PDO query checking for a duplicate username on submit

Time: 2011-08-04 01:54:04

Tags: php mysql pdo

Error: Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING on line 7

Trying to set up this connection with PDO and, when the fields are submitted, check whether the username already exists.

HTML:

<form action="inc/check_regUsr.php" method="post" id="userLogon">
    <div class="field required">
        Username: <input type="text" name="regduser" tabindex="1" /><br />
    </div>
    <div class="field required">
        Password: <input type="password" name="regdpass" tabindex="2" /><br />
    </div>
    <input type="submit" name="submitUser" />
</form>

PHP

<?php
#Login Details
require_once('dbcred.php');
$conn = new PDO("mysql:host=$host;dbname=$db", $user, $pass);

#Check for Existing User
$q = $conn->query("SELECT uname FROM Student WHERE $_POST['regduser'] = uname");
$stmt = $conn->prepare($q);
$r->execute($q);
if($q($r)>= 1){ #if there are 1 or more users with enter username, deny.
echo "Sorry, username already exists";
}
else{
echo "Success";
}

?>

2 answers:

Answer 0 (score: 0)

Wrap complex variables in {} inside double-quoted strings:

$q = $conn->query("SELECT uname FROM Student WHERE {$_POST['regduser']} = uname");
// -----------------------------------------------^^^^^^^^^^^^^^^^^^^^^

It looks like your SQL WHERE clause is backwards and is missing quotes. It should be

WHERE uname = '{$_POST['regduser']}'

You also have another problem: you call $conn->query() first and then try to create a prepared statement from it.

The call to query() is unnecessary and actually dangerous. Instead, create a proper prepared statement with a ? placeholder:

$stmt = $conn->prepare("SELECT uname FROM Student WHERE uname = ?");
$stmt->bindParam(1, $_POST['regduser'], PDO::PARAM_STR);
$stmt->execute();

Answer 1 (score: 0)

Since you are already using PDO, you can take advantage of its parameter feature, which provides strong protection against SQL injection attacks.

$conn = new PDO("mysql:host=$host;dbname=$db", $user, $pass);

$stmt = $conn->prepare("SELECT uname FROM Student WHERE ? = uname");
$params = array($_POST['regduser']);
$stmt->execute($params);
if ($stmt->rowCount() > 0) {
    echo "Sorry, username already exists";
}
else {
    echo "Success";
}
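Putting both answers together, here is a complete check_regUsr.php as an added example (not code from the question or either answer). It assumes, as the question does, that dbcred.php defines $host, $db, $user and $pass and that table Student has a column uname; it uses COUNT(*) with fetchColumn() rather than rowCount(), since rowCount() is not guaranteed to report SELECT results for every PDO driver.

```php
<?php
// Added example: duplicate-username check with a PDO prepared statement.
// Assumes dbcred.php defines $host, $db, $user, $pass (as in the question).
require_once 'dbcred.php';

// Throw exceptions on errors so a failed query cannot be mistaken for
// "no such user"; disable emulated prepares so the server does the binding.
$conn = new PDO(
    "mysql:host=$host;dbname=$db;charset=utf8mb4",
    $user,
    $pass,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * Returns true when a row with the given username already exists.
 * The username travels as a bound parameter, never inside the SQL string,
 * so input such as  x' OR '1'='1  is compared literally as a username.
 */
function usernameExists(PDO $conn, string $uname): bool
{
    $stmt = $conn->prepare('SELECT COUNT(*) FROM Student WHERE uname = ?');
    $stmt->execute([$uname]);
    return (int) $stmt->fetchColumn() > 0;
}

// Reject an empty field before touching the database.
$regduser = trim($_POST['regduser'] ?? '');
if ($regduser === '') {
    echo 'Username is required';
    exit;
}

if (usernameExists($conn, $regduser)) {
    echo 'Sorry, username already exists';
} else {
    echo 'Success';
}
```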