我正在创建一个预订系统,客户将在其中填写预订表格(位置,教室,时间和日期)。
我的问题是关于在将其插入数据库之前检查键入的记录。这意味着如果LOCATION,CLASSROOM,TIME和DATE已被插入/获取/保留在数据库中,那么系统将提示诸如“位置,日期和时间已被保留”的消息,否则它将被插入数据库中。我运行此代码,但仍然记录了相同的位置,教室,日期,时间。该代码有问题吗?
$res_location = isset($_POST['res_location']) ;
$res_classroom = isset($_POST['res_classroom']) ;
$res_inclusive_date = isset($_POST['res_inclusive_date']);
$res_inclusive_time_start = isset($_POST['res_inclusive_time_start']) ;
// Build the query
$query = sprintf("SELECT Location_Faculty FROM tbl_reservation WHERE Location_Faculty=%s AND Classroom=%s AND Inclusive_Date=%s AND Inclusive_Time=%s ",
GetSQLValueString($res_location, "text"),
GetSQLValueString($res_classroom, "text"),
GetSQLValueString($res_inclusive_date, "date"),
GetSQLValueString($res_inclusive_time_start, "date"));
$result = mysql_query($query) or die(mysql_error() . '<hr />' . $query);
$num_rows = mysql_num_rows($result);
if( $num_rows >= 1){
// then the record already exists
echo "Duplicate entry";
}
else{
//insert query
}
由于具有“ GetSQLValueString”功能,因此无需使用SQL注入。
在将数据插入数据库中以检查预订之前,您将需要运行查询。
也许是这样
// This function helps you escape the data before you use them in database
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
// prep you data properly. You can use the GetSQLValueString() function to
// escape the inputs, just set it to the required type.
// if some $_POST value is not set, then you can set a default one here
$res_location = isset($_POST['res_location']) ? GetSQLValueString($_POST['res_location'], 'text') : ' set a defaule value here';
$res_classroom = isset($_POST['res_classroom']) ? GetSQLValueString($_POST['res_classroom'], 'text') : ' set a defaule value here';
$res_inclusive_date = isset($_POST['res_inclusive_date']) ? GetSQLValueString($_POST['res_location'], 'date') : ' set a defaule value here';
$res_inclusive_time_start = isset($_POST['res_inclusive_time_start']) ? GetSQLValueString($_POST['res_inclusive_time_start'], 'text') : ' set a defaule value here';
// Build the query
$query = "SELECT * FROM `tbl_reservation` WHERE `Location_Faculty` = '{$res_location}' AND `Classroom` = '{$res_classroom}' AND `Inclusive_Date` = '{$res_inclusive_date}' AND `Inclusive_Time` = '{$res_inclusive_time_start}' ";
$result = mysql_query($query) or die(mysql_error() . '<hr />' . $query);
if(mysql_num_rows($result) > 0){
// then the record already exists
echo "Duplicate entry";
} else {
// save to database
}
请注意,它对sql注入很重要,因此您必须转义输入,并尝试使用mysqli或pdo代替旧的mysql函数
您可以检查插入的行数:
if(mysql_num_rows($Result1) > 0){
//row is inserted
}
或者您可以在插入之前运行SELECT
查询,并检查是否返回行。