用户名可用性使用AJAX和PHP对MSSQL进行检查

时间:2013-06-06 20:23:10

标签: php ajax sql-server-2008

我的数据库已经充满了客户端。我们正试图让他们设置在线访问。他们必须提供会员ID才能设置在线帐户。我已经构建了一个允许输入到memberid的测试表单,并且应该检查我们是否在数据库中找到它们。我把头发拉出来试图让它发挥作用。我也做了CRUD所以我知道我与MSSQL的连接正在发挥作用。

此代码有什么问题?

FORM 

<div class="container">
<div>Member ID: <input type="text" maxlength="10" name="uname" id="uname" /><span id="status"></span></div>
<div>Pass: <input type="password" maxlength="10" name="pwd" id="pwd" /></div>

</div>
<script type="text/javascript">
document.getElementById("uname").onblur = function() {
var xmlhttp;
var uname=document.getElementById("uname");
if (uname.value != "")
    {
        if (window.XMLHttpRequest){
              xmlhttp=new XMLHttpRequest();
            } else {
              xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
            }
        xmlhttp.onreadystatechange=function() {
                if (xmlhttp.readyState==4 && xmlhttp.status==200) {
                document.getElementById("status").innerHTML=xmlhttp.responseText;
                }
        };
    xmlhttp.open("GET","uname_availability.php?uname="+encodeURIComponent(uname.value),true);
    xmlhttp.send();
    }
};
</script>

这是uname_availability.php 

<?php
$uname=$_REQUEST['uname'];

$server = "serveraddress";
$user = "username";
$pwd = "password";
$db = "dbname";

$conn = sqlsrv_connect($server, array("UID"=>$user, "PWD"=>$pwd, "Database"=>$db));

if($conn === false){
    die(print_r(sqlsrv_errors()));
}

$sql = "SELECT * FROM tblMembership WHERE MemberID = ".$uname."";
$stmt3 = sqlsrv_query($conn, $sql);
$row_count = sqlsrv_num_rows($stmt3);
if ($row_count === false)
{
print "<span style=\"color:red;\">We Can Not Find You :(</span>";
}
else
{
print "<span style=\"color:green;\">We Found You :)  </span>";
}
?>

4 个答案:

答案 0 :(得分:0)

您的查询失败,因为您未能引用$ username参数,导致SQL错误和无效,以及SQL injection attack漏洞:

$sql = "SELECT * FROM tblMembership WHERE MemberID = '".$uname."'";
                                                     ^--        ^--

没有引号,您正在WHERE MemberID = fred,我非常怀疑您的会员资格表中有fred字段。

由于您的代码盲目地假设查询工作正常,您将永远不会看到SQL服务器提供的语法错误警告。

答案 1 :(得分:0)

您是否需要在SQL语句中引用参数的值?

$sql = "SELECT * FROM tblMembership WHERE MemberID = ".$uname."";
然后

将成为

$sql = "SELECT * FROM tblMembership WHERE MemberID = '".$uname."'";

答案 2 :(得分:0)

我最终得到了它...感谢所有的输入......我真的很感激所有!

$sql = "SELECT MemberID FROM tblMembership WHERE MemberID = '".$memid."'";
$stmt = sqlsrv_query($conn, $sql);
$row = sqlsrv_fetch($stmt);
if (empty($row))
{
print "<span style=\"color:red;\">We Can Not Find You >:-(</span>";
}
else
{
print "<span style=\"color:green;\">We Found You :-)  </span>";
}

答案 3 :(得分:0)

为什么不明确使用$_GET

if(isset($_GET['uname']))
{
  $uname=$_GET['uname'];
}

然后查询,

$sql = "SELECT * FROM tblMembership WHERE MemberID ='$uname'";
相关问题
最新问题