作为学校项目,我必须设计一个网站(具有所有功能(html& php))。我几乎完成了它,除了我有点头疼。我正在尝试保护我的网站以防止msql注入。我已经使用了语句mysql_real_escape_string(),它在其他页面上工作正常,除了这个。当我在变量mysql_real_escape_string和$email上使用$firstname时,页面返回时没有结果。但是我删除了mysql_real_escape_string(),代码完美无缺。此代码的作用是获取用户忘记的密码。我在这里做错了,当我保护它们时变量停止工作?
(顺便说一句,我为php中的菜鸟道歉。很高兴欢迎任何帮助)
<?php
error_reporting(0);
if($_POST['submit']=='Send')
{
$db_host="localhost";
$db_uname="";
$db_pass="";
$db_name="";
mysql_connect($db_host,$db_uname,$db_pass) or die(mysql_error);
mysql_select_db($db_name);
$email=mysql_real_escape_string($_POST['emailadress']);
$firstname=mysql_real_escape_string($_POST['First_name']);
$query="SELECT customer.email_client, customer.first_name FROM customer WHERE email_client='$email' AND first_name='$firstname'";
$result=mysql_query($query) or die(error);
if(mysql_num_rows($result)){
$code= md5(uniqid(rand(), true));
$message="Please use the following link with the given activation code from below to begin the validation process."."\n".
"This is the link--> http://regina.roelgonzalez.tk/pages_directory /confirmationforum.php".
"\n". "The activation code is: ".$code;
if (isset($_REQUEST['emailadress'])){
$_sender='www.postmasterSPapiesOnlineShopping.com';
mail($email, "Activation code", $message ,"From:" . $_sender);
$insertinto="UPDATE customer SET activation_code = '$code' WHERE first_name = '$firstname' AND email_client='$email'";
mysql_query($insertinto) or die(error);
?>
<script type="text/javascript">
alert("Please check your email for the confirmation code");
window.location = "confirmationforum.php";
</script>
<?php
}
}
else{
?>
<script type="text/javascript"> alert
("Either given informaion is wrong, or data does not appear in our database");
</script>
<script type="text/javascript">
window.location = "forgottenforum.php";
</script>
<?php
}
mysql_close($con);
}
?>