I cannot, for the life of me, figure out why I am getting this error in my code:

mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource

Here is my PHP code:
```php
<?php
$session_id = $_SESSION['id'];
$getall = mysql_query("SELECT * FROM users WHERE id='' . $dbuser_id . ''");
$row = mysql_fetch_assoc($getall);
$fullnameDB = $row['name'];
$emailDB = $row['email'];
$usernameDB = $row['username'];
$fullname = strip_tags($_POST['fullname']);
$username = strip_tags($_POST['username']);
$email = strip_tags($_POST['email']);
if ($_POST['submit']) {
    $namecheck = mysql_query("SELECT username FROM users WHERE username='' . $username . ''");
    $count = mysql_num_rows($namecheck);
    if ($count != 0) {
        echo 'That username is already taken!';
    } else {
        mysql_query("UPDATE users SET username=' . $username . ' WHERE id='' . $dbuser_id . ''");
        echo 'Your UN has been updated';
    }
}
?>
```
Answer 0 (score: 4)

```php
"SELECT username FROM users WHERE username='" . $username . "'"
```

not

```php
"SELECT username FROM users WHERE username='' . $username . ''"
```

But consider using mysqli or PDO and switching to parameterized statements.

Answer 1 (score: 1)
Here is a refined version of your code:
```php
<?php
$session_id = $_SESSION['id'];
$getall = mysql_query("SELECT * FROM users WHERE id='" . $dbuser_id . "'");
$row = mysql_fetch_assoc($getall);
$fullnameDB = $row['name'];
$emailDB = $row['email'];
$usernameDB = $row['username'];
$fullname = mysql_real_escape_string($_POST['fullname']);
$username = mysql_real_escape_string($_POST['username']);
$email = mysql_real_escape_string($_POST['email']);
if ($_POST['submit']) {
    $namecheck = mysql_query("SELECT username FROM users WHERE username='" . $username . "'");
    $count = mysql_num_rows($namecheck);
    if ($count != 0) {
        echo 'That username is already taken!';
    } else {
        mysql_query("UPDATE users SET username='" . $username . "' WHERE id='" . $dbuser_id . "'");
        echo 'Your UN has been updated';
    }
}
?>
```
What you did wrong is in your query: you opened it with a double quote (") but then tried to close it around your username with a single quote ('), so it did not work. I also helped sanitize your input so that it is less vulnerable to SQL injection (in case it was not secure).

Edit: as other users have mentioned, please seriously consider switching to prepared statements.
Answer 2 (score: 0)

Your code has errors and is vulnerable to SQL injection attacks.

Use this code:
```php
<?php
try {
    $session_id = session_id();
    $conn = mysqli_connect('localhost', 'any_user_other_than_root', 'secure_password', 'database');
    if (!$conn) throw new Exception('Could not connect to the database.');
    // mysqli_real_escape_string() requires the connection as its first argument.
    // $dbuser_id is assumed to have been set earlier, as in the original question.
    $dbuser_id = mysqli_real_escape_string($conn, $dbuser_id);
    $query = "SELECT * FROM users WHERE id='$dbuser_id'";
    $getall = mysqli_query($conn, $query);
    if (!$getall) throw new Exception('Database query failed!');
    $row = mysqli_fetch_assoc($getall);
    $fullname_db = $row['name'];
    $email_db = $row['email'];
    $username_db = $row['username'];
    $fullname = mysqli_real_escape_string($conn, $_POST['fullname']);
    $username = mysqli_real_escape_string($conn, $_POST['username']);
    $email = mysqli_real_escape_string($conn, $_POST['email']);
    if (isset($_POST['submit'])) {
        $namecheck = mysqli_query($conn, "SELECT username FROM users WHERE username='$username'");
        if (!$namecheck) throw new Exception('Name check failed!');
        $count = mysqli_num_rows($namecheck);
        if ($count > 0) {
            echo 'That username is already taken!';
        } else {
            $result = mysqli_query($conn, "UPDATE users SET username='$username' WHERE id='$dbuser_id'");
            if (!$result) throw new Exception('Could not update your UN.');
            echo 'Your UN has been updated';
        }
    }
} catch (Exception $e) {
    echo 'Error: ' . $e->getMessage();
}
?>
```
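Answer 0 recommends parameterized statements and Answer 2 moves to mysqli with escaping; the following is an added example (not code from any of the answers) that rewrites the same lookup, name check and update with mysqli prepared statements, so user input is bound as data and never spliced into the SQL text. It assumes a `users` table with `id`, `name`, `email` and `username` columns, the logged-in user's id in `$_SESSION['id']`, and placeholder connection credentials.

```php
<?php
// Added example: same flow as the question, using bound parameters instead of
// string concatenation or escaping. Credentials below are placeholders.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions

try {
    $conn = new mysqli('localhost', 'app_user', 'secure_password', 'database');
    $conn->set_charset('utf8mb4'); // escaping/binding is only correct for a known charset

    // Cast the session value: the id column is numeric, so bind it as an integer.
    $dbuser_id = (int) ($_SESSION['id'] ?? 0);

    // Load the current row with a bound parameter.
    $stmt = $conn->prepare('SELECT name, email, username FROM users WHERE id = ?');
    $stmt->bind_param('i', $dbuser_id);
    $stmt->execute();
    $stmt->bind_result($fullnameDB, $emailDB, $usernameDB);
    if (!$stmt->fetch()) {
        exit('Unknown user.');
    }
    $stmt->close();

    if (isset($_POST['submit'])) {
        $username = trim((string) ($_POST['username'] ?? ''));
        if ($username === '' || strlen($username) > 32) {
            exit('Invalid username.');
        }

        // Name check: a quote or comment sequence in $username is just data here.
        $stmt = $conn->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->bind_result($count);
        $stmt->fetch();
        $stmt->close();

        if ($count > 0) {
            echo 'That username is already taken!';
        } else {
            $stmt = $conn->prepare('UPDATE users SET username = ? WHERE id = ?');
            $stmt->bind_param('si', $username, $dbuser_id);
            $stmt->execute();
            $stmt->close();
            echo 'Your UN has been updated';
        }
    }
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // log details server-side, show a generic message
    echo 'Error: database operation failed.';
}
```

Because the SQL text is fixed at `prepare()` time, the quoting mistake from the question cannot occur, and the error is reported as an exception instead of a false result handed to the fetch call.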