Failure to Check Input Data
A classic example of a runtime error occurs when you are dealing with user input data and
you forget to apply addslashes() to it. Escaping with addslashes() is not a complete defence on its own; the prepared-statement version further down this page binds the form values as parameters instead of concatenating them into the SQL string.
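function register($username, $email, $password) {
    // Register a new person in the db.
    // Returns true on success; throws Exception on any failure.
    //
    // Parameters:
    //   $username - desired login name (untrusted form input)
    //   $email    - contact address (untrusted form input)
    //   $password - plain-text password (untrusted); only its hash is stored
    //
    // Every user-supplied value is bound as a prepared-statement parameter
    // instead of being spliced into the SQL text, so quotes or other special
    // characters in the input cannot change the meaning of the statements.
    // NOTE(review): assumes db_connect() returns a mysqli connection, as the
    // ->query()/num_rows usage of the original suggests - confirm.

    // connect to db
    $conn = db_connect();

    // check if username is unique
    $stmt = $conn->prepare('select * from user where username = ?');
    if (!$stmt || !$stmt->bind_param('s', $username) || !$stmt->execute()) {
        throw new Exception('Could not execute query');
    }
    // store_result() makes num_rows available without needing mysqlnd's get_result()
    $stmt->store_result();
    $taken = $stmt->num_rows > 0;
    $stmt->close();
    if ($taken) {
        throw new Exception('That username is taken - go back and choose another one.');
    }

    // if ok, put in db
    // password_hash() gives a salted, slow hash (instead of the original's raw
    // sha1 inside SQL); the login path must check it with password_verify().
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('insert into user values (?, ?, ?)');
    if (!$stmt || !$stmt->bind_param('sss', $username, $hash, $email) || !$stmt->execute()) {
        throw new Exception('Could not register you in database - please try again
later.');
    }
    $stmt->close();
    return true;
}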
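if (isset($_POST['username'], $_POST['password'])) {
    // Registration handler. $conn is expected to be an open mysqli connection
    // created earlier in the file. Form values are bound as parameters and
    // never concatenated into the SQL text.
    $username = $_POST['username'];
    // 'email' is not covered by the isset() guard above, so default it to ''
    // instead of reading an undefined index
    $email = $_POST['email'] ?? '';

    $stmt = $conn->prepare("SELECT username, email FROM users WHERE username=? OR email=?");
    if (!$stmt) {
        throw new Exception('Could not prepare lookup query');
    }
    $stmt->bind_param("ss", $username, $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if (!$row) {
        // Hash before bind_param(): the original bound $password while it was
        // still undefined and only worked because bind_param() takes a reference
        // that execute() reads later. Assigning first makes the order obvious.
        $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
        $sql = "INSERT INTO users (username,email,password,role) VALUES (?,?,?,'user')";
        $stmt = $conn->prepare($sql);
        if (!$stmt) {
            throw new Exception('Could not prepare insert query');
        }
        $stmt->bind_param("sss", $username, $email, $password);
        if (!$stmt->execute()) {
            throw new Exception('Could not register user');
        }
        $stmt->close();
        header('Location: index.html');
        exit;
    } elseif ($row['email'] === $email) {
        // strict comparison: == on strings applies numeric-string coercion
        $fsmsg = "Email taken";
    } elseif ($row['username'] === $username) {
        $fsmsg = "Username taken";
    }
}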
The main thing is not to copy the foolishness from the question into your answer.