1. 首頁
  2. 問答
  3. PHP:搜索欄和插入電子郵件

PHP:搜索欄和插入電子郵件

2016-07-28 18 views
-2

我正在php和MySql上運行單個頁面的測試,它包含一個輸入搜索欄和一個通訊子視圖。他們都工作,但不是在同一時間:如果我有搜索欄和訂閱輸入,我試圖從搜索結果,我從subscrition(電子郵件需要...)的PHP消息。如果消除subscrition形式,查詢搜索的工作......PHP:搜索欄和插入電子郵件

代碼: 

<?php 

     require('MGconfig.php'); 

     if (isset($_GET["game"]) && $_GET["game"]!="") { 

      $mysearch = htmlspecialchars($_GET["game"]); 
     $result = $connection->query("select title, genre from games wher title like '%" . $mysearch ."%' or genre like '%" . $mysearch ."%'"); 



     } 
    ?> 
<h2>Search game</h2> 

      <form> 
       <input name="game" id="game" class="form-control" type="text" /> 
      </form> 

      <table class="table table-hover"> 
       <thead> 
        <tr> 
         <th>Title</th> 
         <th>Genre</th> 
        </tr> 
       </thead> 
       <?php 
     //while($row = mysqli_fetch_assoc($result)){ 
     foreach ($result as $row) { 
     echo "<tr>"; 
     echo "<td>".$row["title"]. "</td><td>".$row["genre"]."</td>"; 
     echo "</tr>"; 
     } 

    ?> 
      </table> 


    </div> 

<?php 

$error=""; 
$sucessMessage=""; 
if (($_POST)){ 

    if($_POST["email"]===""){ 
     $error = "An email is required!"; 
    } 


    if ($error!=""){ 
     $error = '<div class="error">'.$error.'</div>'; 

    } 
    else{ 

     require("MGconfig.php"); 


     $email = mysqli_real_escape_string($connection, $_POST["email"]); 


     // check if user mail is already on DB 
     $result=mysqli_query($connection, "select email from newsletter where email = '".$email."'"); 

     //if there is a result, inform user that email is already regis 

     if (mysqli_num_rows($result)>0){ 
      $error = '<div class="error">Email already registred</div>'; 
     }else{ 

     //check id for new registration 
     $result=mysqli_query($connection, "select max(id) from newsletter"); 
     $row=mysqli_fetch_row($result); 
     $id = $row[0]+1; 

$insert ="insert into newsletter(id, email) values (".$id.",'".$email."')"; 

     //Execute insert on the DB 

    mysqli_query($connection, $insert); 

      // Check if there was an error executing the insert 
     if (!$result){ 
      $error ='<div class="error">Fail to register</div>'.mysqli_error($connection); 

     }else{ 
      $sucessMessage ='<div class="error">Thank you for registring!</div>'; 

     } 
     } 
    } 
} 


?> 
<div class="subscribe"> 

       <form method="post"> 
        <label style="font-size:20px">Subscribe our Newsletter!</label> 
        <input type="email" id="email" name="email" class="newsletter" placeholder="  enter your email here     "> 
        <div class="error"> 
         <?php echo $error;?> 
        </div> 
        <div class="error"> 
         <?php echo $sucessMessage;?> 
        </div> 
       </form> 
      </div>

來源

2016-07-28 icenine

+0

*「如果消除subscrition形式,查詢搜索的作品「* - 哪一個?你有不止一個。 –

+0

'$ mysearch = htmlspecialchars($ _ GET [「game」]);'???不應該是'mysqli_real_escape_string'? – Alex

+0

再次置若罔聞;我出去了。 –

回答

0

首先,你很容易受到sql injection attackshtmlspecialchars()不是一個防守,並且與SQL完全無關。

其次,你有一個SQL語法錯誤,因爲你絕對沒有錯誤處理,並簡單地基於假設查詢可能永遠不會失敗,你無法檢測到故障:

$result = $connection->query("select title, genre from games wher title [..snip..] 
                missing E---^

來源

2016-07-28 15:50:57

+0

OP狀態:*「如果刪除subscrition表單,查詢搜索的作品」* - 所以我猜這可能只是一個壞的粘貼。那麼,再次,「搜索」?大聲笑 –

+0

也許這個帖子還不夠清晰;無論如何,問題解決了,謝謝 – icenine

相關問題

 相關問題