0 
<?php

include ("account.php") ;

( $dbh = mysql_connect ( $hostname, $username, $password ) )
        or    die ( "Unable to connect to MySQL database" );
print "Connected to MySQL<br>";

mysql_select_db($project);

$number =   NULL ;
$username   =   $_POST["username"];
$priority   =   $_POST["priority"];
$category = $_POST["category"];
$incident_description = $_POST["incident_description"];


$sql  =   "insert into incident values ( NULL,       '$username','$priority','$category','$incident_description',curdate(),curtime() )" ;

mysql_query ( $sql )    or   print ( mysql_error ( ) );

$credentials = "select * from Credentials where ("username" = '$username' ,"password" =  '$password' , "email_address" = 'email_address')" ;

print $credentials;

$result = mysql_query ($credentials) or print (mysql_error ( ) );

$howManyRows = mysql_num_rows ( $result);

//if $howManyRows is positive continue process to update database with sql,if not,die.
?>

另一个文件上的表单有一个 html 代码,因此是 $_POST,但我认为没有必要在这里显示它,因为我需要在这个 php 文件上使用正确的语法。

对于如何将 html 表单中的值与数据库中的表中的值进行比较的部分,$credentials我需要帮助?我需要这样做以授权这些值进行该过程。我得到的语法目前不正确,因为它没有正确执行。我只是不知道如何比较两者。整个过程一直有效。(username,password,email_address)"Credentials"mysql_query ( $sql ) or print ( mysql_error ( ) )

建议会很好。我为这个长问题道歉!

PS:Credentials 表的列username,password,email_address也是如此!

4

4 回答 4

0

我不知道,但你不应该使用以下...

$sql = "INSERT INTO incident (fieldname, fieldname) VALUES ('".mysql_real_escape($_POST['fieldname'])."', '".mysql_real_escape($_POST['fieldname'])."')";

向mysql中插入任何东西?

于 2012-09-20T05:31:07.883 回答
0

尝试

$password = mysql_real_escape($_POST['password']); //避免 SQL 指令
$username = mysql_real_escape($_POST['username']);

$credentials = "select * from Credentials where username= '$username' AND password= '$password' AND email_address= 'email_address'" ;

于 2012-09-20T05:35:25.733 回答
0

问题就在这里

$credentials = "select * from Credentials where ("username" = '$username' ,"password" =  '$password' , "email_address" = 'email_address')" ;

改成

$credentials = "select * from Credentials where `username` = '$username' and `password` =  '$password' and  `email_address` = 'email_address'" ;

问题出在查询中,当您要检查使用ANDinWHERE子句的多个值时。

于 2012-09-20T05:26:43.400 回答
0

您可以使用您的凭据查询,如下所示

$credentials = "select * from Credentials where username = '$username' AND password = '$password' AND email_address = 'email_address'" ;

但是为了获得更好的性能并防止您的代码进行 mysql 注入,您必须执行以下操作

1) 使用 mysqli 代替 mysql 函数。这是 mysqli 作为包装器的好库 https://github.com/nWidart/PHP-MySQLi-Database-Class

2)始终将您的数据库连接字符串保存在单独的文件和安全的地方。然后,将您的连接文件包含到您的要求项目文件中。

3) 在直接用于查询之前,请始终验证变量的值并使用 mysql_real_escape。

于 2012-09-20T05:45:16.793 回答