1

我正在尝试将用户名/密码发布到 PHP 文件中,以便我可以使用这些详细信息从用户inner join中获取uid -(用户 id) 。我在命令的子句中用作payid表的标识符。它不工作。有人可以告诉我哪里出错了吗?WHEREINSERT

if(isset($_POST['password']) && isset($_POST['username']) && isset($_POST['rates'])) {              
         $con = mysql_connect("localhost","root","");
         if (!$con) {
            die ("Could not connect: " . mysql_error());
            } else{
            mysql_select_db("council", $con); 
            $result = mysql_query('SELECT pid FROM payid INNER JOIN user ON user.uid = payid.uid WHERE user.username = " $_POST[username]" AND user.password =" $_POST[password] "');
            $pid = $result['pid'];
            if(isset($pid))
                $result = mysql_query("INSERT INTO fees (rates, pid) VALUES ('$rates',  '$pid')");
                if(!$row = mysql_fetch_array($result)) {    
                echo "<div id='t'>Invalid details please try again - use back arrow to return to form. </div>";
                                header ("Location: domRates.html");
                                }   
            if($row = mysql_fetch_array($result)) {
            header ("Location: services.html");
            }
        }
mysql_close($con);
4

3 回答 3

0 
$username = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
$query = "SELECT `pid` FROM `payid` INNER JOIN `user` ON `user`.`uid` = `payid`.`uid` WHERE `user`.`username` = '".$username."' AND `user`.`password` = '".$pass."'";
    $result = mysql_query($query);

将列名包含在反引号中是个好主意。将 PHP 变量放入查询时,打开单引号,然后用双引号连接。

于 2013-06-07T17:41:08.610 回答
0

I think your query statement is bad written.

try this:

$result =  mysql_query('SELECT pid FROM payid INNER JOIN user ON user.uid = payid.uid WHERE user.username = \'$_POST["username"]\' AND user.password =\'$_POST["password"]\'');

OR this:

$result =  mysql_query("SELECT pid FROM payid INNER JOIN user ON user.uid = payid.uid WHERE user.username = '". $_POST["username"]. "' AND user.password ='" . $_POST["password"]. "'");

Also your second query (INSERT) has to be modified by removing single quotes. Because fields "rates" and "pid" are not varchar or text. They should be number (int or double): 

$result = mysql_query("INSERT INTO fees (rates, pid) VALUES ($rates,  $pid)");

Eventhough those two queries work, they are vulnerable for SQL injection. Also mysql_ is deprecated.

于 2013-06-07T17:36:22.840 回答
0

因为这个问题可能与你有一些相关性,所以事情是如何工作的 - 正如我所说的,其他人发现我的问题主要是因为 _post 信息没有被传输到 $_post 变量,编码没有错误所以我把它改成了 $_REQUEST 和嘿 presto - 工作 - simplze :-)

<?php 
$username = sanitizeMySQL($_REQUEST['username']);
$pass = sanitizeMySQL($_REQUEST['password']);
$rates = sanitizeMySQL($_REQUEST['rates']);

function sanitizeString($var){
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}

function sanitizeMySQL($var) {
    $var =  mysql_real_escape_string($var);
    $var = sanitizeString($var);
    return $var;
}

$con = mysql_connect("localhost","root","");
         if (!$con) {
            die ("Could not connect: " . mysql_error());
            } else{

mysql_select_db("council", $con); 

$query = "SELECT * FROM `payid` INNER JOIN `user` ON `user`.`uid` = `payid`.`uid` WHERE `user`.`username` = '". $username . "' AND `user`.`password` = '" . $pass ."'";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result) or die(mysql_error());
$pid =  $row['pid'];
if (isset($result)) {
    $result = mysql_query("INSERT INTO `fees` (rates, pid) VALUES    ($rates,  $pid)");
header ("Location: acc.html");

    }
于 2013-06-11T13:21:02.003 回答