在插入数据库之前检查MySQL中的记录

时间:2015-01-25 13:04:04

标签: php mysql dreamweaver

我正在创建一个预订系统,客户将填写预订表格(位置,课堂,时间和日期)。

我的问题是在将数据插入数据库之前检查输入的记录。如果LOCATION,CLASSROOM,TIME和DATE已经在数据库中插入/获取/保留,则系统将提示“已经保留位置,日期和时间”这样的消息,否则它将被插入到数据库中。我运行此代码,但它仍记录相同的位置,教室,日期,时间。这段代码有问题吗?

$res_location = isset($_POST['res_location']) ;
$res_classroom = isset($_POST['res_classroom']) ;
$res_inclusive_date = isset($_POST['res_inclusive_date']);
$res_inclusive_time_start = isset($_POST['res_inclusive_time_start']) ;

// Build the query
$query = sprintf("SELECT Location_Faculty FROM tbl_reservation WHERE Location_Faculty=%s AND Classroom=%s AND Inclusive_Date=%s AND Inclusive_Time=%s ",
 GetSQLValueString($res_location, "text"),
 GetSQLValueString($res_classroom, "text"),
 GetSQLValueString($res_inclusive_date, "date"),
 GetSQLValueString($res_inclusive_time_start, "date"));

$result = mysql_query($query) or die(mysql_error() . '<hr />' . $query);
$num_rows = mysql_num_rows($result);
if( $num_rows >= 1){
   // then the record already exists
echo "Duplicate entry";
} 
else{
//insert query
}

由于“GetSQLValueString”功能,它是免费的SQL注入。 干杯和Godbless!

2 个答案:

答案 0 :(得分:1)

您可以检查插入的行数:

if(mysql_num_rows($Result1) > 0){
   //row is inserted
}

或者您可以在插入之前运行SELECT查询,并检查是否返回了一行。

另一种选择是update the record if it is already inserted

答案 1 :(得分:1)

在将数据插入数据库以检查预订之前,您需要运行查询。

这样的事可能

// This function helps you escape the data before you use them in database
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

// prep you data properly. You can use the GetSQLValueString() function to
// escape the inputs, just set it to the required type.
// if some $_POST value is not set, then you can set a default one here
$res_location = isset($_POST['res_location']) ? GetSQLValueString($_POST['res_location'], 'text') : ' set a defaule value here';
$res_classroom = isset($_POST['res_classroom']) ? GetSQLValueString($_POST['res_classroom'], 'text') : ' set a defaule value here';
$res_inclusive_date = isset($_POST['res_inclusive_date']) ? GetSQLValueString($_POST['res_location'], 'date') : ' set a defaule value here';
$res_inclusive_time_start = isset($_POST['res_inclusive_time_start']) ? GetSQLValueString($_POST['res_inclusive_time_start'], 'text') : ' set a defaule value here';

// Build the query
$query = "SELECT * FROM `tbl_reservation` WHERE `Location_Faculty` = '{$res_location}' AND `Classroom` = '{$res_classroom}' AND `Inclusive_Date` = '{$res_inclusive_date}' AND `Inclusive_Time` = '{$res_inclusive_time_start}' ";

$result = mysql_query($query) or die(mysql_error() . '<hr />' . $query);
if(mysql_num_rows($result) > 0){
   // then the record already exists
echo "Duplicate entry";
} else {
   // save to database
}

请注意它的sql注入的valnuerable,所以你必须逃避你的输入,并尝试使用mysqli或pdo而不是旧的mysql函数

相关问题
最新问题