我在php表单中有以下内容,而无论我输入数据库中已有的电子邮件地址,还是新的电子邮件地址,响应似乎都不是我想要的。任何帮助都很感激。
$eMailAddress = $_POST['eMailAddress'];
$sql = sprintf("SELECT eMailAddress FROM Membership WHERE eMailAddress='$eMailAddress' LIMIT 1");
$result = mysqli_query($conn, $sql);
if ($result) {
echo "Sorry your email is already in the system";
} else {
// proceed with inserting record into database
}
$row = mysql_fetch_row($result);
答案 0 :(得分:3)
如果您不介意尝试此代码并告诉我。我使用mysqli_准备好的语句对此进行了编码,使其具有SQL注入证明。您应该查看使用预准备语句。
使用mysqli预先准备好的陈述
$sql = $conn -> prepare("SELECT eMailAddress FROM Membership WHERE eMailAddress=?");
$sql -> bind_param("s", $_POST['eMailAddress']);
$sql -> execute();
$rowCounts = $sql -> num_rows();
if ($rowCounts > 0){
echo "Sorry your email is already in the system";
}else{
// proceed with inserting record into database
}
$row = $sql -> fetch_assoc();
使用PDO预先准备好的陈述
$sql = $conn -> prepared("SELECT eMailAddress FROM Membership WHERE eMailAddress=:email");
$sql -> bindParam(':email', $_POST['eMailAddress'], PDO:: PARAM_STR);
$sql -> execute();
$rowCounts = $sql -> rowCount();
if ($rowCounts > 0){
echo "Sorry your email is already in the system";
}else{
// proceed with inserting record into database
}
$row = $sql -> fetch(PDO::FETCH_ASSOC);
答案 1 :(得分:0)
我把它改写成如下,现在正在运作。
$sql="SELECT eMailAddress FROM Membership WHERE eMailAddress='$eMailAddress'";
if ($result=mysqli_query($conn,$sql))
{
// Return the number of rows in result set
$rowcount=mysqli_num_rows($result);
if ($rowcount > 0) {
echo "Your email address is already in our database. Please try again.";
} else {
// proceed with inserting new row
}
}
mysqli_free_result($result);