SELECT * FROM DB其中X = Y.如果没有什么= Y,我需要一个else语句来做某事

时间:2013-07-16 00:18:16

标签: php sql database select if-statement

问题是,如果$_POST['username']包含数据库中存在的用户名,则脚本运行良好。如果用户名输入错误或除了在数据库中找到的内容之外还输入了任何其他内容,则会锁定。

有没有办法将SELECT结构化为“else”类型语句,当错字发生时它将“执行此操作”......

提前致谢

include('includes/config.php');
if($_REQUEST['do'] == 'login') {
   $postusername = $_POST['username'];
   $result = mysqli_query($con,"SELECT * FROM $sqlusers WHERE 
                            username = '$postusername'");
   while($row = mysqli_fetch_array($result))
   {
      if($_POST['username'] == $row['username'] && 
         $_POST['password'] == $row['password']){

         $logged_username = $row['username'];
         $_SESSION['username']= $logged_username;     
         $_SESSION['active']=1;
         session_write_close;
         //to redirect back to "index.php" after logging out`
         header("location:/index.php"); 
      }
      else {        
         header("Location:login.php?errorMssg=".urlencode("Your Login 
                  Information is incorrect!!"));
      }
   }
}

4 个答案:

答案 0 :(得分:1)

试试这个:请看我做的改变...... 

<?php
include('includes/config.php');
if($_REQUEST['do'] == 'login') {
   //check if username and password set
   if(isset($_POST['username']) && isset($_POST['password'])){

     $postusername = mysqli_real_escape_string($_POST['username']);
     $postpassword = mysqli_real_escape_string($_POST['password']);

     $result = mysqli_query($con,"SELECT * FROM $sqlusers WHERE username = '$postusername' and password = '$postpassword' ");

        if(mysqli_num_rows($result) > 0){
           $logged_username = $postusername;
           $_SESSION['username']= $postusername;     
           $_SESSION['active']=1;
           session_write_close;
           //to redirect back to "index.php" after logging out`
           header("location:/index.php");
           exit;
        }
        else {        
           header("Location:login.php?errorMssg=".urlencode("Your Login 
                    Information is incorrect!!"));
          exit;
        }

   }else{
           header("Location:login.php?errorMssg=".urlencode("Enter Username and Password"));
           exit;
   }
}

更新:准备好的声明

<?php
include('includes/config.php');
if($_REQUEST['do'] == 'login') {
   //check if username and password set
   if(isset($_POST['username']) && isset($_POST['password'])){

     $stmt = mysqli_prepare($con,"SELECT * FROM $sqlusers WHERE username = ? and password = ? ");
     mysqli_stmt_bind_param($stmt, 'ss', $_POST['username'], $_POST['password']);
     mysqli_stmt_execute($stmt);
     mysqli_stmt_store_result($stmt);

        if(mysqli_stmt_num_rows($stmt) > 0){
           $logged_username = $postusername;
           $_SESSION['username']= $postusername;     
           $_SESSION['active']=1;
           session_write_close;
           //to redirect back to "index.php" after logging out`
           header("location:/index.php");
           exit;
        }
        else {        
           header("Location:login.php?errorMssg=".urlencode("Your Login 
                    Information is incorrect!!"));
          exit;
        }

   }else{
           header("Location:login.php?errorMssg=".urlencode("Enter Username and Password"));
           exit;
   }
}

答案 1 :(得分:0)

查询如果失败则返回false,因此您可以使用

之类的代码

$result = mysqli_query($conn,$sql);

然后像

if ($result != false)
    do some crap
else
    do some other crap

在代码中查找SQL错误的标准似乎是

$result = mysqli_query($con,"SELECT * FROM $sqlusers WHERE username = '$postusername'") or die (mysqli_error($con));

但我不知道这是不是你要问的。

关于相关的注释

您的脚本容易受到SQL注入攻击。请修理它 http://php.net/manual/en/security.database.sql-injection.php

答案 2 :(得分:0)

  1. 首先,你应该逃避用户发送的数据来防御黑客sql注入攻击
  2. 在将用户存储到数据库之前,应该保留用户密码保存并对其进行哈希处理。阅读本文:http://php.net/manual/en/faq.passwords.php
  3. 如果db结果为空(没有给定登录的用户)
    4. ,您还没有写出要做的部分

    试试这个:

    <?php
include('includes/config.php');
if ($_REQUEST['do'] == 'login')
{
    $postusername = mysqli_real_escape_string($_POST['username']);
    $result = mysqli_query($con, "SELECT * FROM $sqlusers WHERE username = '$postusername'");
    if (!$result)
    {
        // handle error
    }

    $row = mysqli_fetch_array($result);
    if ($row && $_POST['password'] == $row['password'])
    {
        $logged_username = $row['username'];
        $_SESSION['username'] = $logged_username;
        $_SESSION['active'] = 1;
        session_write_close;
        //to redirect back to "index.php" after logging out`
        header("location:/index.php");
    }
    else
    {
        header("Location:login.php?errorMssg=" . urlencode("Your Login Information is incorrect!!"));
    }
}

答案 3 :(得分:0)

您的查询是:

  SELECT * FROM $sqlusers WHERE username = '$postusername'

如您的问题所述,如果“nothing = Y”,即如果表中的用户名与发布的用户名不匹配,则查询将返回空结果集。在简单的PHP术语中,“如果db = username中没有任何内容”,则转换为:

  if(mysqli_num_rows($result) == 0) { // no rows matches the posted username (nothing = Y, in your words)
       //handle your error here
   } else { // ie, X = Y in your words
        // the while loop to check password goes here
    }
相关问题
最新问题