您好我有一个注册系统,它运行良好并保存到数据库,我有一个问题,检查数据库的用户名,如果已经存在。我检查数据库的脚本是错误的。有人可以帮我吗?以下是我的代码
<?php
if(empty($_POST['username'])){
$username_error = "Please Input Username";
}else{
if( 6 > mb_strlen($_POST['username']) || 20 < mb_strlen($_POST['username'])){
$username_error = "username must be at least 6 characters.";
}else{
$sql = "SELECT
members.username
FROM
members
WHERE username = $username";
$res = mysql_query($sql);
if(mysql_num_rows($res)){
$username_exists = "Username is already taken.";
}else{
$username = $_POST['username'];
}
}
}
?>
问题仅出现在else语句
中答案 0 :(得分:1)
更改:
$sql = "SELECT
members.username
FROM
members
WHERE username = $username";
要:
$sql = "SELECT
members.username
FROM
members
WHERE username = '".mysql_real_escape_string($username)."'";
$users =mysql_query($sql);
if(mysql_num_rows($users )){
$username_exists = "Username is already taken.";
}{
$username = $_POST['username'];
}
请记住,您需要转义您的用户名以避免SQL注入!并避免使用 mysql _ 函数!
答案 1 :(得分:0)
if(mysql_num_rows($sql)>0){
$username_exists = "Username is already taken.";
}else{
$username = $_POST['username'];
}
虽然你应该使用PDO或其他东西进行消毒。
<强>校正:
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res)){
$username_exists = "Username is already taken.";
}else{
$username = $_POST['username'];
}
答案 2 :(得分:0)
在您阅读之前;这很容易引入SQL,我很乐意指向PDO。
更改您的SQL语句以将$username视为字符串;
SELECT members.username
FROM members
WHERE username = '$username'
然后删除以下行
mysql_query($sql);
最后将if() { }条件更改为;
if(mysql_num_rows(mysql_query($sql))>0){
答案 3 :(得分:0)
var qc=document.forms["regform"]["email"].value;
if(qc!='') {
alert('in');
$.ajax({
url: 'search.php',
data: "check_qc=" + qc,
async:false,
success: function(response) {
if(response==1)
{
alert('Already Exists');
return false;
}
}
});
}
现在,在search.php文件中
$qc = $_GET['check_qc'];
$sel="select * from register where email='".$qc."'";
$res= mysql_query($sel);
$co= mysql_num_rows($res);
// echo $co;
if(count($co)>0)
echo "1";
else
echo "0";
答案 4 :(得分:0)
我试图帮助您使用此代码。注意评论。我做了更多,然后回答你的问题:逻辑有点改变,添加$ username的消毒...
<?php
// at first let's define this variables (just for any case)
$username_error = null;
$username_exists = null;
// get username
$username = $_POST['username'];
// let's check it
if (empty($username)) {
$username_error = "Please Input Username";
// don't know in what context you use this code
// so here you need to return from function or exit
return;
}
// ... and sanitize
$username = filter_var($username, FILTER_SANITIZE_SPECIAL_CHARS); // just for example
// actually, I use active record, so can't suggest 100%-security way
// check lenght
if (mb_strlen($username) < 6 || mb_strlen($username) > 20) {
$username_error = "username must be at least 6 characters.";
// also let's exit or return
return;
}
// and now let's check it in DB
$sql = "SELECT
members.username
FROM
members
WHERE username = '$username'";
// !!! pay attention!!!
$result = mysql_query($sql); // we need append this mysql result to some variable
if (mysql_num_rows($result) > 0) { // and here we check num_rows of that result, not just tring with query!
$username_exists = "Username is already taken.";
// also let's exit or return
return;
}
// if we are in here we have sanitized $username, that's not in use.
// Enjoy!