伙计们,请在显示记录时检查我的代码..
<?php
include("db.php");
$username=$_POST['username'];
$email=$_POST['email'];
$query="SELECT * FROM members where username = '$username'";
$result=mysql_query($query);
$num=mysql_numrows($result);
mysql_close();
?> <br /> <p></p>
Welcome back! Your details below: <br /><br />
<table border="1" cellspacing="2" cellpadding="5">
<tr>
<th>First Name</th>
<th>Last Name</th>
<th>User Name</th>
<th>Email</th>
<th>Age</th>
</tr>
<?
$i = 0;
while ($i < $num) {
$firstname=mysql_result($result, $i, 'firstname');
$lastname=mysql_result($result, $i, 'lastname');
$username=mysql_result($result, $i, 'username');
$email=mysql_result($result, $i, 'email');
$age= mysql_result($result, $i, 'age');
?>
<tr>
<td><? echo $firstname ?></td>
<td><? echo $lastname ?></td>
<td><? echo $username ?></td>
<td><? echo $email ?></td>
<td><? echo $age ?></td>
</tr>
<?
$i++;
}
echo "</table>"; ?>
是正确的吗?
: - (
答案 0 :(得分:0)
您的代码不正确。
phpcs test.php
FILE: /tmp/test.php
--------------------------------------------------------------------------------
FOUND 4 ERROR(S) AND 1 WARNING(S) AFFECTING 4 LINE(S)
--------------------------------------------------------------------------------
2 | ERROR | Missing file doc comment
3 | ERROR | "include" is a statement, not a function; no parentheses are
| | required
3 | ERROR | File is being unconditionally included; use "require" instead
25 | ERROR | Short PHP opening tag used. Found "<?" Expected "<?php".
29 | WARNING | Inline control structures are discouraged
--------------------------------------------------------------------------------
答案 1 :(得分:0)
您的代码没有任何致命错误,但我会做出一些非常基本的改动:
<?php
include "db.php";
$username=$_POST['username'];
$email=$_POST['email'];
// added mysql_real_escape_string to prevent sql injection
$query="SELECT * FROM `members` where `username` = '".mysql_real_escape_string($username)."'";
// added an or die clause to check for SQL errors
$result=mysql_query($query)or die(mysql_error());
// use of mysql_fetch_assoc to put user data into associative array
$user = mysql_fetch_assoc($result);
mysql_close();
?> <br /> <p></p>
Welcome back! Your details below: <br /><br />
<table border="1" cellspacing="2" cellpadding="5">
<tr>
<th>First Name</th>
<th>Last Name</th>
<th>User Name</th>
<th>Email</th>
<th>Age</th>
</tr>
<?php
// removed unnecessary loop as i'd assume the username will only be in the database once
$firstname= $user['firstname'];
$lastname= $user['lastname'];
$username= $user['username'];
$email= $user['email'];
$age= $user['age'];
?>
<tr>
<td><? echo $firstname ?></td>
<td><? echo $lastname ?></td>
<td><? echo $username ?></td>
<td><? echo $email ?></td>
<td><? echo $age ?></td>
</tr>
</table>
答案 2 :(得分:0)
$username=$_POST['username']; $email=$_POST['email'];
$query="SELECT * FROM members where username = '$username'";
搜索“sql注入”的stackoverflow,也可以搜索“预备语句”。
<td><? echo $firstname ?></td>
与sql语句容易进行sql注入的方式相同,这一行可能是注入html代码的原因。请改用<td><?php echo htmlspecialchars($firstname); ?></td>。
$email=$_POST['email'];
为什么那里?在$email=mysql_result($result, $i, 'email');之前,您不会再次使用$ email。我的猜测是你的原始查询测试了用户名和电子邮件地址?
$i = 0;
while ($i < $num) {
mysql_result($result, $i,
i++
...
数据库表中可以有多少个具有相同用户名的成员?超过一个?如果没有,为什么要使用while循环?
$firstname=mysql_result($result, $i, 'firstname');
$lastname=mysql_result($result, $i, 'lastname');
$username=mysql_result($result, $i, 'username');
$email=mysql_result($result, $i, 'email');
$age= mysql_result($result, $i, 'age');
而不是五次拨打mysql_result(),只需拨打mysql_fetch_array()即可。速度可能不是一个问题,但它又增加了一点点复杂性,这对我来说似乎是不必要的,当你使用mysql_fetch_xyz()时,你只需要担心一个变量(一个数组或一个对象)而不是 #columns 变量