找不到匹配,在使用 PHP 的 MySql 数据库中使用查询

标签: html5 MySQL PHP
发布时间: 2016/12/30 20:15:41
注意事项: 本文中文内容可能为机器翻译,如要查看英文原文请点击上面连接.

我有一个 MySql 数据库的以下列︰

enter image description here

和一个 HTML 表单就像这样︰

                           <form method="post" action="validate.php">
                               <label for="users_email">Email:</label>
                               <input type="text" id="users_email" name="users_email">
                               <label for="users_pass">Password:</label>
                               <input type="password" id="users_pass" name="users_pass">
                               <input type="submit" value="Submit"/>
                           </form>

这里是代码的 validate.php 页中片段︰

$email = $_POST['users_email'];
$pass = $_POST['users_pass'];

$dbhost = '************';
$dbuser = '************';
$dbpass = '************';
$conn = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $conn)
{
    die('Could not connect: '. mysql_error());
}

mysql_select_db("SafeDropbox", $conn);

$result = mysql_query("SELECT Email, UserPassword FROM tblnewusers WHERE Email = $email");

$row = mysql_fetch_array($result);

if($row['Email'] == $email && $row['UserPassword'] == $pass) {
    echo "Valid";   
}

elseif($row.count() == 0) {
    echo "No Match";
}

else {
    echo "Invalid";
 //header("Location: http://www.google.ie");
    //exit();
}

问题是我正在没有匹配,即使 $email 和 $pass 的值肯定是在我的数据库内。我到底做错了?

解决方法 1:

问题是︰

$result = mysql_query("SELECT Email, UserPassword FROM tblnewusers WHERE Email = $email");

$email 应逃脱和用引号引起来。最安全的办法是使用预准备的语句︰

$result = mysql_query("SELECT Email, UserPassword FROM tblnewusers WHERE Email = ?");
$con=new mysqli($dbhost, $dbuser, $dbpass, $yourDatabase);
$stmt = $mysqli->prepare($result);
$stmt->bind("s",$email);
$result=$stmt->execute();

有关更多详细信息请参见http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

官方微信
官方QQ群
31647020