Question

如果我使用查询

运行它

"SELECT * FROM users";

它返回我的结果。但是一旦我运行这个

$username = $_POST['username'];
$password = $_POST['password'];

$login = "SELECT * FROM users WHERE name= ".$username." AND password= ".$password."";

它没有。

如果我在没有变量的情况下在Mysql工作台中运行它。如果我运行echo $ _POST值，它们会正确通过。我很难过，我做错了请P !!帮我。我还通过https://phpcodechecker.com/运行了我的代码，它无法在我的代码中看到任何错误。这是完整的功能。

function login($username,$password){
global $db_conn;
$conn = new mysqli($db_conn['servername'], $db_conn['username'], $db_conn['password'], $db_conn['dbname']);
$username = $_POST['username'];
$password = $_POST['password'];

$login = "SELECT * FROM users WHERE name= ".$username." AND password= ".$password."";
    $login_result = $conn->query($login);

    if ($login_result->num_rows > 0) {

        $output = array();
        while($row = $login_result->fetch_assoc()) {
            $output[] = $row;
            echo "".$row['name']."-".$row['password']."<br>";
        }
        } else {
            echo "Invaild Login Details!"."<br>" ;
            $conn->close();
            return false;
        }
}

每次出现＆＃34;无效的登录详情！＆＃34;但我知道他们的结果会被归还。

我做错了什么？

Answer 1

像这样更改查询

$login = "SELECT * FROM users WHERE name= '$username' AND password= '$password'";

注意：这种方法很容易受到sql注入攻击。尝试准备好的陈述以避免它

Answer 2

尝试使用''(single quote)进行比较name and password

"SELECT * FROM users WHERE name= '".$username."' AND password= '".$password."'";

Answer 3

$login = "SELECT * FROM users WHERE name = '{$username}' AND password = 
'{$password}' ";

Answer 4

你可以简单地指定变量，不需要去字符串追加来构造php中的查询

例如：

Query = "SELECT * FROM `users` where username = '$username' AND  password = '$password' " ;

Answer 5

尝试以下代码

$login = "SELECT * FROM users WHERE name= '".$username."' AND password= '".$password."'";

Mysql Query没有返回我的结果

5 个答案: