PDO查詢是否有重複的用戶名在提交

Question

錯誤：解析錯誤：語法錯誤，意想不到的T_ENCAPSED_AND_WHITESPACE，期待T_STRING或T_VARIABLE或T_NUM_STRING線路7

嘗試使用PDO，使這個連接，形成查詢如果按下提交後輸入字段，則檢查用戶名是否存在。

HTML：

<form action="inc/check_regUsr.php" method="post" id="userLogon"> 
    <div class="field required"> 
     Username: <input type="text" name="regduser" tabindex="1" /><br /> 
     </div> 
     <div class="field required"> 
     Password: <input type="password" name="regdpass" tabindex="2" /><br /> 
     </div> 
     <input type="submit" name="submitUser" /> 
</form> 

PHP

<?php 
#Login Details 
require_once('dbcred.php'); 
$conn = new PDO("mysql:host=$host;dbname=$db", $user, $pass); 

#Check for Existing User 
$q = $conn->query("SELECT uname FROM Student WHERE $_POST['regduser'] = uname"); 
$stmt = $conn->prepare($q); 
$r->execute($q); 
if($q($r)>= 1){ #if there are 1 or more users with enter username, deny. 
echo "Sorry, username already exists"; 
} 
else{ 
echo "Success"; 
} 

?> 

Answer 1

附上您的複雜變量{}雙引號字符串中：

$q = $conn->query("SELECT uname FROM Student WHERE {$_POST['regduser']} = uname"); 
// -----------------------------------------------^^^^^^^^^^^^^^^^^^^^^ 

它看起來像你的SQ L WHERE子句雖然落後，但缺少引號。應該

WHERE uname = '{$_POST['regduser']}' 

你有另外一個問題，你在哪裏先調用$conn->query()，然後試圖創建一個準備好的聲明。

致電query()是不必要的，實際上是危險的。相反，創建一個適當的準備語句?佔位符：

$stmt = $conn->prepare("SELECT uname FROM Student WHERE uname = ?"); 
$stmt->bindParam(1, $_POST['regduser'], PDO::PARAM_STR);  
$stmt->execute(); 

Answer 2

既然你已經使用PDO，你還不如趁參數功能，它提供了對SQL注入攻擊極大的保障。

$conn = new PDO("mysql:host=$host;dbname=$db", $user, $pass); 

$stmt = $conn->prepare("SELECT uname FROM Student WHERE ? = uname"); 
$params = array($_POST['regduser']); 
$stmt->execute($params); 
if ($stmt->rowCount() > 0) { 

echo "Sorry, username already exists"; 
} 
else{ 
echo "Success"; 
}