0
首先,我知道我對SQL注入開放,這只是一個原型。但它仍然應該工作。簡單查詢未運行
對於我的生活,我無法弄清楚爲什麼我不能從我的陣列中拉出物品。我可能會做錯什麼?我一直在擺弄這個看起來很簡單的查詢太長時間,我似乎無法讓它取出數據。我覺得這是這麼簡單的東西....
$query = 'SELECT * FROM users WHERE email = "' . $email . '"';
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_assoc($result);
$ID = $row['ID'];
我沒有得到任何結果爲$ ID ....
這裏是我的全部代碼:
<html>
<head>
<?php
$email = $_GET["email"];
$servername="localhost";
$username="*****";
$password="*****";
$database="*****";
$conn= mysql_connect($servername,$username,$password)or die(mysql_error());
mysql_select_db("$database",$conn);
$query = 'SELECT email FROM users WHERE email = "' . $email . '"';
$result = mysql_query($query) or die(mysql_error());
//Checks if the email address exists in the system already
if (mysql_num_rows($result)) {
die("Duplicate email found!");
}
else {
//use current date/time combination times the number 11 times the ID to get a unique confirmation number.
$query = 'SELECT * FROM users WHERE email = "' . $email . '"';
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_assoc($result);
$ID = $row['ID'];
echo $row;
$date = date("mydhis");
$date2 = $date * 11 * $ID;
echo $ID . " <-> " . $date . " <-> <p>" . $date2;
$sql="insert into users (first,last,displayname,email,password,verification_email)values('$_GET[first]','$_GET[last]','$_GET[display]','$_GET[email]','$_GET[password]','$date2')";
$result=mysql_query($sql,$conn) or $string = mysql_error();
$confirmlink = "http://www.somewebsite.com/android/confirm.php?" . $date2;
$to = $_GET['email'];
$subject = "Thank you for Registering!";
$message = "Hello " . $_GET['display'] . " and thank you for registering with the Smeet app! To confirm your email address (and let us know you aren't a bot), please click the following link: " . $confirmlink;
$from = "[email protected]";
$headers = "From:" . $from;
mail($to,$subject,$message,$headers) or die('You have successfully registered however mail servers are currently down, you may or may not receive a confirmation email');
print "<h1>You have registered successfully</h1>";
print "You will receive an email shortly with instructions on how to confirm your email address.</a>";
}
?>
</body>
</html>
感謝任何幫助解決這個問題。
使用準備好的語句。不要使用串聯構建您的SQL語句。它讓你打開'SQL INJECTION'。 – christopher
是否可以像'?email = someone @ somewhere.com'一樣簡單,不在URL中?另外,處理這個問題的方式很糟糕。你打開注射攻擊。見克里斯的評論。切換到mysqli或PDO並使用準備好的語句 –
OP在使用POST而不是GET @KaiQing時可能會遇到更少的麻煩,可能會出現問題。 GET方法可能會玩一些令人討厭的技巧。 –