0

我有一个已经装满客户的数据库。我们正试图让他们设置在线访问。他们必须提供其会员 ID 才能设置其在线帐户。我已经建立了一个测试表单,允许输入 memberid 并且应该检查我们是否在数据库中找到它们。我已经把头发拉了出来,试图让它发挥作用。我也做了 CRUD,所以我知道我与 MSSQL 的连接是有效的。

这段代码有什么问题?

形式

<div class="container">
<div>Member ID: <input type="text" maxlength="10" name="uname" id="uname" /><span id="status"></span></div>
<div>Pass: <input type="password" maxlength="10" name="pwd" id="pwd" /></div>

</div>
<script type="text/javascript">
document.getElementById("uname").onblur = function() {
var xmlhttp;
var uname=document.getElementById("uname");
if (uname.value != "")
    {
        if (window.XMLHttpRequest){
              xmlhttp=new XMLHttpRequest();
            } else {
              xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
            }
        xmlhttp.onreadystatechange=function() {
                if (xmlhttp.readyState==4 && xmlhttp.status==200) {
                document.getElementById("status").innerHTML=xmlhttp.responseText;
                }
        };
    xmlhttp.open("GET","uname_availability.php?uname="+encodeURIComponent(uname.value),true);
    xmlhttp.send();
    }
};
</script>

这是 uname_availability.php

<?php
$uname=$_REQUEST['uname'];

$server = "serveraddress";
$user = "username";
$pwd = "password";
$db = "dbname";

$conn = sqlsrv_connect($server, array("UID"=>$user, "PWD"=>$pwd, "Database"=>$db));

if($conn === false){
    die(print_r(sqlsrv_errors()));
}

$sql = "SELECT * FROM tblMembership WHERE MemberID = ".$uname."";
$stmt3 = sqlsrv_query($conn, $sql);
$row_count = sqlsrv_num_rows($stmt3);
if ($row_count === false)
{
print "<span style=\"color:red;\">We Can Not Find You :(</span>";
}
else
{
print "<span style=\"color:green;\">We Found You :)  </span>";
}
?>
4

4 回答 4

0

您不需要在 SQL 语句中引用参数的值吗?

$sql = "SELECT * FROM tblMembership WHERE MemberID = ".$uname."";

然后会变成

$sql = "SELECT * FROM tblMembership WHERE MemberID = '".$uname."'";
于 2013-06-06T20:39:14.403 回答
0

你为什么不明确使用$_GET,

if(isset($_GET['uname']))
{
  $uname=$_GET['uname'];
}

然后像这样查询,

$sql = "SELECT * FROM tblMembership WHERE MemberID ='$uname'";
于 2013-06-07T04:53:02.980 回答
0

我最终得到了它......感谢所有的投入......我真的很感激这一切!

$sql = "SELECT MemberID FROM tblMembership WHERE MemberID = '".$memid."'";
$stmt = sqlsrv_query($conn, $sql);
$row = sqlsrv_fetch($stmt);
if (empty($row))
{
print "<span style=\"color:red;\">We Can Not Find You >:-(</span>";
}
else
{
print "<span style=\"color:green;\">We Found You :-)  </span>";
}
于 2013-06-07T03:39:40.687 回答
0

您的查询失败,因为您没有引用 $username 参数,导致 SQL 错误和无效,以及SQL 注入攻击漏洞:

$sql = "SELECT * FROM tblMembership WHERE MemberID = '".$uname."'";
                                                     ^--        ^--

没有引号,你正在做WHERE MemberID = fred,我非常怀疑你fred的会员表中有一个字段。

由于您的代码盲目地假定查询工作正常,因此您永远不会看到 SQL 服务器将提供的语法错误警告

于 2013-06-06T20:37:38.033 回答