我是PHP的新手,我的要求是检查数据库中的用户电子邮件ID,如果存在,请导航到下一页。但是通过SQL查询不能在PHP中工作,并且在SQL数据库中工作。
我的数据库结构:
我的HTML代码:index.html
<!DOCTYPE html>
<html>
<body>
<form action="checkform.php" method="post">
E-mail: <input type="email" name="email" autocomplete="off"><br>
<input type="submit">
</form>
</body>
</html>
PHP:checkform.php
<?php
try
{
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);
$emailid = $_POST['email'];
echo $emailid;
$sql = "SELECT Name from table WHERE email=" . $_POST['email'];
$result = mysql_query($sql);
echo $result;
if(!$result) { echo "<p class='error'>Error: No such email address</p>"; }
// note that the if is asking if there is no result
else {
while ($row = mysql_fetch_assoc($result)) {
echo "<p class='success'>Welcome " . $row['Name'] . "!!</p>";
}
} // end
//mysql_query(" // suggest here to validate against emails in db");
mysql_close($connection);
echo "SUCCESS";
}
catch(Exception $e)
{
echo $e->getMessage();
// Note: Log the error or something
}
?>
我的page2.html
<!DOCTYPE html>
<html>
<body>
<h1> Welcome to Page 2</h1>
</body>
</html>
但是当运行index.html页面时,面临错误:(最终没有执行mysql查询),但是运行sql查询是成功的
Error: No such email address
SUCCESS
PHP查询(失败)
$sql = "SELECT `Name` FROM `table` WHERE email=\'jxxx@gmail.com\'";
SQL查询(成功)
SELECT `Name` FROM `table` WHERE email='jxxx@gmail.com'
为什么无法运行查询?
答案 0 :(得分:6)
按照约翰的要求:
使用引号
WHERE email= '".$emailid."'
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid);
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
与$emailid = $_POST['email'];
而不是
WHERE email=" . $_POST['email']
这会导致错误,并且在使用该方法时对SQL注入开放。
您目前的代码向SQL injection开放。使用mysqli
with prepared statements或PDO with prepared statements,他们更安全。
<强> 旁注: 强>
如果您的表名确实称为table
,请将其包装在反引号中(只是一个洞察力)。
$sql = "SELECT Name from `table`...
将错误报告添加到文件的顶部。
error_reporting(E_ALL);
ini_set('display_errors', 1);
和or die(mysql_error())
到mysql_query()
编辑:重写
<?php
try
{
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid);
echo $emailid;
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
$result = mysql_query($sql);
echo $result;
if(!$result) { echo "<p class='error'>Error: No such email address</p>"; }
// note that the if is asking if there is no result
else {
while ($row = mysql_fetch_assoc($result)) {
echo "<p class='success'>Welcome " . $row['Name'] . "!!</p>";
}
} // end
//mysql_query(" // suggest here to validate against emails in db");
mysql_close($connection);
echo "SUCCESS";
}
catch(Exception $e)
{
echo $e->getMessage();
// Note: Log the error or something
}
?>
编辑#2 (帮忙)
<?php
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid);
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
$result = mysql_query($sql);
// if($result) {
if(mysql_num_rows($result) > 0){
header("Location: page2.php");
exit;
}
else {
echo "<p class='error'>Error: No such email address</p>";
} // brace for else
mysql_close($connection);
?>
答案 1 :(得分:2)
$sql = "SELECT Name from table WHERE email=" . $_POST['email'];
到
$sql = "SELECT Name from table WHERE email='". $_POST['email']."'";
由于POST
中的单引号,它也会失败必须为fred post
等安全创建变量和cal$email=$_POST['email'];
$sql = "SELECT Name from table WHERE email='". $email."'";
或者我们可以做这样的事情
$sql = "SELECT Name from table WHERE email='".mysql_real_escape_string(stripslashes($_POST['email']))."'";
答案 2 :(得分:0)
您也可以使用:
$emailid = $_POST['email'];
// or beter: $emailid = mysql_real_escape_string($_POST['email']);
$sql = "SELECT `Name` FROM `table` WHERE email='$emailid'";
函数mysql_real_escape_string()用于安全使用$ emailid。