Question

我是PHP的新手，我的要求是检查数据库中的用户电子邮件ID，如果存在，请导航到下一页。但是通过SQL查询不能在PHP中工作，并且在SQL数据库中工作。

我的数据库结构：

enter image description here

我的HTML代码：index.html

<!DOCTYPE html>
<html>
<body>
<form action="checkform.php" method="post">
E-mail: <input type="email" name="email" autocomplete="off"><br>
<input type="submit">
</form>
</body> 
</html>

PHP：checkform.php

<?php
try 
{
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);  
$emailid = $_POST['email']; 
echo $emailid;
$sql = "SELECT Name from table WHERE email=" . $_POST['email'];
$result = mysql_query($sql);
echo $result;
if(!$result) { echo "<p class='error'>Error: No such email address</p>"; }
// note that the if is asking if there is no result
else {
while ($row = mysql_fetch_assoc($result)) { 
echo "<p class='success'>Welcome " . $row['Name'] . "!!</p>";
}
} // end

//mysql_query(" // suggest here to validate against emails in db");
mysql_close($connection);
echo "SUCCESS";
}
catch(Exception $e)
{
echo $e->getMessage();
// Note: Log the error or something
}
?>

我的page2.html

<!DOCTYPE html>
<html>
<body>
<h1> Welcome to Page 2</h1>
</body> 
</html>

但是当运行index.html页面时，面临错误:(最终没有执行mysql查询），但是运行sql查询是成功的

Error: No such email address
SUCCESS

PHP查询（失败）

$sql = "SELECT `Name` FROM `table` WHERE email=\'jxxx@gmail.com\'";

SQL查询（成功）

SELECT `Name` FROM `table` WHERE email='jxxx@gmail.com'

为什么无法运行查询？

Answer 1

按照约翰的要求：

使用引号

WHERE email= '".$emailid."'

$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid);
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";

与$emailid = $_POST['email'];

一起使用

而不是

WHERE email=" . $_POST['email']

这会导致错误，并且在使用该方法时对SQL注入开放。

您目前的代码向SQL injection开放。使用mysqli with prepared statements或PDO with prepared statements，他们更安全。

<强> 旁注：

如果您的表名确实称为table，请将其包装在反引号中（只是一个洞察力）。

$sql = "SELECT Name from `table`...

它是reserved keyword

将错误报告添加到文件的顶部。

error_reporting(E_ALL);
ini_set('display_errors', 1);

和or die(mysql_error())到mysql_query()

编辑：重写

<?php
try 
{
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);  
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid); 
echo $emailid;
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
$result = mysql_query($sql);
echo $result;
if(!$result) { echo "<p class='error'>Error: No such email address</p>"; }
// note that the if is asking if there is no result
else {
while ($row = mysql_fetch_assoc($result)) { 
echo "<p class='success'>Welcome " . $row['Name'] . "!!</p>";
}
} // end

//mysql_query(" // suggest here to validate against emails in db");
mysql_close($connection);
echo "SUCCESS";
}
catch(Exception $e)
{
echo $e->getMessage();
// Note: Log the error or something
}
?>

编辑＃2 （帮忙）

<?php

$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);  
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid); 
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
$result = mysql_query($sql);

//  if($result) {
if(mysql_num_rows($result) > 0){
header("Location: page2.php");
exit;
}

else {

echo "<p class='error'>Error: No such email address</p>"; 

} // brace for else

mysql_close($connection);

?>

Answer 2

你可以尝试一下吗？它可能是连接问题

$sql = "SELECT Name from table WHERE email=" . $_POST['email'];

到

$sql = "SELECT Name from table WHERE email='". $_POST['email']."'";

由于POST

中的单引号，它也会失败

必须为fred post

等安全创建变量和cal

$email=$_POST['email'];

$sql = "SELECT Name from table WHERE email='". $email."'";

或者我们可以做这样的事情

$sql = "SELECT Name from table WHERE email='".mysql_real_escape_string(stripslashes($_POST['email']))."'";

Answer 3

您也可以使用：

$emailid = $_POST['email'];
// or beter: $emailid = mysql_real_escape_string($_POST['email']);

$sql = "SELECT `Name` FROM `table` WHERE email='$emailid'";

函数mysql_real_escape_string（）用于安全使用$ emailid。

php哪里查询不起作用

3 个答案: