php哪里查询不起作用

时间:2014-09-04 13:06:07

标签: php html mysql

我是PHP的新手,我的要求是检查数据库中的用户电子邮件ID,如果存在,请导航到下一页。但是通过SQL查询不能在PHP中工作,并且在SQL数据库中工作。

我的数据库结构:

enter image description here

我的HTML代码:index.html

<!DOCTYPE html>
<html>
<body>
<form action="checkform.php" method="post">
E-mail: <input type="email" name="email" autocomplete="off"><br>
<input type="submit">
</form>
</body> 
</html>

PHP:checkform.php

<?php
try 
{
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);  
$emailid = $_POST['email']; 
echo $emailid;
$sql = "SELECT Name from table WHERE email=" . $_POST['email'];
$result = mysql_query($sql);
echo $result;
if(!$result) { echo "<p class='error'>Error: No such email address</p>"; }
// note that the if is asking if there is no result
else {
while ($row = mysql_fetch_assoc($result)) { 
echo "<p class='success'>Welcome " . $row['Name'] . "!!</p>";
}
} // end

//mysql_query(" // suggest here to validate against emails in db");
mysql_close($connection);
echo "SUCCESS";
}
catch(Exception $e)
{
echo $e->getMessage();
// Note: Log the error or something
}
?>

我的page2.html

<!DOCTYPE html>
<html>
<body>
<h1> Welcome to Page 2</h1>
</body> 
</html>

但是当运行index.html页面时,面临错误:(最终没有执行mysql查询),但是运行sql查询是成功的

Error: No such email address
SUCCESS

PHP查询(失败)

$sql = "SELECT `Name` FROM `table` WHERE email=\'jxxx@gmail.com\'";

SQL查询(成功)

SELECT `Name` FROM `table` WHERE email='jxxx@gmail.com'

为什么无法运行查询?

3 个答案:

答案 0 :(得分:6)

按照约翰的要求:

使用引号

WHERE email= '".$emailid."'

$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid);
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";

$emailid = $_POST['email'];

一起使用

而不是

WHERE email=" . $_POST['email']

这会导致错误,并且在使用该方法时对SQL注入开放。

您目前的代码向SQL injection开放。使用mysqli with prepared statementsPDO with prepared statements他们更安全


<强> 旁注:

如果您的表名确实称为table,请将其包装在反引号中(只是一个洞察力)。

$sql = "SELECT Name from `table`...

将错误报告添加到文件的顶部。

error_reporting(E_ALL);
ini_set('display_errors', 1);

or die(mysql_error())mysql_query()


编辑:重写

<?php
try 
{
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);  
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid); 
echo $emailid;
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
$result = mysql_query($sql);
echo $result;
if(!$result) { echo "<p class='error'>Error: No such email address</p>"; }
// note that the if is asking if there is no result
else {
while ($row = mysql_fetch_assoc($result)) { 
echo "<p class='success'>Welcome " . $row['Name'] . "!!</p>";
}
} // end

//mysql_query(" // suggest here to validate against emails in db");
mysql_close($connection);
echo "SUCCESS";
}
catch(Exception $e)
{
echo $e->getMessage();
// Note: Log the error or something
}
?>

编辑#2 (帮忙)

<?php

$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);  
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid); 
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
$result = mysql_query($sql);

//  if($result) {
if(mysql_num_rows($result) > 0){
header("Location: page2.php");
exit;
}

else {

echo "<p class='error'>Error: No such email address</p>"; 

} // brace for else

mysql_close($connection);

?>

答案 1 :(得分:2)

你可以尝试一下吗?它可能是连接问题

$sql = "SELECT Name from table WHERE email=" . $_POST['email'];

$sql = "SELECT Name from table WHERE email='". $_POST['email']."'";

由于POST

中的单引号,它也会失败

必须为fred post

等安全创建变量和cal
$email=$_POST['email'];

$sql = "SELECT Name from table WHERE email='". $email."'";

或者我们可以做这样的事情

$sql = "SELECT Name from table WHERE email='".mysql_real_escape_string(stripslashes($_POST['email']))."'";

答案 2 :(得分:0)

您也可以使用:

$emailid = $_POST['email'];
// or beter: $emailid = mysql_real_escape_string($_POST['email']);

$sql = "SELECT `Name` FROM `table` WHERE email='$emailid'";

函数mysql_real_escape_string()用于安全使用$ emailid。