$valid = mysqli_query($com,"select username,email from company_profile where username = ".$uname." or email = ".$email." ");
if ($valid=="")
{echo "email n username exists";}
else
{
echo "reg success";
}
这是我的代码,它不起作用是我也确定。想要返回结果天气电子邮件或用户名存在于db中。 这是怎么做的。
答案 0 :(得分:1)
mysqli_query方法返回结果集,而不是标量。
$result = mysqli_query($com, "SELECT ...", MYSQLI_STORE_RESULT);
if ( $result->num_rows() > 0 ) {
echo "query returned at least one row";
}
代码看起来容易受到SQL注入攻击,我们看不到对mysqli_real_escape_string函数的任何引用。
我们更愿意看到带有绑定变量的预准备语句,例如
if ($stmt = mysqli_prepare($com, "SELECT username,email from company_profile"
. " where username = ? OR email = ? "))
{
mysqli_stmt_bind_param($stmt, "ss", $uname, $email);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
while ($row = mysqli_fetch_array($result))
{
}
mysqli_stmt_close($stmt);
}