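I want to take the email address, hotel name and rate value from a form and insert them into the rates table. When inserting the data into the rates table, it should insert the user name that belongs to that email address from the user table.
This is the PHP code I tried.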
if (!empty($_POST)) {
    $userName = "";
    $sql = "select name from user where email='$_POST[user]'";
    $query1 = mysql_query($sql,$con);
    while ($row = mysql_fetch_array($query1))
    {
        $userName = $row;
        echo $userName;
    }
    $rest_name = $_POST['name'];
    $user_name = $_POST['user'];
    $rate = $_POST['Rate'];
    $query = "INSERT INTO rates(rest_name,user,rate) values ('$_POST[name]','".$userName"','$_POST[Rate]')";
    $query2 = mysql_query($query,$con);
    $response["success"] = 1;
    $response["message"] = "Rate Successfully Added!";
    echo json_encode($response);
}
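But it doesn't work. Can anyone help me?
Answer 0 (score: 1)
You need to concatenate the strings, because arrays cannot be concatenated automatically. You need to do this for both MySQL statements. You should also use mysqli_query instead of mysql_query, because mysql_query is deprecated.
You also have to execute the second MySQL statement. It is also a good idea to sanitize user input to avoid SQL injection attacks. For that, I have included the mysql_real_escape_string function.
Your query also needs $row["name"], which I have added.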
if (!empty($_POST)) {
    $userName = "";
    $sql = "select name from user where email='".mysql_real_escape_string($_POST['email'])."'";
    $query1 = mysql_query($sql,$con);
    while ($row = mysql_fetch_array($query1))
    {
        $userName = $row["name"];
        echo $userName;
    }
    $rest_name = $_POST['name'];
    $user_name = $_POST['user'];
    $rate = $_POST['Rate'];
    $query = "INSERT INTO rates (rest_name, user, rate) values ('".mysql_real_escape_string($_POST['name'])."','".mysql_real_escape_string($userName)."','".mysql_real_escape_string($_POST['Rate'])."')";
    $rs = mysql_query($query, $con);
    $response["success"] = 1;
    $response["message"] = "Rate Successfully Added!";
    echo json_encode($response);
}
Answer 1 (score: 1)
Here you are not passing the data to $userName. This is how you do it:
while ($row = mysql_fetch_array($query1))
{
    $userName = $row['name'];
    echo $userName;
}
You also have some syntax errors in the insert. It should look like this:
$query = "INSERT INTO rates(rest_name,user,rate) values ('".$_POST['name']."','".$userName."','".$_POST['Rate']."')";
You also forgot to use
mysql_query($query);
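Answer 2 (score: 0)
I have wrapped all the POST parameters that you put into the query in mysql_real_escape_string() functions. However, if you can, you should switch to mysqli or PDO. Read why this is a good idea here: How can I prevent SQL injection in PHP?
I added $query2 = mysql_query($query, $con) so that the second query gets executed.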
<?php
if (!empty($_POST)) {
    $userName = "";
    // Look up the user name that belongs to the submitted email address.
    $sql = "SELECT name FROM user WHERE email='".mysql_real_escape_string($_POST['user'])."'";
    $query1 = mysql_query($sql, $con);
    while ($row = mysql_fetch_array($query1)) {
        $userName = $row["name"];
        echo $userName;
    }
    $rest_name = $_POST['name'];
    $user_name = $_POST['user'];
    $rate = $_POST['Rate'];
    // Every value is escaped before it is concatenated into the statement.
    $query = "INSERT INTO rates(rest_name, user, rate) values ('".mysql_real_escape_string($rest_name)."','".mysql_real_escape_string($userName)."','".mysql_real_escape_string($rate)."')";
    if($query2 = mysql_query($query, $con)) {
        $response["success"] = 1;
        $response["message"] = "Rate Successfully Added!";
        echo json_encode($response);
    } else {
        $response["success"] = 0;
        $response["message"] = "MySQL Error";
        // Send the failure response too, so the client is not left without a reply.
        echo json_encode($response);
    }
}
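The switch to PDO that Answer 2 recommends, shown as an added example that is not part of the question or of any answer: the same lookup and insert using prepared statements, so no form value is ever concatenated into the SQL text. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, the function name addRate is hypothetical, and ratings are taken to be integers from 1 to 5.

```php
<?php
// Added example: not code from the question or from any answer.
// Assumption: in-memory SQLite replaces MySQL so this runs offline;
// against MySQL only the DSN and credentials passed to PDO change.
function addRate(PDO $pdo, array $post): array
{
    // Validate the shape of each field before touching the database.
    $email = filter_var($post['user'] ?? '', FILTER_VALIDATE_EMAIL);
    $restName = trim((string)($post['name'] ?? ''));
    $rate = filter_var($post['Rate'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]); // assumed 1-5 scale
    if ($email === false || $restName === '' || $rate === false) {
        return ['success' => 0, 'message' => 'Invalid input'];
    }
    // Placeholders: values travel separately from the SQL text.
    $stmt = $pdo->prepare('SELECT name FROM user WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $userName = $stmt->fetchColumn();
    if ($userName === false) {
        return ['success' => 0, 'message' => 'Unknown user'];
    }
    $ins = $pdo->prepare(
        'INSERT INTO rates (rest_name, user, rate) VALUES (:rest, :user, :rate)');
    $ins->execute([':rest' => $restName, ':user' => $userName, ':rate' => $rate]);
    return ['success' => 1, 'message' => 'Rate Successfully Added!'];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (name TEXT, email TEXT)');
$pdo->exec('CREATE TABLE rates (rest_name TEXT, user TEXT, rate INTEGER)');
$pdo->exec("INSERT INTO user VALUES ('Alice', 'alice@example.com')");

// Constructed sample requests: a name containing a quote, and a
// malformed email field that is rejected before any query runs.
$samples = [
    ['user' => 'alice@example.com', 'name' => "O'Brien's Grill", 'Rate' => '4'],
    ['user' => "x' OR '1'='1", 'name' => 'Any', 'Rate' => '5'],
];
foreach ($samples as $post) {
    echo json_encode(addRate($pdo, $post)), "\n";
}
echo $pdo->query('SELECT COUNT(*) FROM rates')->fetchColumn(), " row(s) stored\n";
```

The restaurant name with an apostrophe is stored unchanged, which is the case that breaks the concatenated query in the question.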