUES (
            :username,
            :password,
            :salt,
            :email
        )
    ";

    // A salt is randomly generated here to protect again brute force attacks
    // and rainbow table attacks.  The following statement generates a hex
    // representation of an 8 byte salt.  Representing this in hex provides
    // no additional security, but makes it easier for humans to read.
    // For more information:
    // http://en.wikipedia.org/wiki/Salt_%28cryptography%29
    // http://en.wikipedia.org/wiki/Brute-force_attack
    // http://en.wikipedia.org/wiki/Rainbow_table
    $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));

    // This hashes the password with the salt so that it can be stored securely
    // in your database.  The output of this next statement is a 64 byte hex
    // string representing the 32 byte sha256 hash of the password.  The original
    // password cannot be recovered from the hash.  For more information:
    // http://en.wikipedia.org/wiki/Cryptographic_hash_function
    $password = hash('sha256', $_POST['password'] . $salt);

    // Next we hash the hash value 65536 more times.  The purpose of this is to
    // protect against brute force attacks.  Now an attacker must compute the hash 65537
    // times for each guess they make against a password, whereas if the password
    // were hashed only once the attacker would have been able to make 65537 different 
    // guesses in the same amount of time instead of only one.
    for($round = 0; $round < 65536; $round++)
    {
        $password = hash('sha256', $password . $salt);
    }

    // Here we prepare our tokens for insertion into the SQL query.  We do not
    // store the original password; only the hashed version of it.  We do store
    // the salt (in its plaintext form; this is not a security risk).
    $query_params = array(
        ':username' => $_POST['username'],
        ':password' => $password,
        ':salt' => $salt,
        ':email' => $_POST['email']
    );

    try
    {
        // Execute the query to create the user
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
        // Note: On a production website, you should not output $ex->getMessage().
        // It may provide an attacker with helpful information about your code. 
        die("Failed to run query: " . $ex->getMessage());
    }

    // This redirects the user back to the login page after they register
    header("Location: login.php");

    // Calling die or exit after performing a redirect using the header function
    // is critical.  The rest of your PHP script will continue to execute and
    // will be sent to the user if you do not die or exit.
    die("Redirecting to login.php");
}
?>

那是我的 PHP 代码。下面是我的 HTML 代码。请告诉我我的错误，以便我可以确保更改它。

现在由于 Stackoverflow 不支持所有 HTMl 标签，我已将其发布到 pastebin 中。

http://pastebin.com/rB8zQAdP

Answer 1

问题是当错误发生时你没有退出程序，所以它继续运行并执行查询。

您可以尝试添加一个额外的变量来确定是否有错误，您只需跳过 mysql 查询。

$isError = false;
if(empty($username))
{
   $isError = true;
}

if($isError)
{
    // Handle error
}else{
    // Execute query
}

或者将你所有的 if 语句放入一个 php 函数中，并在发生错误时抛出异常，并使用 try{} catch() 语句进行处理。

function TestSomething($username)
{
  if(empty($username))
    throw new Exception("No username");
}

try
{
  TestSomething("");
  // Execute query
}catch(Exception $ex)
{
  // Handle error
  echo $ex->getMessage(); // Prints no username
}

但是你可以在你的 try 语句中放入一个“throw new Exception("Message")”，它会停止执行程序并跳转到 catch 语句。