我有一个用户填写的表单,它所访问的操作页面基本上只是将所有post_variables转换为session_variables,它会在数据库中查询可能与用户提交的电子邮件地址相匹配的电子邮件地址。如果找到匹配的行数等于一个或多个,我想将用户引导到一个告诉他们电子邮件已被使用的页面,否则他们将指向另一个php页面,其中所有信息都将被写入数据库。
由于某些原因,它不起作用 - 即使表中的行具有相同的地址,php(或mysql)也找不到任何匹配项。
希望有人可以为我指出这一点。我在LAMP上使用php 5.0。
这是页面上的代码,表单“actions”为:
<?PHP
session_start();
$dbhost = 'somewhere.net';
$dbuser = 'someUser';
$dbpass = 'pass'
$dbname = 'medrecruit';
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die (mysql_error($conn));
mysql_select_db($dbname) or die(mysql_error($conn));
if (isset($_POST['submit'])) {
$_SESSION['name'] = mysql_real_escape_string($_POST['name']);
$_SESSION['smacker'] = mysql_real_escape_string($_POST['smacker']);
$_SESSION['password'] = mysql_real_escape_string($_POST['confpassword']);
$_SESSION['surname'] = mysql_real_escape_string($_POST['surname']);
$_SESSION['gender'] = $_POST['gender'];
$_SESSION['age'] = mysql_real_escape_string($_POST['age']);
$_SESSION['nationality'] = mysql_real_escape_string($_POST['nationality']);
$_SESSION['email'] = mysql_real_escape_string($_POST['email']);
$_SESSION['telnr'] = mysql_real_escape_string($_POST['telnr']);
$_SESSION['special'] = mysql_real_escape_string($_POST['special']);
$_SESSION['qf1'] = mysql_real_escape_string($_POST['qf1']);
$_SESSION['qf2'] = mysql_real_escape_string($_POST['qf2']);
$_SESSION['qf3'] = mysql_real_escape_string($_POST['qf3']);
$_SESSION['qf4'] = mysql_real_escape_string($_POST['qf4']);
$_SESSION['qf5'] = mysql_real_escape_string($_POST['qf5']);
$_SESSION['qf6'] = mysql_real_escape_string($_POST['qf6']);
$_SESSION['qf7'] = mysql_real_escape_string($_POST['qf7']);
$_SESSION['qf8'] = mysql_real_escape_string($_POST['qf8']);
$_SESSION['qf9'] = mysql_real_escape_string($_POST['qf9']);
$_SESSION['qf10'] = mysql_real_escape_string($_POST['qf10']);
$_SESSION['cv'] = mysql_real_escape_string($_POST['cv']);
$_SESSION['activationkey'] = mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();
$newmail = mysql_real_escape_string($_POST['email']);
$query = "SELECT * FROM employee WHERE email = '$newmail'";
$result = mysql_query($query);
if(mysql_num_rows($result) >= 1){
header("Location: noemail.html");
}
header("Location: insert.php");
}
?>
答案 0 :(得分:2)
这里有你错误的报价,一开始就是:
$query = 'SELECT * FROM employee WHERE email = ".$_POST["email"]."';
不插入单引号(')。双引号(')是。此外,您不应该在查询中直接使用$_POST["email"] - 这是一个安全漏洞,可能会被滥用。我假设您知道这一点,因为您已经使用$newemail来保存转义版本。试试这个:
$query = "SELECT * FROM employee WHERE email = '$newmail'";