[英]PHP using $_GET at sql query returning no results
我有这个php文件,其中我在这样的网址中发送了一个名为user_email的变量:
http:// * ** * ** * *** /android_connect/get_all_products.php?user_email="m“
通过我的Android应用程序代码。
但是,即使应该返回一些数据,它也会从其他返回“没有找到产品”! 如果我使用test1查询,它将返回正确的数据! 我知道代码对SQL注入很有价值,但是我必须做些什么来解决它? 请帮助我真的需要这个!
<?php
/*
* Following code will list all the products
*/
// array for JSON response
$response = array();
$user_email = $_REQUEST['user_email'];
//echo $user_email;
// include db connect class
require_once __DIR__ . '/db_connect.php';
// connecting to db
$db = new DB_CONNECT();
// get all products from products table
$test = "SELECT *FROM products WHERE user_email= '" . $user_email . "'";
//$test1= "SELECT * FROM products where user_email='m'" ;
//echo $test;
$result = mysql_query($test) or die(mysql_error());
// check for empty result
if (mysql_num_rows($result) > 0) {
// looping through all results
// products node
$response["products"] = array();
while ($row = mysql_fetch_array($result)) {
// temp user array
$product = array();
$product["pid"] = $row["pid"];
$product["firstname"] = $row["firstname"];
$product["lastname"] = $row["lastname"];
$product["email"] = $row["email"];
$product["phone"] = $row["phone"];
$product["address"] = $row["address"];
$product["created_at"] = $row["created_at"];
$product["updated_at"] = $row["updated_at"];
$product["user_email"] = $row["user_email"];
// push single product into final response array
array_push($response["products"], $product);
}
// success
$response["success"] = 1;
// echoing JSON response
echo json_encode($response);
} else {
// no products found
$response["success"] = 0;
$response["message"] = "No products found";
// echo no users JSON
echo json_encode($response);
}
?>
在get请求中,您的电子邮件周围有引号。
http://**********/android_connect/get_all_products.php?user_email="m"
^ ^
因此,mysql将寻找与"m"
匹配的对象,而不仅仅是m
。
您应先从网址中删除引号,或将其删除,然后再将其添加到查询中:
$user_email = trim($user_email, '"');
至少您应该在运行查询之前对其进行转义:
$test = mysql_real_escape_string($test);
$result = mysql_query($test) or die(mysql_error());
http:// * *** /android_connect/get_all_products.php?user_email="m“
回声$ user_email; //它是“ m”
因此,现在的SQL是
SELECT * FROM产品,其中user_email ='“ m”'// //,为空结果
删除网址中的“”
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.