努力查看这里的错误是什么,尝试使用密码盐将一些字段提交到数据库中,也将新用户添加到我的网站(我将提高安全性),但当我得到var_dump
的结果是否正确,请参阅下文,因为我无法发现问题?
表格如下:
<form action="actions/add_emp.php" method="post">
<input type="text" name="user" placeholder="Username" required="required" /><br/>
<input type="text" name="pass" type="password" placeholder="Password"/></label><br/>
<input type="text" name="firstname" id="name" required="required" placeholder="Firstname"/><br />
<input type="text" name="lastname" id="email" required="required" placeholder="Lastname"/><br/>
<input type="email" name="emailAddress" id="city" required="required" placeholder="Email Address"/><br/>
<input type="text" name="extension" id="extension" required="required" placeholder="Extension Number"/><br/>
<select name="title">
<option selected disabled>Please Select a Job Title...</option>
<option disabled></option>
<option disabled>Helpesk:</option>
<option value="Technical Support Advisor">Technical Support Advisor</option>
<option value="Deputy Team Leade">Deputy Team Leader</option>
<option value="Team Leader">Team Leader</option>
<option value="Incident Resolution Advisor">Incident Resolution Advisor</option>
<option disabled></option>
<option disabled>Call Centre:</option>
<option value="Technical Support Advisor">Technical Support Advisor</option>
<option value="">Deputy Team Leader</option>
<option value="">Team Leader</option>
<option disabled></option>
</select>
<br><br>
<input type="submit" value="Add User" name="submit"/><br />
</form>
这是 ActionScript :
<?
error_reporting(E_ALL);
ini_set('display_errors', 1);
if(isset($_POST['submit'])){
include_once'../../config.php';
$dbh = new PDO("mysql:host=$hostname;dbname=dashboardr",$username,$password);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if(isset($_POST['user']) && isset($_POST['pass'])){
$password=$_POST['pass'];
$sql=$dbh->prepare("SELECT COUNT(*) FROM `user_login` WHERE `username`=?");
$sql->execute(array($_POST['user']));
if($sql->fetchColumn()!=0){
die("User Exists");
}else{
function rand_string($length) {
$str="";
$chars = "MY SALT LIVES HERE - NOT THE MOST SECURE I KNOW!";
$size = strlen($chars);
for($i = 0;$i < $length;$i++) {
$str .= $chars[rand(0,$size-1)];
}
return $str;
}
$p_salt = rand_string(20);
$site_salt="MYCUSTOMSALT";
$salted_hash = hash('sha256', $password.$site_salt.$p_salt);
$sql=$dbh->prepare("INSERT INTO `user_login` (`id`, `username`, `password`, `psalt`, `firstname`, `lastname`, `emailAddress`, `extension`)
VALUES (NULL, ?, ?, ?, '".$_POST["firstname"]."','".$_POST["lastname"]."','".$_POST["emailAddress"]."','".$_POST["extension"]."';");
var_dump($sql);
$sql->execute(array($_POST['user'], $salted_hash, $p_salt));
header ('Location: ../list_emp.php');
}
}
}
?>
我对 PDO 还很陌生,所以我仍在学习中。
哦,这是 var_dump 的结果:
object(PDOStatement)#3 (1) { ["queryString"]=> string(203) "INSERT INTO `user_login` (`id`, `username`, `password`, `psalt`, `firstname`, `lastname`, `emailAddress`, `extension`) VALUES (NULL, ?, ?, ?, 'firstname','lastname','email@email.com','1234';" }
这是错误:
fatal error :未捕获异常“PDOException”,消息为“SQLSTATE[42000]:语法错误或访问冲突:1064 您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,了解在/Applications/MAMP/htdocs/dashboardr v3.2.3/admin/actions/add_emp.php:72 中的“第 2 行”附近使用的正确语法堆栈跟踪:#0/Applications/MAMP/htdocs/dashboardr v3.2.3/admin/actions/add_emp.php(72): PDOStatement->execute(Array) #1 {main} 抛出/Applications/MAMP/htdocs/dashboardr v3.2.3/admin/actions/add_emp.php 第 72 行
最佳答案
问题是查询中没有右括号。
INSERT INTO `user_login` (`id`, `username`, `password`, `psalt`, `firstname`, `lastname`, `emailAddress`, `extension`)
VALUES (NULL, ?, ?, ?, 'firstname','lastname','email@email.com','1234';
需要
INSERT INTO `user_login` (`id`, `username`, `password`, `psalt`, `firstname`, `lastname`, `emailAddress`, `extension`)
VALUES (NULL, ?, ?, ?, 'firstname','lastname','email@email.com','1234');
但是您的代码有更严重的问题。您使用的准备好的语句是错误的。更多内容敬请关注....
您永远不会将用户输入直接放入查询中。这是准备语句和参数的原因。您可以使用占位符 ?
,然后在执行语句中绑定(bind)参数,如下所示:
$sql=$dbh->prepare("INSERT INTO `user_login` (`id`, `username`, `password`, `psalt`, `firstname`, `lastname`, `emailAddress`, `extension`)
VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)");
$sql->execute(
array($_POST['user'], $salted_hash, $p_salt, $_POST["firstname"], $_POST["lastname"], $_POST["emailAddress"], $_POST["extension"])
);
关于php - PDO Uncaught Error 过帐表单数据,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30547363/