使用SELECT中的结果填充INSERT

时间:2013-06-07 17:22:49

标签: php mysql

我正在尝试将用户名/密码发布到PHP文件,因此我可以使用inner join使用这些详细信息从用户获取 uid - (用户ID) 表。我在WHERE命令的INSERT子句中用作 payid 表的标识符。它不起作用。有人可以告诉我哪里出错吗?

if(isset($_POST['password']) && isset($_POST['username']) && isset($_POST['rates'])) {              
         $con = mysql_connect("localhost","root","");
         if (!$con) {
            die ("Could not connect: " . mysql_error());
            } else{
            mysql_select_db("council", $con); 
            $result = mysql_query('SELECT pid FROM payid INNER JOIN user ON user.uid = payid.uid WHERE user.username = " $_POST[username]" AND user.password =" $_POST[password] "');
            $pid = $result['pid'];
            if(isset($pid))
                $result = mysql_query("INSERT INTO fees (rates, pid) VALUES ('$rates',  '$pid')");
                if(!$row = mysql_fetch_array($result)) {    
                echo "<div id='t'>Invalid details please try again - use back arrow to return to form. </div>";
                                header ("Location: domRates.html");
                                }   
            if($row = mysql_fetch_array($result)) {
            header ("Location: services.html");
            }
        }
mysql_close($con);

3 个答案:

答案 0 :(得分:0)

我认为您的查询语句写得不好。

试试这个:

$result =  mysql_query('SELECT pid FROM payid INNER JOIN user ON user.uid = payid.uid WHERE user.username = \'$_POST["username"]\' AND user.password =\'$_POST["password"]\'');

或者这个:

$result =  mysql_query("SELECT pid FROM payid INNER JOIN user ON user.uid = payid.uid WHERE user.username = '". $_POST["username"]. "' AND user.password ='" . $_POST["password"]. "'");

还必须通过删除单引号来修改第二个查询(INSERT)。因为字段“rate”和“pid”不是varchar或text。它们应该是数字(int或double):

$result = mysql_query("INSERT INTO fees (rates, pid) VALUES ($rates,  $pid)");

尽管这两个查询有效,但它们很容易被SQL注入。同样不推荐使用mysql_。

答案 1 :(得分:0)

$username = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
$query = "SELECT `pid` FROM `payid` INNER JOIN `user` ON `user`.`uid` = `payid`.`uid` WHERE `user`.`username` = '".$username."' AND `user`.`password` = '".$pass."'";
    $result = mysql_query($query);

最好在反引号中包装列名。将PHP变量放入查询时,打开单引号,然后用双引号连接。

答案 2 :(得分:0)

由于这个问题可能与你有一些关联,因为这件事情是如何运作的 - 正如我所说的那样,我的问题主要是因为_post信息没有被传递到$ _post变量no编码错误,所以我把它改成了$ _REQUEST,嘿presto - 工作 - 简化: - )

<?php 
$username = sanitizeMySQL($_REQUEST['username']);
$pass = sanitizeMySQL($_REQUEST['password']);
$rates = sanitizeMySQL($_REQUEST['rates']);

function sanitizeString($var){
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}

function sanitizeMySQL($var) {
    $var =  mysql_real_escape_string($var);
    $var = sanitizeString($var);
    return $var;
}

$con = mysql_connect("localhost","root","");
         if (!$con) {
            die ("Could not connect: " . mysql_error());
            } else{

mysql_select_db("council", $con); 

$query = "SELECT * FROM `payid` INNER JOIN `user` ON `user`.`uid` = `payid`.`uid` WHERE `user`.`username` = '". $username . "' AND `user`.`password` = '" . $pass ."'";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result) or die(mysql_error());
$pid =  $row['pid'];
if (isset($result)) {
    $result = mysql_query("INSERT INTO `fees` (rates, pid) VALUES    ($rates,  $pid)");
header ("Location: acc.html");

    }
相关问题
最新问题