这个SQL查询有什么问题?
[英]what's wrong with this sql query?
问题描述
Okay I have two variables in PHP 
好的,我在PHP中有两个变量
$username;
$password;
which are initialized to the data retrieved from $_POST variable :) 它被初始化为从$ _POST变量中检索的数据:)
I have this SQL query 我有这个SQL查询
$sql = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $password . "')";
But this doesn't works and returns me nothing :( 但这不起作用,并没有给我任何回报:(
Can you instruct me into the right direction. 你能指导我走向正确的方向吗? Please? 请?
8 个解决方案
解决方案1
12 已采纳 2009-04-23 16:25:02
查询在结尾处有一个右括号,没有任何理由,它将无法工作。
解决方案2
7 2009-04-23 16:24:34
What's wrong with it? 它出什么问题了?
Everything, unfortunately. 不幸的是,一切。 In particular it's open to SQL injection attacks. 特别是它对SQL注入攻击持开放态度。
If that's a verbatim cut&paste, then the reason it's not actually working is a trailing closing bracket. 如果这是一个逐字剪切和粘贴,那么它实际上不工作的原因是一个尾随的结束括号。 Presumably you're not checking for errors when you call this? 大概你在打电话时没有检查错误?
Using the base MySQL API it should be: 使用基础MySQL API应该是:
$sth = $db->prepare("SELECT COUNT(*) FROM users WHERE username = ? AND password = ?");
$sth->execute($username, $password);
list($count) = $sth->fetchrow();
$authorized = ($count > 0);
or similar (code untested, E&OE, etc...) 或类似的(代码未经测试,E&OE等...)
解决方案3
4 2009-04-23 16:24:29
eeek! eeek! sql injection for one! sql注入一个!
EDIT: What's your favorite "programmer" cartoon? 编辑: 你最喜欢的“程序员”卡通是什么?
解决方案4
2 2009-04-23 16:25:28
Why is there a stray ) at the end of your query? 在查询结束时为什么会有流浪? It shouldn't be there. 它应该不存在。
Oh, and thirded on SQL injection. 哦,并且在SQL注入方面很谨慎。 BAD. 坏。
解决方案5
1 2009-04-23 16:25:29
You seem to have an excess closing parenthesis at the end of your query string. 您的查询字符串末尾似乎有一个多余的右括号。
[Edit] - for those screaming SQL injection attacks: we don't know what the user has done with their variables before using them in the query. [编辑] - 对于那些尖叫的SQL注入攻击:在查询中使用它们之前,我们不知道用户对其变量做了什么。 How about benefit of doubt? 怀疑的好处怎么样? ;-) ;-)
解决方案6
1 2009-04-23 16:26:02
First of all, never, ever do it like this. 首先, 永远不要这样做。 Please read about SQL injection and don't write any SQL until you have understood what it says. 请阅读有关SQL注入的内容 ,除非您理解了它的内容,否则不要编写任何SQL。 Sorry, but this is really essential. 对不起,但这非常重要。
That said, your query contains a closing bracket. 也就是说,您的查询包含一个结束括号。 That looks like a syntax error. 这看起来像语法错误。 Do you get an error executing it? 执行它会出错吗?
解决方案7
1 2009-04-23 16:26:43
There's an extra parenthesis on the right hand side of the query. 查询的右侧有一个额外的括号。
Also, if you do not sanitize your code properly you're going to be vulnerable to SQL injection. 此外,如果您没有正确清理代码,那么您将容易受到SQL注入攻击。 You should really be using parameterized queries, but in lieu of that at least use mysql_real_escape_string() on $username and $password . 你应该使用参数化查询,但至少在$username和$password上使用mysql_real_escape_string()代替。
Also, as a bit of ghost debugging, it's very possible that your passwords are MD5 hashed in the database, since you should never store them in plain text. 此外,作为一些鬼调试,你的密码很可能是数据库中的MD5哈希值,因为你永远不应该以纯文本形式存储它们。
Try: 尝试:
$username = mysql_real_escape_string($_POST["username"]);
$password = md5($_POST["password"]);
$sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
解决方案8
0 2009-04-23 16:28:00
In addition to all the other problems noted. 除了提到的所有其他问题。 The Password in the Users table is stored encrypted. Users表中的密码以加密方式存储。 Unless you've run the Password through the MySQL password encryptor, you will never see any data from this query as the passwords won't match. 除非您通过MySQL密码加密器运行密码,否则您将永远不会看到此查询中的任何数据,因为密码不匹配。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.