PHP 和 MySQL，表单 token 问题

Question

我是 PHP 的新手，正在尝试实现一种可以将用户添加到数据库的方法，我正在学习教程，在我开始工作之前，它工作正常，但现在，它停在了这里声明:

//Check the form token is valid
else if($_POST['formToken'] != $_SESSION['formToken'])
{
    $message = 'Invalid form submission';
}

有什么我想念的吗？完整代码:

添加用户.php

<?php

//Begin our session
session_start();

//set a form token
$formToken = md5( uniqid('auth', true) );

//set the session form token
$_SESSION['formToken'] = $formToken;
?>

<html>
    <head>
        <title>Login</title>
    </head>

    <body>
        <h2>Add User</h2>
        <form action="addUserSubmit.php" method="post">
            <fieldset>
                <p>
                    <label for="Username">Username</label>
                    <input tupe="text" id="Username" name="Username" value="" maxlength="20" />
                </p>

                <p>
                    <label for="Password">Password</label>
                    <input tupe="text" id="Password" name="Password" value="" maxlength="20" />
                </p>
                <p>
                    <input type="hidden" name="formToken" vale="<?php echo $formToken; ?>" />
                    <input type="submit" value="$rarr; Login" />
                </p>
            </fieldset>
        </form>
    </body>
</html>

addUserSubmit.php

<?php

//begin our session
session_start();

//Check if username, password and form token have been sent
if(!isset($_POST['Username'], $_POST['Password'], $_POST['formToken']))
{
    $message = 'Please enter a valid username and password';
}

//Check the form token is valid
else if($_POST['formToken'] != $_SESSION['formToken'])
{
    $message = 'Invalid form submission';
}

//Check the username is the correct length
else if (strlen($_POST['Username']) > 20 || strlen($_POST['Usernamw']) < 4)
{
    $message = 'Incorrect Username lenght, please try again';
}

//Check the username only has alpha numeric characters
else if (ctype_alnum($_POST['Username']) != true)
{
    $message = "Username must be alpha numeric";
}

else if (ctype_alnum($_POST['Password']) != true)
{
    $message = "Password must be alpha numeric";
}
else
{
    //Enter the data into the database
    $username = filter_var($_POST['Username'], FILTER_SANITIZE_STRING);
    $password = filter_var($_POST['Password'], FILTER_SANITIZE_STRING);

    //Encrypt the password
    $password = shal($password);

    //Connect to the database
    $SQLusername = "name";
    $SQLpassword = "password";
    $SQLhostname = "localhost"; 
    $databaseName = "jfitness";

    try
    {
        //connection to the database
        $dbhandle = mysql_connect($SQLusername, $SQLpassword, $SQLhostname) 
          or die("Unable to connect to MySQL");
        echo "Connected to MySQL<br>";

        //select a database to work with
        $selected = mysql_select_db($databaseName, $dbhandle)
                or die("Could not select database");

        $sql = "INSERT INTO 
                customers (Username, Password)
                VALUES
                ('$_POST[$username]','$_POST[$password]')";
        if(!mysql_query($sql, $dbhandle))
        {
          die('Error: ' . mysql_error());
        }
        echo "1 record added";

        //close the connection
        mysql_close($dbhandle);

    } 
    catch (Exception $ex) 
    {

    }
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<p><?php echo $message; ?>
</body>
</html>

Answer 1

我认为有一个错字..尝试更改，

<input type="hidden" name="formToken" vale="<?php echo $formToken; ?>" />

到:

<input type="hidden" name="formToken" value="<?php echo $formToken; ?>" />