我正在尝试验证用户输入的电子邮件和密码到我正在制作的应用中。要验证我正在使用php的电子邮件和密码。目前我收到错误消息:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' ' at line 1"
这是我在json-config.php中的php代码:
<?php
$host = "localhost"; //Your database host server
$db = "dbname"; //Your database name
$user = "user"; //Your database user
$pass = "pass"; //Your password
$connection = mysql_connect($host, $user, $pass);
if(!$connection) {
die("Database server connection failed.");
} else {
//Attempt to select the database
$dbconnect = mysql_select_db($db, $connection);
//echo "connection working";
//Check to see if we could select the database
if(!$dbconnect) {
die("Unable to connect to the specified database!");
}
}
?>
这是我在json.php中的php代码:
<?php
include("json-config.php");
$email = $_POST['email'];
$password = $_POST['password'];
function validate_password($plain, $encrypted) {
if (!empty($plain) && !empty($encrypted)) {
// split apart the hash / salt
$stack = explode(':', $encrypted);
//echo "<pre>";print_r($stack);echo "</pre>";
if (sizeof($stack) != 2)
return false;
if (md5($stack[1] . $plain) == $stack[0]) {
return true;
}
}
return false;
}
if ($_POST) {
//gets user's info based off of a username.
$query = "SELECT customer_email, customer_password FROM rt_customer WHERE customer_email = ".$email."";
//echo $query;
//This will be the variable to determine whether or not the user's information is correct.
//we initialize it as false.
$validated_info = false;
$result = mysql_query($query) or die("Error in Selection Query <br> " . $query . "<br>" . mysql_error());
//fetching all the rows from the query
while($row = mysql_fetch_assoc($result)) {
//if we encrypted the password, we would unencrypt it here, but in our case we just
//compare the two passwords
if ($this->validate_password($password, $row['customer_password'])) {
$login_ok = true;
}
}
// If the user logged in successfully, then we send them to the private members-only page
// Otherwise, we display a login failed message and show the login form again
if ($login_ok) {
echo '{"success":1, "message":"Login successful!"}';
} else {
echo '{"success":0, "message":"Username and/or password is invalid."}';
}
}
?>
如果您需要更多信息,请不要犹豫,谢谢。
答案 0 :(得分:1)
您需要在$email
$query = "SELECT customer_email, customer_password FROM rt_customer ".
" WHERE customer_email = '".$email."'";
虽然这可以解决您的问题,但我建议您查看mysqli并让准备好的声明为您做引用。直接从post数组中使用数据的方式使你可以打开sql注入。
如果你真的想要保留旧版的mysql库,请使用:
$email = mysql_real_escape_string( $email);
在将其放入查询之前(但在建立连接之后)。
答案 1 :(得分:0)
1)SELECT customer_email, customer_password FROM rt_customer WHERE customer_email = '$email'"
2)SELECT customer_email, customer_password FROM rt_customer WHERE customer_email = '".$email."'"
是正确的,但遵循标准将帮助您避免意外错误, 永远记得用一个类型为vachar的表字段检查条件我们单引号('字符串值')或双引号(“字符串值”)围绕它
也只是在(database name)或(table name)或(field name)周围使用的回拨号,不对这些名称使用单引号或双引号,
您可以使用我的blog获取更多信息。