Php Mysql_fetch_assoc运行不正常
无论如何,我都无法找出代码中出现此错误的原因: mysql\u fetch\u assoc():提供的参数不是有效的mysql结果资源 以下是我的PHP代码:Php Mysql_fetch_assoc运行不正常,php,mysql,sql,Php,Mysql,Sql,无论如何,我都无法找出代码中出现此错误的原因: mysql\u fetch\u assoc():提供的参数不是有效的mysql结果资源 以下是我的PHP代码: <?php $session_id = $_SESSION['id']; $getall = mysql_query("SELECT * FROM users WHERE id='' . $dbuser_id . ''"); $row = mysql_fetch_assoc($getall); $fullnameDB
<?php
$session_id = $_SESSION['id'];
$getall = mysql_query("SELECT * FROM users WHERE id='' . $dbuser_id . ''");
$row = mysql_fetch_assoc($getall);
$fullnameDB = $row['name'];
$emailDB = $row['email'];
$usernameDB = $row['username'];
$fullname = strip_tags($_POST['fullname']);
$username = strip_tags($_POST['username']);
$email = strip_tags($_POST['email']);
if ($_POST['submit']) {
$namecheck = mysql_query("SELECT username FROM users WHERE username='' . $username . ''");
$count = mysql_num_rows($namecheck);
if ($count !=0) {
echo 'That username is already taken!';
} else {
mysql_query("UPDATE users SET username=' . $username . ' WHERE id='' . $dbuser_id . ''");
echo 'Your UN has been updated';
}
}
?>
不是
但请考虑用MySQL或PDO
< P>切换到参数化语句:这里是您的代码的精化版本:
<?php
$session_id = $_SESSION['id'];
$getall = mysql_query("SELECT * FROM users WHERE id='" . $dbuser_id . "'");
$row = mysql_fetch_assoc($getall);
$fullnameDB = $row['name'];
$emailDB = $row['email'];
$usernameDB = $row['username'];
$fullname = mysql_real_escape_string($_POST['fullname']);
$username = mysql_real_escape_string($_POST['username']);
$email = mysql_real_escape_string($_POST['email']);
if ($_POST['submit']) {
$namecheck = mysql_query("SELECT username FROM users WHERE username='" . $username . "'");
$count = mysql_num_rows($namecheck);
if ($count !=0) {
echo 'That username is already taken!';
} else {
mysql_query("UPDATE users SET username='" . $username . "' WHERE id='" . $dbuser_id . "'");
echo 'Your UN has been updated';
}
}
?>
您的代码中有错误,易受攻击
使用此代码:
<?php
try {
$session_id = session_id();
$conn = mysqli_connect('localhost', 'any_user_other_than_root', 'secure_password', 'database');
if(!$conn) throw new Exception('Could not connect to the database.');
$dbuser_id = mysqli_real_escape_string($dbuser_id);
$query = "SELECT * FROM users WHERE id='$dbuser_id'";
$getall = mysqli_query($conn, $query);
if(!$getall) throw new Exception('Database query failed!');
$row = mysqli_fetch_assoc($getall);
$fullname_db = $row['name'];
$email_db = $row['email'];
$username_db = $row['username'];
$fullname = mysqli_real_escape_string($_POST['fullname']);
$username = mysqli_real_escape_string($_POST['username']);
$email = mysqli_real_escape_string($_POST['email']);
if(isset($_POST['submit'])) {
$namecheck = mysqli_query($conn, "SELECT username FROM users WHERE username='$username'");
if(!$namecheck) throw new Exception('Name check failed!');
$count = mysqli_num_rows($namecheck);
if($count > 0) {
echo 'That username is already taken!';
} else {
$result = mysqli_query($conn, "UPDATE users SET username='$username' WHERE id='$dbuser_id'");
if(!$result) throw new Exception('Could not update your UN.');
echo 'Your UN has been updated';
}
}
} catch(Exception $e) {
echo 'Error: ' . $e->getMessage();
}
?>
警告您的代码可能容易受到sql注入攻击!因为你的报价不匹配?你以双引号开始,似乎试图以两个背道结束。请改进你的标题以匹配你的问题。请在此处发布相关代码。请不要使用mysql.*
函数获取新代码。它们不再得到维护,社区已开始恢复。看到了吗?相反,你应该学习并使用或。如果你不能决定,将帮助你做出选择。如果你想学的话,把答案贴在这里,而不是贴在贴纸上。谢谢你,现在似乎很有效。为什么有人否决了我?我犯了错误吗?@John你在责怪他没有为OP做额外的工作?请注意,这仍然容易受到SQL注入的影响。你应该更具体一点,因为这种错误在ImagineCustom的代码中不止一次发生。@think123-当我回答时,代码中只有一条SQL语句是真的,然后,你应该考虑编辑你的答案以获得更多的选票。注意,在某些情况下,这仍然易受SQL注入攻击的影响,并且你确实应该使用准备好的声明。你应该尽可能地将代码保持在与IMANENECUSTOM原始代码相似的地方。因为它将帮助ImageCustom更好地理解代码,如果您以ImageCustom理解的格式保存它。@think123我尽可能地保存它,同时使其更好@卢西塔尼亚语-我的意思是在不久的将来学习准备好的语句和面向对象编程
<?php
$session_id = $_SESSION['id'];
$getall = mysql_query("SELECT * FROM users WHERE id='" . $dbuser_id . "'");
$row = mysql_fetch_assoc($getall);
$fullnameDB = $row['name'];
$emailDB = $row['email'];
$usernameDB = $row['username'];
$fullname = mysql_real_escape_string($_POST['fullname']);
$username = mysql_real_escape_string($_POST['username']);
$email = mysql_real_escape_string($_POST['email']);
if ($_POST['submit']) {
$namecheck = mysql_query("SELECT username FROM users WHERE username='" . $username . "'");
$count = mysql_num_rows($namecheck);
if ($count !=0) {
echo 'That username is already taken!';
} else {
mysql_query("UPDATE users SET username='" . $username . "' WHERE id='" . $dbuser_id . "'");
echo 'Your UN has been updated';
}
}
?>
<?php
try {
$session_id = session_id();
$conn = mysqli_connect('localhost', 'any_user_other_than_root', 'secure_password', 'database');
if(!$conn) throw new Exception('Could not connect to the database.');
$dbuser_id = mysqli_real_escape_string($dbuser_id);
$query = "SELECT * FROM users WHERE id='$dbuser_id'";
$getall = mysqli_query($conn, $query);
if(!$getall) throw new Exception('Database query failed!');
$row = mysqli_fetch_assoc($getall);
$fullname_db = $row['name'];
$email_db = $row['email'];
$username_db = $row['username'];
$fullname = mysqli_real_escape_string($_POST['fullname']);
$username = mysqli_real_escape_string($_POST['username']);
$email = mysqli_real_escape_string($_POST['email']);
if(isset($_POST['submit'])) {
$namecheck = mysqli_query($conn, "SELECT username FROM users WHERE username='$username'");
if(!$namecheck) throw new Exception('Name check failed!');
$count = mysqli_num_rows($namecheck);
if($count > 0) {
echo 'That username is already taken!';
} else {
$result = mysqli_query($conn, "UPDATE users SET username='$username' WHERE id='$dbuser_id'");
if(!$result) throw new Exception('Could not update your UN.');
echo 'Your UN has been updated';
}
}
} catch(Exception $e) {
echo 'Error: ' . $e->getMessage();
}
?>