我需要一个帮助来做一个mysql查询

时间:2013-06-19 12:09:13

标签: php mysql

我在DB

中有以下三个表

表格 

`accounts` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `name` varchar(32) NOT NULL DEFAULT '',
      `password` varchar(255) NOT NULL,
      `salt` varchar(40) NOT NULL DEFAULT '',
      `premdays` int(11) NOT NULL DEFAULT '0',
      `lastday` int(10) unsigned NOT NULL DEFAULT '0',
      `email` varchar(255) NOT NULL DEFAULT '',
      `key` varchar(32) NOT NULL DEFAULT '0',
      `blocked` tinyint(1) NOT NULL DEFAULT '0' COMMENT 'internal usage',
      `warnings` int(11) NOT NULL DEFAULT '0',
      `group_id` int(11) NOT NULL DEFAULT '1',
      `page_access` int(11) DEFAULT NULL,
      `page_lastday` int(11) DEFAULT NULL,
      `email_new` varchar(255) DEFAULT NULL,
      `email_new_time` int(15) DEFAULT NULL,
      `rlname` varchar(255) DEFAULT NULL,
      `location` varchar(255) DEFAULT NULL,
      `created` int(16) DEFAULT NULL,
      `email_code` varchar(255) DEFAULT NULL,
      `next_email` int(11) DEFAULT NULL,
      `premium_points` int(11) DEFAULT NULL,
      `nickname` char(48) DEFAULT NULL,
      `avatar` char(48) DEFAULT NULL,
      `about_me` text,
      `vip_time` int(15) NOT NULL,
      `event_points` int(11) NOT NULL DEFAULT '0',
      PRIMARY KEY (`id`),
      UNIQUE KEY `name` (`name`)
    ) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

`players` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(255) NOT NULL,
  `group_id` int(11) NOT NULL DEFAULT '1',
  `account_id` int(11) NOT NULL DEFAULT '0',
  `online` tinyint(1) NOT NULL DEFAULT '0',
  `deleted` int(11) NOT NULL DEFAULT '0',
  PRIMARY KEY (`id`),
  UNIQUE KEY `name` (`name`,`deleted`),
  KEY `account_id` (`account_id`),
  KEY `group_id` (`group_id`),
  KEY `online` (`online`),
  KEY `deleted` (`deleted`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=11 ;

`gamecodes` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `gamecode` varchar(50) NOT NULL,
  `accountname` varchar(50) NOT NULL,
  `premium_points` int(11) NOT NULL,
  `alreadyused` varchar(1) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=15 ;

这是我的.PHP,它将FORM的信息插入TABLE GAME CODES 

<?php
        function anti_injection($sql)
        {
            $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$sql);
            $sql = trim($sql);
            $sql = strip_tags($sql);
            $sql = addslashes($sql);
            return $sql;
        }

        $accountorname = anti_injection($_POST['accountorname']);
        $gamecode = $_POST['gamecode'];
        $category = $_POST['category'];
        $premiumpoints = anti_injection($_POST['premiumpoints']);

        switch ($category) {
            case 'accountname':
                $insertquery = "INSERT INTO gamecodes (gamecode, accountname, premium_points, alreadyused) VALUES ('$gamecode','$accountorname',$premiumpoints,'N')";
                break;
            case 'charactername':
                $insertquery = "INSERT INTO gamecodes (gamecode, accountname, premium_points, alreadyused) 
                        SELECT '$gamecode',accounts.name,$premiumpoints,'N' 
                        FROM accounts 
                        JOIN players
                        ON accounts.id = players.account_id 
                        WHERE players.name = '$accountorname'";
                break;
        }

        $result = mysql_query($insertquery);
    ?>

问题是:

  1. 案例'accountname':中,在INSERT之前,它必须检查知情帐户是否在表ACCOUNTS中有效。
  2. case'charactername':中,在INSERT之前必须检查表PLAYERS中是否有通知的字符名称有效

    3. 我做不到,有人能帮帮我吗?

3 个答案:

答案 0 :(得分:1)

$selectquery = "SELECT * from accounts where accountname='$accountname'";
$selectresult = mysql_query($selectquery);
if (mysql_num_rows($selectresult)) {
    // account exists, now you can do the INSERT
}

<强>注意

从PHP 5.5.0开始,不推荐使用mysql扩展,将来会删除它。相反,应该使用MySQLi或PDO_MySQL扩展。

答案 1 :(得分:1)

你可以像这样使用一个函数:

function Validate($table, $name)
{
    if ($res = mysql_query("SELECT Count(*) as isvalid FROM $table WHERE name = '$name'"))
    {
        $isvalid = 0;
        @extract(mysql_fetch_assoc($res));
        if ($isvalid == 0) return false;
        else return true;
    }
}

所以你这样称呼:

case 'accountname':
    if (Validate("accounts", $accountorname)) { 
        // Do things
    }
case 'charactername':
    if (Validate("players", $accountorname)) { 
        // Do things
    }

我没有测试过,我承认这不是最好的方法,但它应该做你想要的。

顺便说一句,你的SQL注入函数有一些漏洞。您必须过滤所有您的输入,因为用户可以在浏览器中更改任何控件的输入数据。考虑回顾一下。

答案 2 :(得分:0)

在执行此操作之前,您始终可以执行另一个查询以进行检查。有了这个,你仍然有可能会有人在查询之间删除帐户。如果这是您的问题,您应该查看transactions

    $shouldinsert = false;
    switch ($category) {
        case 'accountname':
            $result = mysql_query("SELECT count(*) as account_count FROM accounts WHERE name = '$accountorname'");
            $shouldinsert = mysql_num_rows($result) > 0;
            $insertquery = "INSERT INTO gamecodes (gamecode, accountname, premium_points, alreadyused) VALUES ('$gamecode','$accountorname',$premiumpoints,'N')";
            break;
        case 'charactername':
            //I'm not quite sure how to check if a charactername is 'valid' but this should get you started
            $result = mysql_query("SELECT count(*) as account_count FROM players WHERE name = '$charactername'");
            $shouldinsert = mysql_num_rows($result) > 0;
            $insertquery = "INSERT INTO gamecodes (gamecode, accountname, premium_points, alreadyused) 
                    SELECT '$gamecode',accounts.name,$premiumpoints,'N' 
                    FROM accounts 
                    JOIN players
                    ON accounts.id = players.account_id 
                    WHERE players.name = '$accountorname'";
            break;
    }
    if($shouldinsert) {
        mysql_query($insertquery);
    }
相关问题
最新问题