我在php和MySql上运行测试,其中包含一个输入搜索栏和一个简报子目录。它们都可以工作,但不能同时工作:如果我有搜索栏和订阅输入,并且我尝试从搜索中获得结果,我会从子目录中获取php消息(需要电子邮件...)。如果删除子表单,则查询搜索有效...
代码:
<?php
require('MGconfig.php');
if (isset($_GET["game"]) && $_GET["game"]!="") {
$mysearch = htmlspecialchars($_GET["game"]);
$result = $connection->query("select title, genre from games wher title like '%" . $mysearch ."%' or genre like '%" . $mysearch ."%'");
}
?>
<h2>Search game</h2>
<form>
<input name="game" id="game" class="form-control" type="text" />
</form>
<table class="table table-hover">
<thead>
<tr>
<th>Title</th>
<th>Genre</th>
</tr>
</thead>
<?php
//while($row = mysqli_fetch_assoc($result)){
foreach ($result as $row) {
echo "<tr>";
echo "<td>".$row["title"]. "</td><td>".$row["genre"]."</td>";
echo "</tr>";
}
?>
</table>
</div>
<?php
$error="";
$sucessMessage="";
if (($_POST)){
if( $_POST["email"]===""){
$error = "An email is required!";
}
if ($error!=""){
$error = '<div class="error">'.$error.'</div>';
}
else{
require("MGconfig.php");
$email = mysqli_real_escape_string($connection, $_POST["email"]);
// check if user mail is already on DB
$result=mysqli_query($connection, "select email from newsletter where email = '".$email."'");
//if there is a result, inform user that email is already regis
if (mysqli_num_rows($result)>0){
$error = '<div class="error">Email already registred</div>';
}else{
//check id for new registration
$result=mysqli_query($connection, "select max(id) from newsletter");
$row=mysqli_fetch_row($result);
$id = $row[0]+1;
$insert ="insert into newsletter(id, email) values (".$id.",'".$email."')";
//Execute insert on the DB
mysqli_query($connection, $insert);
// Check if there was an error executing the insert
if (!$result){
$error ='<div class="error">Fail to register</div>'.mysqli_error($connection);
}else{
$sucessMessage ='<div class="error">Thank you for registring!</div>';
}
}
}
}
?>
<div class="subscribe">
<form method="post">
<label style="font-size:20px">Subscribe our Newsletter!</label>
<input type="email" id="email" name="email" class="newsletter" placeholder=" enter your email here ">
<div class="error">
<?php echo $error;?>
</div>
<div class="error">
<?php echo $sucessMessage;?>
</div>
</form>
</div>
答案 0 :(得分:0)
首先,您很容易受到sql injection attacks的攻击。 htmlspecialchars()
不是一种防御,与SQL完全无关。
其次,你有一个SQL语法错误,因为你绝对没有错误处理,只是ASSUMING查询永远不会失败,你无法检测到失败:
$result = $connection->query("select title, genre from games wher title [..snip..]
missing E---^