编辑:更新!第一部分工作了。但是,我不确定如何在同一IF()语句中检查其他变量。任何人都可以帮助我吗?单个if语句将拒绝与输入完全相同的类。但是,我还需要拒绝平等的日子和时代。
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Register Diver</title>
<link rel="stylesheet" href="php_styles.css" type="text/css" />
<meta http-equiv="content-type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>Aqua Don's Scuba School</h1>
<h2>Registration Confirmation</h2>
<?php
$DiverID = $_GET['diverID'];
if (empty($DiverID))
exit("<p>You must enter a diver ID! Click your browser's Back button to return to the previous page.</p>");
$DBConnect = @mysqli_connect("localhost", "students", "password")
Or die("<p>Unable to connect to the database server.</p>"
. "<p>Error code " . mysqli_connect_errno()
. ": " . mysqli_connect_error()) . "</p>";
$DBName = "scuba_school";
@mysqli_select_db($DBConnect, $DBName)
Or die("<p>Unable to select the database.</p>"
. "<p>Error code " . mysqli_errno($DBConnect)
. ": " . mysqli_error($DBConnect)) . "</p>";
$TableName = "registration";
$SQLstring = "SELECT * FROM $TableName";
$QueryResult = @mysqli_query($DBConnect, $SQLstring);
if (!$QueryResult) {
$SQLstring = "CREATE TABLE registration (diverID SMALLINT, class VARCHAR(40), days VARCHAR(40), time VARCHAR(40))";
$QueryResult = @mysqli_query($DBConnect, $SQLstring)
Or die("<p>Unable to create the registration table.</p>"
. "<p>Error code " . mysqli_errno($DBConnect)
. ": " . mysqli_error($DBConnect)) . "</p>";
echo "<p>Successfully created the registration table.</p>";
}
?>
<?php
$Class = $_GET['class'];
$Days = $_GET['days'];
$Time = $_GET['time'];
$DiverID = $_GET['diverID'];
$DBConnect = mysqli_connect("localhost", "students", "password");
$DBName = "scuba_school";
@mysqli_select_db($DBConnect, $DBName)
Or die("<p>Unable to select the database.</p>"
. "<p>Error code " . mysqli_errno($DBConnect)
. ": " . mysqli_error($DBConnect)) . "</p>";
$sqlString= "SELECT * FROM `registration` WHERE `diverID` = $DiverID AND `class` = '$Class' AND `days` = '$Days' AND `time` = '$Time'";
$QueryResult = mysqli_query($DBConnect, $sqlString) or die("MySQL error: " . mysqli_error($DBConnect) . "<hr>\nQuery: $QueryResult");
$row = mysqli_fetch_assoc($QueryResult);
if ($row["class"] == $Class)
{
echo "<p>You are already registered for $Class</p>";
}
elseif($row["days"] == $Days && $row["time"] == $Time)
{
echo "<p>There is a conflict with $Days or $Time</p>";
}
else
{
$SQLstring = "INSERT INTO $TableName VALUES('$DiverID', '$Class', '$Days', '$Time')";
$QueryResult = @mysqli_query($DBConnect, $SQLstring);
echo "<p>You are registered for $Class on $Days, $Time. Click your browser's Back button to register for another course or review your schedule.</p>";
}
mysqli_close($DBConnect);
?>
</body>
</html>
答案 0 :(得分:0)
使用“查找包含这些详细信息的所有人”的查询,然后您说“如果发现有人=坏,其他=好。例如:
SELECT ID FROM $TableName WHERE DiverID = '$DiverId', class = '$class', days='$Days' LIMIT 1
然后运行该查询,如果找到任何内容(if(count($results) > 0)...
),那么如果找不到任何内容则显示错误(或其他),则添加详细信息是安全的。
<强>加成:强>
作为旁注,请查看PDO(mysql_*
函数在PHP-land中no longer supported),并确保在进入数据库查询之前对输入进行过滤和清理(google for the,)
答案 1 :(得分:0)
查询后的情况不好
//change this
if ($row['class'] == "$Class")
{
echo "<p>You are already registered for $Class</p>";
}
//to this
if(!empty($row))
{
if ($row['class'] == "$Class")
echo "<p>You are already registered for $Class</p>";
}
答案 2 :(得分:0)
你的问题在于:
SELECT * FROM $TableName WHERE `diverID` = $DiverID
您正在查询数据库中与diverID
匹配的所有记录,忽略class
。这意味着,例如,如果某个潜水员注册到不同的类,则查询可能会或可能不会检索该记录。你想要一些东西:
// this is for simplicity's sake only; please escape your input in your code!!
$sql = "SELECT * FROM $TableName WHERE `diverID` = $DiverID AND `class` = '$Class'"
$query = mysqli_query($sql);
if (mysqli_num_rows($query)) {
// already registered
} else {
// not registered, insert
}
有人说......
不要使用@
(错误抑制)。关闭生产中的错误报告,但这(抑制错误)是可怕的。
不要让您的代码容易受SQL injection攻击。你甚至没有试图逃避任何事情,和更糟糕的是,你使用的是$_GET
,这也让你容易受到CSRF攻击。
不要动态创建表格。在脚本执行之前,您应该已经准备好表结构。如果有的话,它们应该由安装脚本创建。