檢查標準下是否存在行（PDO，準備???）

Question

下面的代碼表示我試圖嘗試並找出行中是否存在符合條件的條件。它默認爲else語句，正確，但如果if語句似乎爲真（沒有電子郵件爲ashfjks@sdhja.com），則不會與'if'語句一起使用，而是代碼繼續。該代碼的後半部分主要是爲了擴展情況。該行只能存在或不存在，所以我不明白爲什麼它不嚴格執行其中一個。我正在轉換爲PDO進行網站安全，這就是爲什麼不是所有的都在PDO中。如果這個問題太侷限了，我很抱歉？

$stmt = $pdo->prepare("SELECT * FROM table WHERE email = ?"); 
$stmt->execute(array("$email")); 
$row3 = $stmt->fetch(PDO::FETCH_ASSOC); 

while($row = $stmt->fetch()) { 

    if (! $row3) { 
    // Row3 doesn't exist -- this means no one in the database has this email, allow the person to join 
    $query = "INSERT INTO table (username, email, password, join_date) VALUES ('$username', '$email', SHA('$password1'), NOW())"; 
    mysqli_query($dbc, $query); 
    $query = "SELECT * FROM table WHERE username = '$username'"; 
    $data2 = mysqli_query($dbc, $query); 
    while ($row = mysqli_fetch_array($data2)) { 

    $recipent = '' . $row['user_id'] . ''; 

    $query = "INSERT INTO messages (recipent, MsgTit, MsgR, MsgA, sender, time, readb, reada, MsgCon) VALUES ('$recipent', '$MsgTit', '$MsgR', '$MsgA', '$sender', NOW(), '$readb', '$reada', '$MsgCon')"; 
    mysqli_query($dbc, $query); 

    // Aftermath. 
    echo '<p>Your new account has been successfully created. You\'re now ready to <a href="game2.php" target="_blank">log in</a>. After this you should implement basic character-details on your users profile to begin the game.</p>'; 

    mysqli_close($dbc); 
    exit(); 
    } } 
    else { 
    // An account already exists for this email, so display an error message 
    echo '<p class="error">An account already exists for this e-mail.</p>'; 
    $email = ""; 
    } 
} 

Answer 1

+1從@Geoff_Montee回答，但這裏有幾個技巧：

• 請務必檢查錯誤每次準備後（）或執行（）。報告錯誤（但不要將您的SQL暴露給用戶），並優雅地失敗。

• 請注意，即使您檢查了是否存在與$ email匹配的行，也可以在檢查後和INSERT之前的短暫時間內創建此行。這是一個race condition。即使您選擇與$ email匹配的行，也應該在數據庫中使用UNIQUE約束，並且在UNIQUE約束因衝突而阻止插入時執行INSERT時捕獲錯誤。

• SELECT email而不是SELECT *。如果您有電子郵件索引，則查詢運行效率更高，因爲它只能檢查給定值的索引，而不必在不需要時讀取表中的所有列。此優化稱爲僅索引查詢。

• 同樣使用SELECT user_id而不是SELECT *。僅當您確實需要獲取所有列時才使用SELECT *。

• Bcrypt is more secure than SHA for hashing passwords.

Answer 2

你if語句將永遠不會被執行。你需要檢查返回的行數。這是你想要的：

注：我原來用的是$stmt->rowCount()，但是OP說沒有爲他工作。但我很確定那個錯誤的原因是來自其他地方。

if (!($stmt = $pdo->prepare("SELECT * FROM table WHERE email = ?"))) { 
    //error 
} 

if (!$stmt->execute(array("$email"))) { 
    //error 
} 
//The $row3 var you had was useless. Deleted that. 

$count = 0; 

while ($row = $stmt->fetch()) { 
    $count++; 
} 

//The query returned 0 rows, so you know the email doesn't exist in the DB 
if ($count== 0) { 

    $query = "INSERT INTO table (username, email, password, join_date) VALUES ('$username', '$email', SHA('$password1'), NOW())"; 

    if (!mysqli_query($dbc, $query)) { 
     //error 
    } 

    $query = "SELECT * FROM table WHERE username = '$username'"; 

    if (!($data2 = mysqli_query($dbc, $query))) { 
     //error 
    } 

    while ($row = mysqli_fetch_array($data2)) { 

     $recipent = '' . $row['user_id'] . ''; 

     $query = "INSERT INTO messages (recipent, MsgTit, MsgR, MsgA, sender, time, readb, reada, MsgCon) VALUES ('$recipent', '$MsgTit', '$MsgR', '$MsgA', '$sender', NOW(), '$readb', '$reada', '$MsgCon')"; 

     if (!mysqli_query($dbc, $query)) { 
      //error 
     } 

     // Aftermath. 
     echo '<p>Your new account has been successfully created. You\'re now ready to <a href="game2.php" target="_blank">log in</a>. After this you should implement basic character-details on your users profile to begin the game.</p>'; 

     mysqli_close($dbc); 
     exit(); 
    } 
} 
//The query did not return 0 rows, so it does exist in the DB 
else { 
    // An account already exists for this email, so display an error message 
    echo '<p class="error">An account already exists for this e-mail.</p>'; 
    $email = ""; 
} 

而且您應完全轉換其餘查詢以使用PDO。