显示的特定记录使用
问题描述:
人请我的代码在显示记录..显示的特定记录使用
<?php
include("db.php");
$username=$_POST['username'];
$email=$_POST['email'];
$query="SELECT * FROM members where username = '$username'";
$result=mysql_query($query);
$num=mysql_numrows($result);
mysql_close();
?> <br /> <p></p>
Welcome back! Your details below: <br /><br />
<table border="1" cellspacing="2" cellpadding="5">
<tr>
<th>First Name</th>
<th>Last Name</th>
<th>User Name</th>
<th>Email</th>
<th>Age</th>
</tr>
<?
$i = 0;
while ($i < $num) {
$firstname=mysql_result($result, $i, 'firstname');
$lastname=mysql_result($result, $i, 'lastname');
$username=mysql_result($result, $i, 'username');
$email=mysql_result($result, $i, 'email');
$age= mysql_result($result, $i, 'age');
?>
<tr>
<td><? echo $firstname ?></td>
<td><? echo $lastname ?></td>
<td><? echo $username ?></td>
<td><? echo $email ?></td>
<td><? echo $age ?></td>
</tr>
<?
$i++;
}
echo "</table>"; ?>
是正确的吗?
:-(
答
没有什么致命的错误与您的代码,但有一些非常基本的改变,我会做:
<?php
include "db.php";
$username=$_POST['username'];
$email=$_POST['email'];
// added mysql_real_escape_string to prevent sql injection
$query="SELECT * FROM `members` where `username` = '".mysql_real_escape_string($username)."'";
// added an or die clause to check for SQL errors
$result=mysql_query($query)or die(mysql_error());
// use of mysql_fetch_assoc to put user data into associative array
$user = mysql_fetch_assoc($result);
mysql_close();
?> <br /> <p></p>
Welcome back! Your details below: <br /><br />
<table border="1" cellspacing="2" cellpadding="5">
<tr>
<th>First Name</th>
<th>Last Name</th>
<th>User Name</th>
<th>Email</th>
<th>Age</th>
</tr>
<?php
// removed unnecessary loop as i'd assume the username will only be in the database once
$firstname= $user['firstname'];
$lastname= $user['lastname'];
$username= $user['username'];
$email= $user['email'];
$age= $user['age'];
?>
<tr>
<td><? echo $firstname ?></td>
<td><? echo $lastname ?></td>
<td><? echo $username ?></td>
<td><? echo $email ?></td>
<td><? echo $age ?></td>
</tr>
</table>
答
您的代码是不正确的
phpcs test.php
FILE: /tmp/test.php
--------------------------------------------------------------------------------
FOUND 4 ERROR(S) AND 1 WARNING(S) AFFECTING 4 LINE(S)
--------------------------------------------------------------------------------
2 | ERROR | Missing file doc comment
3 | ERROR | "include" is a statement, not a function; no parentheses are
| | required
3 | ERROR | File is being unconditionally included; use "require" instead
25 | ERROR | Short PHP opening tag used. Found "<?" Expected "<?php".
29 | WARNING | Inline control structures are discouraged
--------------------------------------------------------------------------------
答
$username=$_POST['username']; $email=$_POST['email'];
$query="SELECT * FROM members where username = '$username'";
搜索“sql注入”的计算器,也可能是“准备好的语句”。
<td><? echo $firstname ?></td>
同样的方式你的sql语句很容易sql注入这行可能是注入你的html代码的原因。改为使用<td><?php echo htmlspecialchars($firstname); ?></td>。
$email=$_POST['email'];
为什么是在那里?直到$email=mysql_result($result, $i, 'email');,您才再次使用$ email。我的猜测是您的原始查询针对用户名和电子邮件地址进行了测试?
$i = 0;
while ($i < $num) {
mysql_result($result, $i,
i++
...
数据库表中有多少个具有相同用户名的成员?超过一个?如果没有,为什么你使用while循环?
$firstname=mysql_result($result, $i, 'firstname');
$lastname=mysql_result($result, $i, 'lastname');
$username=mysql_result($result, $i, 'username');
$email=mysql_result($result, $i, 'email');
$age= mysql_result($result, $i, 'age');
,而不是5个呼叫mysql_result()一个呼叫mysql_fetch_array()就足够了。速度在这里可能不是问题,但它又增加了一点似乎对我来说不必要的复杂性,当您使用mysql_fetch_xyz()时,只有一个变量(数组或对象)担心而不是#列变量
+0
嗯..好吧。我懂了。我的错。我忘了编辑它。哈哈。不管怎样,谢谢!这是一个很大的帮助。 ;) – mayumi 2010-07-13 09:35:18
...我们应该寻找什么?你没有提供任何错误或问题。 – 2010-07-13 08:20:39
确保在将其插入到SQL语句中之前清理并转义$ username – 2010-07-13 08:30:26
http://catb.org/esr/faqs/smart-questions.html – 2010-07-13 08:47:09