首先要做的事情:切换到Prepared Statements。
它们是访问数据库的更安全和更先进的方式。
<?php
// Get values from form
$name = $_POST['name'];
$email = $_POST['email'];
$user_name = "user";
$password = "password";
$database = "dbname";
$server = "ahostsomewhere";
//Connect to your database using PDO (this only needs to be done once). $dbh is our connection
try {
$dbh = new PDO("mysql:host=$server;dbname=$database", $user_name, $password);
}
//Make sure there are no errors
catch(PDOException $e){
echo($e->getMessage());
}
//Query to check if the email already exists
//This prepares the statements and uses placeholders (designated with a ':' colon)
$stmt = $dbh->prepare("SELECT * FROM `contestant_drawing` WHERE `email`=:email")
//This then binds a string to the placeholder (note the string '$stmt' is constant here)
$stmt->bindParam(':email',$email);
//Finally we execute the query
$stmt->execute();
//Count the rows in the returned array to see if there are already matching values in the database
if($stmt->rowCount()!=0){
//Email already registered. Exit with a message
exit('Email already exists');
}
//Email OK, continue with your queries
//You can use the same string '$stmt' because we don't need the query from before anymore. If you had multiple queries running alongside one another then you could use different strings for $stmt ($stmt1, $stmt2, $foo, $bar etc) but we can keep it the same to keep things simple
$stmt = $dbh->prepare("INSERT INTO `contestant_drawing`
(`name`, `email`)
VALUES (:name, :email)");
$stmt->bindParam(':name',$name);
$stmt->bindParam(':email',$email);
$stmt->execute();
echo "To finalize your entry like our FaceBook Page, Good Luck!";
//Disconnect from the database ($dbh)
$dbh = NULL;
?>
我所做的是执行一个单独的查询,首先使用用户的电子邮件地址搜索表中已经存在的任何条目。只要没有找到任何东西,脚本就会继续。
希望这也让您深入了解如何执行准备好的语句。这些确保您的数据库不会被使用注入篡改,这对您来说很不利,并确保您可以专注于编写高效的脚本而不是清理用户输入。