有2个表
student_info(用户名,名字,姓氏,密码,电子邮件,联系年龄)
和
student_course_info(用户名{FK},主题,初学者)。
我想显示登录用户的所有信息。
<?php
$con=mysqli_connect("localhost","root","","elearning");
// Check connection
if (mysqli_connect_errno())
echo "Failed to connect to MySQL: " . mysqli_connect_error();
if (isset($_SESSION["username"]))
{
$_POST["username"]=$_SESSION["username"];
$user=$_POST["username"];
}
$result = mysqli_query($con,""SELECT * FROM student_info , student_course_info
WHERE student_info.username=student_course_info.username
AND student_info.username=$user AND student_course_info.username=$user
"
");
if($_SESSION["username"]) {
echo "<table border='1'>";
while($row = mysqli_fetch_array($result)) {
echo "<tr>";
echo "<td>username</td>";
echo "<td>" . $row['username'] . "</td>";
echo "<tr>";
echo "<tr>";
echo "<td>First Name</td>";
echo "<td>" . $row['firstname'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Last Name Name</td>";
echo "<td>" . $row['lastname'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Email</td>";
echo "<td>" . $row['email'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>contact</td>";
echo "<td>" . $row['contact'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Age</td>";
echo "<td>" . $row['age'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Subject</td>";
echo "<td>" . $row['subject'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Beginner</td>";
echo "<td>" . $row['beginner'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Level</td>";
echo "<td>" . $row['level'] . "</td>";
echo "</tr>";
}
echo "</table>";
}
mysqli_close($con);
?>
它在$user
处出错。我认为sql查询错误或登录用户名未存储在$user
中。
答案 0 :(得分:0)
$result = mysqli_query($con, "SELECT * FROM student_info, student_course_info
WHERE
student_info.username = '{$user}'
AND
student_info.username = student_course_info.username
");
当然,您应该使用预备语句,而不是仅仅自己构建它。这就是 MySQLi 的重点。
请注意,我在查询的开头和结尾只使用了一个"
而不是""
。
当您明确表示它必须与student_couse_info.username = '{$user}'
相同时,检查student_course.username
是没有意义的。
答案 1 :(得分:0)
我建议你
$strSQL = 'SELECT * FROM student_info , student_course_info
WHERE student_info.username=student_course_info.username
AND student_info.username='.$user.' AND student_course_info.username='.$user.';';
$result = mysqli_query($con,$strSQL);
if(mysqli_errno($con)){ echo 'Query:'.$strSQL.' -- Error description:'. mysqli_error($con);}
我建议您保存查询,如果出现错误,可以打印它并查看错误的位置或在数据库中执行它。
答案 2 :(得分:0)
你的方法有一些问题。
通过会话选择语句
会话数据可以更改或被盗,这意味着我无需密码即可访问用户数据。
SQL注入
当我的用户名为OR 1 = 1时 - 我将收到以下查询。
SELECT
*
FROM
student_info,
student_course_info
WHERE
student_info.username = student_course_info.username
AND
student_info.username=
OR
1=1--
这意味着我将获得我想拥有的所有信息。你应该使用msqli类具有的绑定选项。例如:
$stmt = $mysqli->prepare("SELECT foo FROM foobar WHERE user = ? AND password = ?");
$stmt->bind_param(ss, $username, $password);
// ss says the input is a string.
请参阅选项文档
您的错误
在你的脚本中它可能是""
。在打开字符串后直接关闭它,这样就不会解析你的查询(甚至应该给出PHP错误)。
答案 3 :(得分:-1)
Try it, select Database name
<?php
$con=mysqli_connect("localhost","root","");
// Check connection
if (mysqli_connect_errno())
echo "Failed to connect to MySQL: " . mysqli_connect_error();
mysql_select_db("elearning") or die(" error database");
if (isset($_SESSION['username']))
{
$user= $_SESSION['username'];
$result = mysqli_query($con,"SELECT * FROM student_info , student_course_info WHERE student_info.username=student_course_info.username AND student_info.username='$user' AND student_course_info.username='$user'");
echo "<table border='1'>";
while($row = mysqli_fetch_array($result)) {
echo "<tr>";
echo "<td>username</td>";
echo "<td>" . $row['username'] . "</td>";
echo "<tr>";
echo "<tr>";
echo "<td>First Name</td>";
echo "<td>" . $row['firstname'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Last Name Name</td>";
echo "<td>" . $row['lastname'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Email</td>";
echo "<td>" . $row['email'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>contact</td>";
echo "<td>" . $row['contact'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Age</td>";
echo "<td>" . $row['age'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Subject</td>";
echo "<td>" . $row['subject'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Beginner</td>";
echo "<td>" . $row['beginner'] . "</td>";
echo "</tr>";
echo "<tr>";
echo "<td>Level</td>";
echo "<td>" . $row['level'] . "</td>";
echo "</tr>";
}
echo "</table>";
}
mysqli_close($con);
?>