1. 首頁
  2. 問答
  3. 得到計數,如果在數據庫中發現數據與PHP代碼

得到計數,如果在數據庫中發現數據與PHP代碼

2016-02-13 21 views
-3

我想獲得計數,如果在數據庫中找到我想呼應該計數。 我需要在下面的代碼中做些什麼改變才能工作。得到計數,如果在數據庫中發現數據與PHP代碼

enter code here 

$servername = "localhost"; 
$username = "root"; 
$password = ""; 
$dbname = "email"; 

$con=mysqli_connect($servername,$username,$password, $dbname); 
// Check connection 
if (mysqli_connect_errno()) 
    { 
    echo "Failed to connect to MySQL: " . mysqli_connect_error(); 
    } 

$sql="SELECT 'Trading' FROM 'trading1' WHERE Trading = ('$_POST[kiran]')"; 

if ($result=mysqli_query($con,$sql)) 
    { 
    // Return the number of rows in result set 
    $rowcount=mysqli_num_rows($result); 
    printf("Result set has %d rows.\n",$rowcount); 
    // Free result set 
    mysqli_free_result($result); 
    } 

mysqli_close($con);"

來源

2016-02-13 Kiran Chandekar

+3

你的代碼有什麼問題?它現在輸出什麼?有錯誤嗎? –

+1

另外 - 永遠,永遠,**永遠**,*永遠*,把用戶輸入('$ _POST [kiran]')直接放入一個查詢,不消毒!永遠不要相信用戶輸入 –

+0

由於單引號'''導致語法錯誤,您的查詢可能失敗。或者使用反引號''''''''sql =「SELECT \'Trading \'FROM \'trading1 \'WHERE Trading ='$ _POST [kiran]'」;'而@cale_b提到,全面開放的SQL注入 - 閱讀http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Sean

回答

0

這裏有幾件事情是錯誤的。雖然只有語法錯誤,這裏有一個「在腳本的末尾,有很多潛在的問題。

mysqli_real_escape_string($connectparam, $badstring);

通過使用上面的你是確保查詢字符串是不能被注入。Look here to learn about sql injection

其他問題可能駐留在查詢本身,我把它改成

SELECT * FROM `trading1` WHERE `Trading` = $kiran 


SELECT 'Trading' FROM 'trading1' WHERE Trading = ('$_POST[kiran]')

試試這個。

$servername = "localhost"; 
$username = "root"; 
$password = ""; 
$dbname = "email"; 

$con=mysqli_connect($servername,$username,$password, $dbname); 
// Check connection 
if (mysqli_connect_errno()) 
    { 
    echo "Failed to connect to MySQL: " . mysqli_connect_error(); 
    } 
//To prevent sql injection 
$kiran = mysqli_real_escape_string($con, $_POST[kiran]); 
$sql="SELECT * FROM `trading1` WHERE `Trading` = $kiran"; 

if ($result=mysqli_query($con,$sql)) 
    { 
    // Return the number of rows in result set 
    $rowcount=mysqli_num_rows($result); 
    printf("Result set has %d rows.\n",$rowcount); 
    // Free result set 
    mysqli_free_result($result); 
    } 

mysqli_close($con);

來源

2016-02-13 03:16:03 spencdev

+0

感謝您在添加&運行整個PHP之後獲得的信息下面的代碼>>>> - 使用未定義的常量kiran - 假定'kiran'如何避免此消息 –

+0

$ _POST ['kiran']是否被設置?嘗試添加echo $ _POST ['kiran']; – spencdev

相關問題

 相關問題