php - SQL 和 PHP 需要让查询正常工作

Question

   <?php
// Inialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username'])) {
header('Location: index.php');
}
$online = rand(12,200);
if($_GET['pass'] == "changethis"){
?>
<font color="00c000">
<html>
<head>
<title>Premium Girls ~ Logged in</title>
</head>
<body>

<p align="right">Online Users:<?php echo "$online"; ?></p><br>

<body bgcolor="#004000">
<center><img src="/logo.gif"></img>

<p>Welcome to the Admin Panel, <?php echo $_SESSION['username']; ?>.

<br>
<form method="post" action="newuser.php"><br>
<center>Create a new user:<br></center>
Username:<input type="text" name="username"><br>
Password:<input type="password" name="password"><br>
<input type=submit value="Create new user">
</form>
<br><br>
<div id=footer align=center>Please note we are currently under setup.</div>
</body>
</html></font>

<?php
}else{
?>
<font color="00c000">
<html>
<head>
<title>Premium Girls ~ Payment Processor</title>
</head>
<body>

<p align="right">Online Users:<?php echo "$online"; ?></p><br>

<body bgcolor="#004000">
<center><img src="/logo.gif"></img>

<p>Welcome to the Logged in screen, <?php echo $_SESSION['username']; ?>. Below you will see all the payments linked to your model name.</p>

<?php

$con = mysql_connect("localhost","devacc_yourmum","changeme123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("devacc_models", $con);

$uid = $_SESSION['username'];
$result = mysql_query("SELECT * FROM payments WHERE model = {$_SESSION['username']}");

echo "<table border='1'>
<tr>
<th>Name</th>
<th>Payment ID</th>
<th>Address</th>
<th>Nickname</th>
<th>Email</th>
<th>Skype</th>
<th>CardType</th>
<th>Model Name</th>
<th>Country</th>
</tr>";

while($row = mysql_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['Name'] . "</td>";
  echo "<td>" . $row['Payment ID'] . "</td>";
  echo "<td>" . $row['Address'] . "</td>";
  echo "<td>" . $row['Nickname'] . "</td>";
  echo "<td>" . $row['Email'] . "</td>";
  echo "<td>" . $row['Skype'] . "</td>";
  echo "<td>" . $row['cardtype'] . "</td>";
  echo "<td>" . $row['model'] . "</td>";
  echo "<td>" . $row['country'] . "</td>";
  echo "</tr>";
  }
echo "</table>";

mysql_close($con);
?>

<br><br><br><br><br><br>
<div id=footer align=center>Please note we are currently under setup.</div>
</body>
</html></font>


<?php
}
?>

以上是我的代码，不幸的是给了我一个错误。它应该使用模型用户名从数据库中的支付表中提取所有信息，所以如果我使用用户名“Bradandrews4”登录并且有人从我这里购买了一个节目，那SELECT * FROM payments WHERE model = bradandrews4将是 bradandrews4 因为那是我登录时使用的用户名。要输出我的用户名，我可以使用 $uid 或 $_SESSION['username'] 但是我不确定如何将其放入查询中，然后将其放入表中。任何帮助将非常感激 ：）

-布拉德

Answer 1

将您的查询替换为：

mysql_query("SELECT * FROM payments WHERE model = '" . mysql_real_escape_string($_SESSION['username']) . "'");

Answer 2

只需将''周围的输入..？

SELECT * FROM payments WHERE model = '{$_SESSION['username']}'

将值分配给另一个变量会更容易

$un = mysql_real_escape_string($_SESSION['username']); SELECT * FROM payments WHERE model = '$un'

Answer 3

写吧

$result = mysql_query("SELECT * FROM payments WHERE model ='".$uid."'");

Answer 4

您可以只使用此查询，因为它更容易记住。

mysql_query("SELECT * FROM payments WHERE model = '{$_SESSION['user']}'");

Answer 5

在您的价值观周围使用引号，例如在 snaderss 的答案中。

您的会话验证中存在安全漏洞。

if (!isset($_SESSION['username'])) {
    header('Location: index.php');
}

如果某人的浏览器忽略了位置标头，则用户将看到您的优质内容。如果有人通过 curl() 或类似的东西访问您的网站，则相同。

始终使用 exit(); 或者死（）; 重定向后。

固定代码：

if (!isset($_SESSION['username'])) {
    header('Location: index.php');
    exit();
}

现在脚本在重定向失败时停止

Answer 6

    $sql = "SELECT * FROM cards WHERE model = '".$uid."' "; 
$result = mysql_query($sql); 

谢谢大家，上面我发布了我为了让它工作而改变的2行......我相信你们所有的帖子也会解决这个问题，但我最终自己修复了它...... :)

-布拉德