PHP:搜索栏并插入电子邮件

时间:2016-07-28 15:45:33

标签: php mysql

我在php和MySql上运行测试,其中包含一个输入搜索栏和一个简报子目录。它们都可以工作,但不能同时工作:如果我有搜索栏和订阅输入,并且我尝试从搜索中获得结果,我会从子目录中获取php消息(需要电子邮件...)。如果删除子表单,则查询搜索有效...

代码:         

    <?php

        require('MGconfig.php');

        if (isset($_GET["game"]) && $_GET["game"]!="") {

          $mysearch = htmlspecialchars($_GET["game"]);
        $result = $connection->query("select title, genre from games wher    title like '%" . $mysearch ."%' or genre like '%" . $mysearch ."%'");



         }
    ?>
<h2>Search game</h2>

            <form>
                <input name="game" id="game" class="form-control" type="text" />
            </form>

            <table class="table table-hover">
                <thead>
                    <tr>
                        <th>Title</th>
                        <th>Genre</th>
                    </tr>
                </thead>
                <?php
      //while($row = mysqli_fetch_assoc($result)){
      foreach ($result as $row) {
        echo "<tr>";
        echo "<td>".$row["title"]. "</td><td>".$row["genre"]."</td>";
        echo "</tr>";
      }

    ?>
            </table>


    </div>

<?php

$error="";
$sucessMessage="";
if (($_POST)){

    if( $_POST["email"]===""){
        $error = "An email is required!";
    }


    if ($error!=""){
        $error = '<div class="error">'.$error.'</div>';

    }
    else{

        require("MGconfig.php");


        $email = mysqli_real_escape_string($connection, $_POST["email"]);


        // check if user mail is already on DB
        $result=mysqli_query($connection, "select email from newsletter where email = '".$email."'");

        //if there is a result, inform user that email is already regis

        if (mysqli_num_rows($result)>0){
            $error = '<div class="error">Email already registred</div>';
        }else{

        //check id for new registration
        $result=mysqli_query($connection, "select max(id) from newsletter");
        $row=mysqli_fetch_row($result);
        $id = $row[0]+1;

$insert ="insert into newsletter(id, email) values (".$id.",'".$email."')";

        //Execute insert on the DB

    mysqli_query($connection, $insert);

             // Check if there was an error executing the insert
        if (!$result){
            $error ='<div class="error">Fail to register</div>'.mysqli_error($connection);

        }else{
            $sucessMessage ='<div class="error">Thank you for registring!</div>';

        }
      }  
    }
}


?>
<div class="subscribe">

                <form method="post">
                    <label style="font-size:20px">Subscribe our Newsletter!</label>
                    <input type="email" id="email" name="email" class="newsletter" placeholder="       enter your email here                 ">
                    <div class="error">
                        <?php echo $error;?>
                    </div>
                    <div class="error">
                        <?php echo $sucessMessage;?>
                    </div>
                </form>
            </div>

1 个答案:

答案 0 :(得分:0)

首先,您很容易受到sql injection attacks的攻击。 htmlspecialchars() 是一种防御,与SQL完全无关。

其次,你有一个SQL语法错误,因为你绝对没有错误处理,只是ASSUMING查询永远不会失败,你无法检测到失败:

$result = $connection->query("select title, genre from games wher    title [..snip..]
                                                     missing E---^