下面的查询没有告诉我用户名已经存在于数据库中,即使确实存在。
我正在尝试学习如何绑定参数等,但是在我认为的某个地方感到困惑。
<?php
// Include config.php
require_once("".$_SERVER['DOCUMENT_ROOT']."/admin/config.php");
// top.inc.php
require_once($top_inc);
?>
<!-- Meta start -->
<title></title>
<meta name="description" content="" />
<meta name="keywords" content="" />
<!-- Meta end -->
<!-- CONTENT START -->
<?php
// sidebar.inc.php
require_once($sidebar_inc);
// main.inc.php
require_once($main_inc);
// check if form has been submitted
if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['submit'])){
// initialize form errors array
$error = array();
// fetch form data
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
// validate form data
if(!preg_match(constant("USERNAME_REGEX"), $username)){
$error[] = "Please enter a username. Use 3 to 15 digits and letters";
}
if(!preg_match(constant('PASSWORD_REGEX'), $password)){
$error[] = "Please enter a password. Minimum of 6 characters required";
}
if(!empty($password) && $password == $username){
$error[] = "Your pasword cannot be you username for security reasons";
}
if(empty($email)){
$error[] = "Please enter your email address";
}
if(!empty($email) && !filter_var($email, FILTER_VALIDATE_EMAIL)){
$error[] = "Your email address is not valid";
}
// connect to database
sql_con();
// Get instance of statement
$stmt = mysqli_stmt_init($connect);
// sql statement
$UserExists = "
SELECT
`user_login`
FROM
`users`
WHERE
`user_login` = ? ";
// prepare sql statement for execution
if (mysqli_stmt_prepare($stmt, $UserExists)) {
// bind parameters [s for string]
mysqli_stmt_bind_param($stmt, "s", $username) or die(mysqli_stmt_error());
// execute statement
mysqli_stmt_execute($stmt) or die(mysqli_stmt_error());
// check if username is found
if(mysqli_stmt_num_rows($stmt) > 0 ){
$error[] = 'The username you have choose has already been taken';
}
}
// If errors found display errors
if(!empty($error)){
foreach($error as $msg){
echo "$msg <br />";
}
} else {
echo 'My Query Worked!';
}
}
// signup.tpl template location
$tpl = 'inc/tpl/signup.tpl';
// load signup form template
PageContentTemplate($tpl);
?>
<!-- CONTENT FINISH -->
<?php
// footer.inc.php
require_once($footer_inc);
?>
[基本上,它只是回显'My Query Worked',尽管它应该说用户名已被使用,我在表单上输入了详细信息,我知道已经使用了用户名并提交了表单,我知道我做一些事情可能真的很愚蠢,但是对于mysqli和绑定参数等却是新手。即使我已经看过一些示例,我也不知道我要去哪里。
老实说,我不确定这是否是采用程序风格的最佳方法,我不知道PDO / OOP,我进行更改的主要原因是为了避免在查询中使用占位符等来进行SQL注入。 。
我现在看到了。您尚未调用mysqli_stmt_store_result()
,在此之前mysqli_stmt_num_rows()
不会报告正确的值。
// prepare sql statement for execution
if (mysqli_stmt_prepare($stmt, $UserExists)) {
// bind parameters [s for string]
mysqli_stmt_bind_param($stmt, "s", $username) or die(mysqli_stmt_error());
// execute statement
mysqli_stmt_execute($stmt) or die(mysqli_stmt_error());
// check if username is found
// FIRST : store the store the result set so num_rows gets the right value
mysqli_stmt_store_result($stmt);
// Now this should be 1 instead of 0
if(mysqli_stmt_num_rows($stmt) > 0 ){
$error[] = 'The username you have choose has already been taken';
}
}
返回结果集中的行数。 mysqli_stmt_num_rows()的使用取决于您是否使用mysqli_stmt_store_result()在语句句柄中缓冲整个结果集。
如果使用mysqli_stmt_store_result(),则可能会立即调用mysqli_stmt_num_rows()。