谁能帮我弄清楚这个php错误信息的含义?

时间:2011-04-29 04:43:41

标签: php mysql forms

  

可能重复:
  Can anyone help me figure out what is wrong with this code?

这是我的代码

$con = mysql_connect("localhost", "root", '');

if (!$con) {
    die('Cannot make a connection');
}


mysql_select_db('yumbox_table', $con) or die('Cannot make a connection');    
isset($_POST['user_name'], $_POST['password'], $_POST['user_type']);

$data = mysql_query("SELECT * 
                       FROM users 
                      WHERE user_name == ($_POST['user_name']) 
                        AND ($_POST['password']) 
                        AND ($_POST['user_type'])") or die(mysql_error());

$info = mysql_fetch_array($data);
$count = mysql_numrows($data);

if ($count == 1) {
    echo("Success!!");
} else {
    echo("BIG FRIGGIN FAILURE!!");
}

mysql_close($con);

每当我运行此代码时,都会收到以下消息:

3 个答案:

答案 0 :(得分:0)

if(isset($_POST['user_name'], $_POST['password'], $_POST['user_type'])){
    $data = mysql_query("SELECT * from users 
             where user_name = '".mysql_real_escape_string($_POST['user_name'])."' and 
                   password  = '".mysql_real_escape_string($_POST['password'])."' and 
                   user_type = '".mysql_real_escape_string($_POST['user_type'])."' ");

    if(mysql_numrows($data) == 1) {
       $info = mysql_fetch_array($data);
       echo("Success!!");
    } else {
       echo("BIG FRIGGIN FAILURE!!");
    }
}
else{
   echo "Required Data Missing";
}

mysql_close($con);

答案 1 :(得分:0)

您需要发布错误以获取更多详细信息。但我注意到的一些事情是

mysql_query("SELECT * from users where user_name == ($_POST['user_name']) and ($_POST['password']) and ($_POST['user_type'])")

您需要将其更改为

//do escaping here. See note below.
$username = isset($_POST['user_name']) ? mysql_real_escape($_POST['user_name']) : '';
$pass     = isset($_POST['password']) ? mysql_real_escape($_POST['password']) : '';
$type     = isset($_POST['user_type']) ? mysql_real_escape($_POST['user_type']) : '';

mysql_query("SELECT * from users where user_name = '{$username}' AND password = '{$pass}' AND user_type = '{$type}'")

您需要转义值

MySQL比较是=而不是==(感谢你指出@jeremysawesome)

您需要根据POST值检查列

您还有一个SQL injection vulnerability。请至少使用mysql_real_escape。更好的是,切换到PDO

您需要将isset支票分配给变量并进行检查。否则这只是浪费。

答案 2 :(得分:0)

在将其插入查询之前,您需要转义POST值。在数据库查询中使用它们之前,应该转义POST值。

而不是:

$data = mysql_query("SELECT * from users where user_name == ($_POST['user_name']) and ($_POST['password']) and ($_POST['user_type'])"

这样做:

$user_name = mysql_real_escape_string($_POST['user_name']);
$password = mysql_real_escape_string($_POST['password']);
$user_type = mysql_real_escape_string($_POST['user_type']);
$data = mysql_query("SELECT * FROM users WHERE user_name == '$user_name' AND password == '$password' AND user_type == '$user_type'");

请注意,我假设您的表中的列是'user_name','password'和'user_type'。

相关问题
最新问题