所以我有这个代码将项目从数据库传递到我的订单表。当我回应会话时。会话变量包含一些东西,所以没有问题。但是当我在numrows下回显这些变量时,它只显示任何内容。有什么不对吗?
<?php
error_reporting(E_ALL ^ E_NOTICE);
session_start();
require("connect.php");
$UserID = $_SESSION['CustNum'];
$UserN = $_SESSION['UserName'];
$ProdGTotal = $_SESSION['ProdGTotal'];
$queryord = mysql_query("SELECT * FROM customer WHERE UserName = '$UserN'");
$numrows = mysql_num_rows($queryord);
if(numrows == 1){
$row = mysql_fetch_assoc($queryord)or die ('Unable to run query:'.mysql_error()); // fetch associated: get function from a query for a database
$dbstreet = $row['Street'];
$dhousenum = $row['HouseNum'];
$dbcnum = $row['CelNum'];
$dbarea = $row['Area'];
$dbbuilding = $row['Building'];
$dbcity = $row['City'];
$dbpnum = $row['PhoneNum'];
$dbfname = $row['FName'];
$dblname = $row['LName'];
}
else
die(mysql_error());
$query4=mysql_query("INSERT INTO orderdetails VALUES ('', '$UserID', Now(), '$dbhousenum', '$dbstreet', '$dbarea', '$dbbuilding', '$dbcity', '$dbfname', '$dblname', '$dbcnum', '$dbpnum', '$ProdGTotal')",$connect);
if ($query4){
header("location:index.php");
}
else
die(mysql_error());
?>
答案 0 :(得分:0)
if(numrows == 1) => if($numrows == 1){
答案 1 :(得分:0)
首先输入
if(numrows == 1){
而是变量:
if($numrows == 1){
而不是检查用户,你可以:
$queryord = mysql_query("SELECT * FROM customer WHERE UserName = '$UserN'");
$numrows = mysql_num_rows($queryord);
用作:
$queryord = mysql_query("SELECT * FROM customer WHERE UserName = '$UserN' LIMIT 1");
$numrows = mysql_num_rows($queryord);
因为你想要获取一个用户,但是因为你没有被转义而失败了:
$UserN = mysql_real_escape_string($UserN);
$queryord = mysql_query("SELECT * FROM customer WHERE UserName = '$UserN' LIMIT 1");
$numrows = mysql_num_rows($queryord);
您应该以更好的方式编写代码,并查看有关如何获取数据的stackoverflow的最佳实践示例。查看阻止SQL注入和漏洞的最佳实践。
此网站上显示了示例:How can I prevent SQL injection in PHP?