我正在尝试查看我的数据库中是否已存在用户名或电子邮件地址。我现在可以连接到我的数据库并从我的注册表单中检索数据。但是,我的SQL语句无法检查我的数据库以查看用户是否存在。感谢任何帮助。谢谢。
<?php
require 'database.php';
$conn = Connect();
if ($conn == true){
echo "Successfully connected to database. <br><br>";}
$username = $_POST['screenname'];
$password = $_POST['password'];
$email = $_POST['email'];
echo "$username<br>"; //just checkin if it can grab data
echo "$password<br>";
echo "$email<br>";
$sql=mysql_query("SELECT * FROM users WHERE screenname = '$username'");
if(mysql_num_rows($sql)>=1)
{
echo "Username already exists";
}
else
{
//insert query goes here
}
$sql2=mysql_query("SELECT * FROM users WHERE email = '$email'");
if(mysql_num_rows($sql2)>=1)
{
echo "Email already exists";
}
else
{
//insert query
}
?>
答案 0 :(得分:0)
修复了逻辑,编程和安全(SQL注入攻击)错误:
<?php
require 'database.php';
$conn = Connect();
if ($conn == true){
echo "Successfully connected to database. <br><br>";
}
$username = $_POST['screenname'];
$password = $_POST['password'];
$email = $_POST['email'];
echo "$username<br>"; //just checkin if it can grab data
echo "$password<br>";
echo "$email<br>";
$sql= sprintf("SELECT * FROM users WHERE screenname='%s' OR email='%s'",
mysql_real_escape_string($username),
mysql_real_escape_string($email)
);
if(mysql_num_rows($sql)>=1)
{
echo "Username or e-mail already exists";
}
else
{
//insert query goes here
}