只检查第一条记录,而不是全部

时间:2012-11-15 23:38:02

标签: php mysql mysqli

编辑:更新!第一部分工作了。但是,我不确定如何在同一IF()语句中检查其他变量。任何人都可以帮助我吗?单个if语句将拒绝与输入完全相同的类。但是,我还需要拒绝平等的日子和时代。

        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Register Diver</title>
<link rel="stylesheet" href="php_styles.css" type="text/css" />
<meta http-equiv="content-type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>Aqua Don's Scuba School</h1>
<h2>Registration Confirmation</h2>
<?php
$DiverID = $_GET['diverID'];
if (empty($DiverID))
    exit("<p>You must enter a diver ID! Click your browser's Back button to return to the previous page.</p>");
$DBConnect = @mysqli_connect("localhost", "students", "password")
    Or die("<p>Unable to connect to the database server.</p>"
    . "<p>Error code " . mysqli_connect_errno()
    . ": " . mysqli_connect_error()) . "</p>";
$DBName = "scuba_school";
@mysqli_select_db($DBConnect, $DBName)
    Or die("<p>Unable to select the database.</p>"
    . "<p>Error code " . mysqli_errno($DBConnect)
    . ": " . mysqli_error($DBConnect)) . "</p>";

$TableName = "registration";
$SQLstring = "SELECT * FROM $TableName";
$QueryResult = @mysqli_query($DBConnect, $SQLstring);
if (!$QueryResult) {
    $SQLstring = "CREATE TABLE registration (diverID SMALLINT, class VARCHAR(40), days VARCHAR(40), time VARCHAR(40))";
    $QueryResult = @mysqli_query($DBConnect, $SQLstring)
        Or die("<p>Unable to create the registration table.</p>"
        . "<p>Error code " . mysqli_errno($DBConnect)
        . ": " . mysqli_error($DBConnect)) . "</p>";
    echo "<p>Successfully created the registration table.</p>";
}
?>

<?php
$Class = $_GET['class'];
$Days = $_GET['days'];
$Time = $_GET['time'];
$DiverID = $_GET['diverID'];

$DBConnect = mysqli_connect("localhost", "students", "password");
$DBName = "scuba_school";
@mysqli_select_db($DBConnect, $DBName)
    Or die("<p>Unable to select the database.</p>"
    . "<p>Error code " . mysqli_errno($DBConnect)
    . ": " . mysqli_error($DBConnect)) . "</p>";


$sqlString= "SELECT * FROM `registration` WHERE `diverID` = $DiverID AND `class` = '$Class' AND `days` = '$Days' AND `time` = '$Time'";
$QueryResult = mysqli_query($DBConnect, $sqlString) or die("MySQL error: " . mysqli_error($DBConnect) . "<hr>\nQuery: $QueryResult");  
$row = mysqli_fetch_assoc($QueryResult);

if ($row["class"] == $Class)
{

echo "<p>You are already registered for $Class</p>";
    }

    elseif($row["days"] == $Days && $row["time"] == $Time)
    {
        echo "<p>There is a conflict with $Days or $Time</p>";
        }
else
{
 $SQLstring = "INSERT INTO $TableName VALUES('$DiverID', '$Class', '$Days', '$Time')";
    $QueryResult = @mysqli_query($DBConnect, $SQLstring);
    echo "<p>You are registered for $Class on $Days, $Time. Click your browser's Back button to register for another course or review your schedule.</p>";
}


mysqli_close($DBConnect);
?>

</body>
</html>

3 个答案:

答案 0 :(得分:0)

使用“查找包含这些详细信息的所有人”的查询,然后您说“如果发现有人=坏,其他=好。例如:

SELECT ID FROM $TableName WHERE DiverID = '$DiverId', class = '$class', days='$Days' LIMIT 1

然后运行该查询,如果找到任何内容(if(count($results) > 0)...),那么如果找不到任何内容则显示错误(或其他),则添加详细信息是安全的。

<强>加成: 作为旁注,请查看PDO(mysql_*函数在PHP-land中no longer supported),并确保在进入数据库查询之前对输入进行过滤和清理(google for the,)

答案 1 :(得分:0)

查询后的情况不好

//change this
if ($row['class'] == "$Class")
{
    echo "<p>You are already registered for $Class</p>";
}

//to this
if(!empty($row))
{
    if ($row['class'] == "$Class")
        echo "<p>You are already registered for $Class</p>";
}

答案 2 :(得分:0)

你的问题在于:

SELECT * FROM $TableName WHERE `diverID` = $DiverID

您正在查询数据库中与diverID匹配的所有记录,忽略class。这意味着,例如,如果某个潜水员注册到不同的类,则查询可能会或可能不会检索该记录。你想要一些东西:

// this is for simplicity's sake only; please escape your input in your code!!

$sql = "SELECT * FROM $TableName WHERE `diverID` = $DiverID AND `class` = '$Class'"
$query = mysqli_query($sql);

if (mysqli_num_rows($query)) {
    // already registered
} else {
    // not registered, insert
}

有人说......

  1. 不要使用@(错误抑制)。关闭生产中的错误报告,但这(抑制错误)是可怕的。

  2. 不要让您的代码容易受SQL injection攻击。你甚至没有试图逃避任何事情,更糟糕的是,你使用的是$_GET,这也让你容易受到CSRF攻击。

  3. 不要动态创建表格。在脚本执行之前,您应该已经准备好表结构。如果有的话,它们应该由安装脚本创建。