1

我无法从这个 mysql 查询中获取我想要的结果。我认为问题在于这行代码:

$group="SELECT * from mybb_users where usergroup AND additionalgroups = '$usergroup'";

因为我注意到数据库中的附加组列有多个值,用逗号(,)分隔,而用户组只有一个值。这是一个屏幕截图:

这是一张图片:http: //i.imgur.com/UTbmX.jpg

如果我从代码中删除附加组列并仅检查用户组列,则整个代码将完美运行,但这不是我想要的:(以下是整个代码:

// Connect to server and select databse.
mysql_connect("$db_host", "$db_user", "$db_pass")or die("cannot connect to mysql"); 
mysql_select_db("$db_name")or die("cannot select DB");

$id=$_GET['lid'];     // Get lid from URL
$usergroup =$_GET['game'];       // Get the usergroup/game from the URL

// Check to see if the user is a VIP Member and fetch them.
$group="SELECT * from mybb_users where usergroup AND additionalgroups = '$usergroup'";
$group2=mysql_query($group) or die("Could not get users");
while($raw=mysql_fetch_array($group2))
{
// Fetch all UserIDs of the VIP members and match them with the UfID (in the userfields table)
$userid = $raw['uid'];
$group3="SELECT * from mybb_userfields where ufid = '$userid'";
$group4=mysql_query($group3) or die("Could not match userid");
while($raw=mysql_fetch_array($group4))
{
// assigns a lid from the vip members to the variable $lid
$lid = $raw['fid7'];
// Display the hash of the lid if it matches with the lid from the URL
if($lid == '')
{

}
elseif($lid == $id)
{
echo "[key]{$lid};";
}
else
{
}
}

}
4

2 回答 2

4

检查方法是使用 FIND_IN_SET 函数。

SELECT * from mybb_users where usergroup AND FIND_IN_SET('$usergroup', additionalgroups) != 0
于 2011-08-14T22:36:35.093 回答
1

我不确定where usergroup AND ...- 是usergroup数据库字段吗?无论如何,你可以做到这一点

$group="SELECT * from mybb_users where usergroup AND FIND_IN_SET('$usergroup', additionalgroups) != 0;

但这还不够。AFAICS 你很容易受到 SQL 注入的攻击。请mysql_real_escape()在正确的地方使用,即在您将带有用户输入的变量放入 SQL 查询的任何地方。

于 2011-08-14T22:37:47.330 回答