-3

无论如何,我无法弄清楚我的代码中出现此错误的原因:

mysql_fetch_assoc():提供的参数不是有效的 MySQL 结果资源

这是我的PHP代码:

<?php

$session_id = $_SESSION['id'];

$getall = mysql_query("SELECT * FROM users WHERE id='' . $dbuser_id . ''");
$row = mysql_fetch_assoc($getall);

$fullnameDB         = $row['name'];
$emailDB            = $row['email'];
$usernameDB         = $row['username'];

$fullname           = strip_tags($_POST['fullname']);
$username           = strip_tags($_POST['username']);
$email              = strip_tags($_POST['email']);


if ($_POST['submit']) {

    $namecheck = mysql_query("SELECT username FROM users WHERE username='' . $username . ''");

    $count = mysql_num_rows($namecheck);

    if ($count !=0) {

        echo 'That username is already taken!';

    } else {

        mysql_query("UPDATE users SET username=' . $username . ' WHERE id='' . $dbuser_id . ''");

        echo 'Your UN has been updated';

    }

}                        

?>
4

3 回答 3

4 
"SELECT username FROM users WHERE username='" . $username . "'"

不是

"SELECT username FROM users WHERE username='' . $username . ''"

但考虑使用 mysqli 或 pdo 切换到参数化语句

于 2012-08-25T00:26:04.693 回答
1

这是您的代码的改进版本:

<?php

$session_id = $_SESSION['id'];

$getall = mysql_query("SELECT * FROM users WHERE id='" . $dbuser_id . "'");
$row = mysql_fetch_assoc($getall);

$fullnameDB         = $row['name'];
$emailDB            = $row['email'];
$usernameDB         = $row['username'];

$fullname           = mysql_real_escape_string($_POST['fullname']);
$username           = mysql_real_escape_string($_POST['username']);
$email              = mysql_real_escape_string($_POST['email']);


if ($_POST['submit']) {

    $namecheck = mysql_query("SELECT username FROM users WHERE username='" . $username . "'");

    $count = mysql_num_rows($namecheck);

    if ($count !=0) {

        echo 'That username is already taken!';

    } else {

        mysql_query("UPDATE users SET username='" . $username . "' WHERE id='" . $dbuser_id . "'");

        echo 'Your UN has been updated';

    }

}                        

?>

你做错了什么,在你的查询中,你用双引号(“)开始它,但你试图在中途结束它,用单引号(')连接你的用户名,所以它不起作用。我还帮助清理了你的输入,以使其不易受到 SQL 注入的攻击(如果不安全)。

编辑:正如其他用户所提到的,认真考虑切换到准备好的语句。

于 2012-08-25T00:27:09.340 回答
0

您的代码中有错误,并且容易受到SQL 注入攻击

使用此代码:

<?php
try {
    $session_id = session_id();
    $conn = mysqli_connect('localhost', 'any_user_other_than_root', 'secure_password', 'database');
    if(!$conn) throw new Exception('Could not connect to the database.');
    $dbuser_id = mysqli_real_escape_string($dbuser_id);
    $query = "SELECT * FROM users WHERE id='$dbuser_id'";
    $getall = mysqli_query($conn, $query);
    if(!$getall) throw new Exception('Database query failed!');
    $row = mysqli_fetch_assoc($getall);
    $fullname_db = $row['name'];
    $email_db = $row['email'];
    $username_db = $row['username'];
    $fullname = mysqli_real_escape_string($_POST['fullname']);
    $username = mysqli_real_escape_string($_POST['username']);
    $email = mysqli_real_escape_string($_POST['email']);
    if(isset($_POST['submit'])) {
        $namecheck = mysqli_query($conn, "SELECT username FROM users WHERE username='$username'");
        if(!$namecheck) throw new Exception('Name check failed!');
        $count = mysqli_num_rows($namecheck);
        if($count > 0) {
            echo 'That username is already taken!';
        } else {
            $result = mysqli_query($conn, "UPDATE users SET username='$username' WHERE id='$dbuser_id'");
            if(!$result) throw new Exception('Could not update your UN.');
            echo 'Your UN has been updated';
        }
    }
} catch(Exception $e) {
    echo 'Error: ' . $e->getMessage();
}
?>
于 2012-08-25T00:43:45.750 回答