0

我有以下问题。当我尝试通过 HTML 表单更新用户名值时。这是我的 HTML 表单:

<form action="namechanging.php" method="post">

<br>
  <fieldset>
    <span class="ico user-ico"></span>
     <input name="ingamename" type="text" class="field" value="Example: John_Doe" title="Example: John_Doe" />
   </fieldset>
   <center><input name="submit" type="submit" class="submit btn blue-btn" value="Change Name" /></center>
</form>

这是我的名称更改.php 文件:

<?php 
  session_start();
  $_SESSION['ingamename'] = $_POST['ingamename']; 
  $newingamename = $_SESSION['ingamename'];
  $nc = $_SESSION['nc'];
  if($nc < 1){
    $updateresult = '<strong>Error:</strong> You do not have any name changes left. Donate for more...'; 
    header("Location: ucp-home-error.php");
  }
  else {
    $con=mysqli_connect("localhost","USERNAME","PASS","DB-NAME");
    if (mysqli_connect_errno())
    {
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    $newnc = $nc - 1;

    mysqli_query($con,"UPDATE users SET Username=$newingamename WHERE Username='$_SESSION[user]' ");
    mysqli_query($con,"UPDATE users SET NameChanges=$newnc
         WHERE Username='$_SESSION[user]'");
    $updateresult = 'Your In-Game Name was changed successfully. Please re-log!';
    header("Location: ucp-home-success.php");
  }
  mysqli_close($con);
  $_SESSION['updateresult'] = $updateresult;?>

它可以从 $nc 中删除 -1,但不会更改用户名。您还应该知道用户名保存在会话中,这就是我登录身份验证页面时使用的用户名。这是我的 auth.php 文件:

<?php
include("sql.php");
session_start();

function Destroy() {
  unset($_SESSION['UID']);
  unset($_SESSION['USERNAME']);
  unset($_SESSION['FULL NAME']);
  header("location: account-log-in-restricted.php");
}

if(isset($_SESSION['UID']) && isset($_SESSION['USERNAME'])) {
  $UID = $_SESSION['UID'];
  $username = $_SESSION['USERNAME'];
  $qry = mysql_query("SELECT * FROM `users` WHERE `UID` = '$UID' AND `Username` = '$username'");
  if(mysql_num_rows($qry) != 1) { Destroy(); }
} else { Destroy(); }
?>
4

1 回答 1

1

这可能令人窒息:

mysqli_query($con,"UPDATE users WHERE Username='$_SESSION[user]' SET Username=$newingamename");
                                                1 ^^^^^^^^^^^^^               2 ^^^^^^^^^^^^

在 (1) 中,这相当于说$_SESSION[user]你想要什么$_SESSION['user'](用引号括起来user)。

在 (2) 中,您需要在 $newingamename 周围加上单引号。

注意:其余部分是根据原始答案编辑的,以 (a) 整合 PHP 和 MySQL 修复,以及 (b) 使用mysqli参数绑定进行重铸以确保代码安全。

此外,MySQL 查询是错误的:SETWHERE.

把这一切放在一起,并使用mysqli代码(和职业)安全性的绑定参数,你会得到:

$stmt = mysqli_prepare($con, 'UPDATE users SET username=? WHERE username = ?');
mysqli_stmt_bind_param($stmt, 'ss', $newingamename, $_SESSION['user']);
mysqli_stmt_execute($stmt);

对另一个进行类似的更改UPDATE

于 2013-04-30T17:47:52.917 回答