我正在尝试从数据库中选择数据,这取决于用户并在html代码中回显它,但由于某种原因它不会捕获数据..请参阅下面的代码:
<?php
$loginuser = $_GET['uid'];
$check = mysql_query("select * from users where username='$loginuser'");
while($row = mysql_fetch_array($check)){
$result = $row['email'];
$result = $row['firstname'];
}
?>
<html>
<head>
<title> SIAA Dashboard </title>
</head>
<body>
<h1> User Dashboard </h1>
<p> You should only see this screen if you are a registered user. </p>
<?php
echo "Your username is: " . $loginuser . "<br><br>";
echo "Your first name is: " . $result=$row['firstname'] . " ";
?>
</body>
</html>
如果有人能告诉我我做错了什么,我将不胜感激!
由于
苏海尔。
答案 0 :(得分:2)
除了你的代码很容易注入SQL,因为在将它插入查询之前你没有清理$ __ GET参数'uid'而你正在使用不推荐使用的mysql扩展,你的问题就是行
echo "Your first name is: " . $result=$row['firstname'] . " ";
应阅读
echo "Your first name is: " . $row['firstname'];
此外,您没有建立与数据库的连接。
答案 1 :(得分:2)
一些注意事项:
mysql_...函数:它们已被弃用。请参阅the documentation isset提供:如果uid中缺少$_GET,则访问者将看到PHP警告。?uid='; drop table users;--请求您的php文件,那么您将遇到问题!while循环echo "foo" . $bar = $baz . "something";这样的结构:目前还不清楚。关于如何构建页面的建议:
<html>
<head>
<title> SIAA Dashboard </title>
</head>
<body>
<?php
$loginuser = isset( $_GET['uid'] ) ? $_GET['uid'] : null;
if ( empty( $loginuser ) )
{
echo "Missing parameter!";
}
else
{
$check = mysql_query("select * from users where username='"
. mysql_real_escape_string( $loginuser ) . "'" );
if ( $row = mysql_fetch_array($check) )
{
?>
<h1> User Dashboard </h1>
<p> You should only see this screen if you are a registered user. </p>
Your username is: <?php echo $loginuser; ?>
<br><br>
Your first name is: <?php echo $row['firstname']; ?>
<?php
}
else
{
echo "Unknown user!";
}
}
?>
</body>
</html>
答案 2 :(得分:0)
首先不要使用mysql_ *函数,需要创建一个mysql连接。这仍然是注射的风险,但应该有效。
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$loginuser = $conn->real_escape_string($_GET['uid']);
$sql = "SELECT * FROM `users` WHERE `username` = '$loginuser'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
$data = $result->fetch_assoc();
}
$conn->close();
?>
<html>
<head>
<title> SIAA Dashboard </title>
</head>
<body>
<h1> User Dashboard </h1>
<p> You should only see this screen if you are a registered user. </p>
<?php
echo "Your username is: " . $loginuser . "<br><br>";
echo "Your first name is: " . $data['firstname'] . " ";
?>
</body>
</html>
答案 3 :(得分:0)
/*
* Best to start using PDO for db, If i was you i would rewrite your entire db script and stay away from mysql.
*
*/
$id = $_GET['uid'];
try {
$conn = new PDO('mysql:host=localhost;dbname=myDatabase', $DBusername, $DBpassword);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare('SELECT * FROM users where username= :id');
$stmt->execute(array('id' => $id));
$result = $stmt->fetchAll();
if ( count($result) ) {
foreach($result as $row) {
print_r($row); // $row will give you access for your variables.
}
} else {
echo "No rows returned.";
}
} catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
}
?>
<html>
<head>
<title> SIAA Dashboard </title>
</head>
<body>
<h1> User Dashboard </h1>
<p> You should only see this screen if you are a registered user. </p>
<?php
echo "Your username is: " . $loginuser . "<br><br>";
echo "Your first name is: " . $result=$row['firstname'] . " ";
?>
</body>
</html>