stackoom
  简体   繁体   中英

Insert data PHP/PDO for user registration

 原文  2013-01-19 18:42:36       php/ mysql/ pdo

Question

Im trying to create a user registration page using PDO, I've never worked with this before so im having trouble understanding how the values are inserted into my table.

Can anybody see whats going wrong with my code? 

<?php

include_once ('/_includes/classes/connection.class.php');

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$password = $_POST['password'];
$accounttype = $_POST['accounttype'];

$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES ($firstname,$lastname,$email,$password,$accounttype)";
echo $query;
$count = $dbh->exec($query);
$dbh = null;

?>

<?php

$dsn = 'mysql:host=localhost;dbname=site.co.uk';
$username = 'access@site.co.uk';
$password = 'password';
$options = array(
    PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
); 
$dbh = new PDO($dsn, $username, $password, $options);

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$userpassword = $_POST['password'];
$accounttype = $_POST['accounttype'];

$query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES (:firstname,:lastname,:email,:password,:accounttype)";
$stmt = $dbh->prepare($query);
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':password', $userpassword);
$stmt->bindParam(':accounttype', $accounttype);
$stmt->execute();

?>

4 answers

solution1
 2  2013-01-19 18:44:24

Never do it the way you didt, cause of SQL Injections

Use prepared statements.

http://php.net/manual/de/pdo.prepared-statements.php 

<?php

require_once ('_includes/classes/connection.class.php');

$stmt = $dbh->prepare('INSERT INTO users (firstname,lastname,email,password,accounttype) VALUES (:firstname,:lastname,:email,:password,:accounttype)');
$stmt->execute(array($_POST));

What is going wrong is, that you forget the quotes for your values. But in case of prepared statements you dont need quotes.

http://www.w3schools.com/sql/sql_insert.asp

And please dont save plain text passwords into the database, use hashes

Secure hash and salt for PHP passwords

Better use "require" or "require_once" if you realy need the includet file.

http://php.net/manual/en/function.require.php

solution2
 2  2013-01-19 18:48:24

  1. include_once ('/_includes/classes/connection.class.php'); will never include anything. There are no _includes directory in the root of the local filesystem
  2. As you didn't mention any errors - so, you don't have proper error reporting set.

Can anybody see whats going wrong with my code?

There can be other errors but watching code is not the way to go. One have to run the code, to debug it, and watch the errors occurred.

the only thing I have to add as a side note - your code is as WET as a flood. Look at it: you're writing every field name SIX times!

  • $firstname = $_POST['firstname']; - 2x
  • (firstname) VALUES (:firstname)` - 2x
  • bindParam(':firstname', $firstname); - 2x

with total of 6 repetitions

solution3
 1  2013-01-19 18:47:44

You need to bind the values rather than use string concatenation. 

  $dsn = 'mysql:host=localhost;dbname=mydb';
  $username = 'myun';
  $password = 'mypw';
  $options = array(
      PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
  ); 
  $dbh = new PDO($dsn, $username, $password, $options);
  $query = "INSERT INTO users(firstname,lastname,email,password,accounttype) VALUES
        (:firstname,:lastname,:email,:password,:accounttype)";
  $stmt = $dbh->prepare($query);
  $stmt->bindParam(':firstname', $firstname);
  $stmt->bindParam(':lastname', $lastname);
  //etc
  $stmt->execute();

solution4
 0  2013-01-19 19:08:20

You should really use prepared statements. You should do something more like this, assuming:

  • $dbh is a PDO object
  • You've checked the $_POST array to ensure it contains all the fields you think it should
  • You fix your include statement
  • You choose to save hashed passwords in your database instead of storing them plaintext

Your code would be more like this. 

<?php

error_reporting(E_ALL);

include_once ('_includes/classes/connection.class.php');

$_POST['password'] = hash('md5', $_POST['password']);

$statement = $dbh->prepare("INSERT INTO 
    users(firstname,lastname,email,password,accounttype) 
    VALUES (:firstname, :lastname, :email, :password, :accounttype)");
if ($statement->execute($_POST) !== true) {
    // there was some kind of error
    // perhaps $statement->errorInfo() will tell you something
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Insert data to array php pdo PHP Registration Script - Insert Data PHP PDO registration not working? unable to insert the data values using pdo in PHP PHP:PDO: Why wont my data insert? PHP Unable to insert data into database using PDO Insert data into Database using php PDO php mysql pdo bindparam data not insert Data won't insert into Database [php][pdo] PHP pdo and security for taking data (insert)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM