php哪里查询不起作用
我是PHP的新手,我的要求是检查数据库中的用户电子邮件ID,如果存在,请导航到下一页.但是通过SQL查询不能在PHP中工作,并且在SQL数据库中工作.
我的数据库结构:
我的HTML代码:index.html
<!DOCTYPE html>
<html>
<body>
<form action="checkform.php" method="post">
E-mail: <input type="email" name="email" autocomplete="off"><br>
<input type="submit">
</form>
</body>
</html>
PHP:checkform.php
<?php
try
{
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);
$emailid = $_POST['email'];
echo $emailid;
$sql = "SELECT Name from table WHERE email=" . $_POST['email'];
$result = mysql_query($sql);
echo $result;
if(!$result) { echo "<p class='error'>Error: No such email address</p>"; }
// note that the if is asking if there is no result
else {
while ($row = mysql_fetch_assoc($result)) {
echo "<p class='success'>Welcome " . $row['Name'] . "!!</p>";
}
} // end
//mysql_query(" // suggest here to validate against emails in db");
mysql_close($connection);
echo "SUCCESS";
}
catch(Exception $e)
{
echo $e->getMessage();
// Note: Log the error or something
}
?>
我的page2.html
<!DOCTYPE html>
<html>
<body>
<h1> Welcome to Page 2</h1>
</body>
</html>
但是当运行index.html页面时,面临错误:(最终没有执行mysql查询),但是运行sql查询是成功的
Error: No such email address
SUCCESS
PHP查询(失败)
$sql = "SELECT `Name` FROM `table` WHERE email=\'jxxx@gmail.com\'";
SQL查询(成功)
SELECT `Name` FROM `table` WHERE email='jxxx@gmail.com'
为什么它无法运行查询?
按照约翰的要求:
使用引号
WHERE email= '".$emailid."'
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid);
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
和这个结合 $emailid = $_POST['email'];
代替
WHERE email=" . $_POST['email']
这将导致错误,并在使用该方法时对SQL注入开放.
您现在的代码对SQL注入是开放的.mysqli与准备好的陈述一起使用,或PDO与准备好的陈述一起使用,它们更安全.
边注:
如果确实调用了您的表名table,请将其包装在反引号中(只是一个洞察力).
$sql = "SELECT Name from `table`...
- 这是一个保留的关键字
将错误报告添加到文件的顶部.
error_reporting(E_ALL);
ini_set('display_errors', 1);
并or die(mysql_error())以mysql_query()
编辑:重写
<?php
try
{
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid);
echo $emailid;
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
$result = mysql_query($sql);
echo $result;
if(!$result) { echo "<p class='error'>Error: No such email address</p>"; }
// note that the if is asking if there is no result
else {
while ($row = mysql_fetch_assoc($result)) {
echo "<p class='success'>Welcome " . $row['Name'] . "!!</p>";
}
} // end
//mysql_query(" // suggest here to validate against emails in db");
mysql_close($connection);
echo "SUCCESS";
}
catch(Exception $e)
{
echo $e->getMessage();
// Note: Log the error or something
}
?>
编辑#2(帮忙)
<?php
$connection = mysql_connect("localhost:3306","root","");
mysql_select_db("mobileblog", $connection);
$emailid = stripslashes($_POST['email']);
$emailid = mysql_real_escape_string($emailid);
$sql = "SELECT `Name` from `table` WHERE `email`= '".$emailid."'";
$result = mysql_query($sql);
// if($result) {
if(mysql_num_rows($result) > 0){
header("Location: page2.php");
exit;
}
else {
echo "<p class='error'>Error: No such email address</p>";
} // brace for else
mysql_close($connection);
?>