0

以下代码的目的是从用户那里获取数据库中 customerID 的输入(来自单独的 HTML 文件),然后显示该 customerID 的订单号、订单日期和发货状态。代码工作正常,我能够做到这一点,但是如果输入了数据库中不存在的 customerID,而不仅仅是一个空表,我还想创建一条错误消息。我是 PHP 新手,对如何做到这一点的任何帮助表示赞赏。(请注意,它必须在 PHP 或 mysql 中)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Prac 2 Task 8</title>
</head>
<body>
<?php
$conn = mysql_connect("localhost", "<username>", "<password>");
mysql_select_db("warehouse<##>", $conn) 
or die ('Database not found ' . mysql_error() );
$input = $_GET["custID"];
$sql = "select orderNumber, orderDate, shipped from orders where customerID = $input 
order by orderDate"; 
$rs = mysql_query($sql, $conn)
or die ('Problem with query' . mysql_error());
?>
<?php 
if (orderNumber != "") { ?> 
<p>the following information was received from the user:</p>
<p><strong>customerID = </strong> <?php echo "$input"; ?><br/><br/>

<table border="1" summary="Order Details">
<tr>
<th>Order Number</th>
<th>Order Date</th>
<th>Shipped</th>
</tr>
<?php
while ($row = mysql_fetch_array($rs)) { ?>
<tr>
<td><?php echo $row["orderNumber"]?></td>
<td><?php echo $row["orderDate"]?></td>
<td><?php echo $row["shipped"]?></td>

</tr>
<?php }}
else {
$txt ="The CustomerID you entered was either invalid or does not exist"; 
echo $txt;?>
<?php }
mysql_close($conn); ?>
</table>
</body></html>
4

2 回答 2

0 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Prac 2 Task 8</title>
</head>
<body>
<?php
$conn = mysql_connect("localhost", "<username>", "<password>");
mysql_select_db("warehouse<##>", $conn) 
or die ('Database not found ' . mysql_error() );
$input = $_GET["custID"];
$sql = "select orderNumber, orderDate, shipped from orders where customerID = $input 
order by orderDate"; 
$rs = mysql_query($sql, $conn)
or die ('Problem with query' . mysql_error());
//validate result set here
if(mysql_num_rows($rs)>0)
{
?>
<?php 
if (orderNumber != "") { ?> 
<p>the following information was received from the user:</p>
<p><strong>customerID = </strong> <?php echo "$input"; ?><br/><br/>

<table border="1" summary="Order Details">
<tr>
<th>Order Number</th>
<th>Order Date</th>
<th>Shipped</th>
</tr>
<?php
while ($row = mysql_fetch_array($rs)) { ?>
<tr>
<td><?php echo $row["orderNumber"]?></td>
<td><?php echo $row["orderDate"]?></td>
<td><?php echo $row["shipped"]?></td>

</tr>
<?php }}
else {
$txt ="The CustomerID you entered was either invalid or does not exist"; 
echo $txt;?>
<?php }

}//endif
else{

//you error message here
}

mysql_close($conn); ?>
</table>
</body></html>
于 2013-05-15T04:05:46.977 回答
0

你有很多方法可以做到这一点,这是众多方法之一:

  1. 将您的代码封装到 try-catch 中,以便管理错误,这比使用“或死”的东西要好得多
  2. 验证 GET 和 POST 变量的有效性,以避免 SQL 注入以确保安全
  3. 您可以在主查询之前使用“select count(*) ...”,或者只计算主查询的结果数量(我放在那里的)

这给出了大约:

<body>
<?php
$conn = mysql_connect("localhost", "<username>", "<password>");
mysql_select_db("warehouse<##>", $conn) 
or die ('Database not found ' . mysql_error() );

try 
{
  $input = $_GET["custID"];
  // Protect yourself from SQL injection
  if (!is_numeric($input))
    throw new Exception('Error: the customer ID is not a number');

  $sql = "select orderNumber, orderDate, shipped from orders where customerID = $input 
  order by orderDate"; 
  $rs = mysql_query($sql, $conn)
    or die ('Problem with query' . mysql_error());
  ?>
  <?php 
  if ( mysql_num_rows($rs) > 0 )
  { ?> 
  <p>the following information was received from the user:</p>
  <p><strong>customerID = </strong> <?php echo "$input"; ?><br/><br/>

  <table border="1" summary="Order Details">
  <tr>
  <th>Order Number</th>
  <th>Order Date</th>
  <th>Shipped</th>
  </tr>
  <?php
  while ($row = mysql_fetch_array($rs)) { ?>
  <tr>
  <td><?php echo $row["orderNumber"]?></td>
  <td><?php echo $row["orderDate"]?></td>
  <td><?php echo $row["shipped"]?></td>

  </tr>
  <?php }
    else
    {
      echo "There is no results for this customer";
    }
  }
  else {
  $txt ="The CustomerID you entered was either invalid or does not exist"; 
  echo $txt;?>
  <?php }
}
catch (Exception $e)
{
  echo "Error: ".$e;
}
mysql_close($conn); ?>
</table>
</body>
于 2013-05-15T05:14:00.280 回答