Can anyone help me figure out what is wrong with this code?
Here is my code
$con = mysql_connect("localhost", "root", '');
if (!$con) {
die('Cannot make a connection');
}
mysql_select_db('yumbox_table', $con) or die('Cannot make a connection');
isset($_POST['user_name'], $_POST['password'], $_POST['user_type']);
$data = mysql_query("SELECT *
FROM users
WHERE user_name == ($_POST['user_name'])
AND ($_POST['password'])
AND ($_POST['user_type'])") or die(mysql_error());
$info = mysql_fetch_array($data);
$count = mysql_numrows($data);
if ($count == 1) {
echo("Success!!");
} else {
echo("BIG FRIGGIN FAILURE!!");
}
mysql_close($con);
Whenever I run this code, I receive the following message:
You need to escape your POST values before you put them into your query.
Instead of this:
$data = mysql_query("SELECT * from users where user_name == ($_POST['user_name']) and ($_POST['password']) and ($_POST['user_type'])"
Do this:
$user_name = mysql_real_escape_string($_POST['user_name']);
$password = mysql_real_escape_string($_POST['password']);
$user_type = mysql_real_escape_string($_POST['user_type']);
$data = mysql_query("SELECT * FROM users WHERE user_name = '$user_name' AND password = '$password' AND user_type = '$user_type'");
Note that I am assuming your columns in the table are 'user_name', 'password', and 'user_type'.
if (isset($_POST['user_name'], $_POST['password'], $_POST['user_type'])) {
    $data = mysql_query("SELECT * from users
        where user_name = '".mysql_real_escape_string($_POST['user_name'])."' and
        password = '".mysql_real_escape_string($_POST['password'])."' and
        user_type = '".mysql_real_escape_string($_POST['user_type'])."' ");
    if (mysql_numrows($data) == 1) {
        $info = mysql_fetch_array($data);
        echo("Success!!");
    } else {
        echo("BIG FRIGGIN FAILURE!!");
    }
} else {
    echo "Required Data Missing";
}
mysql_close($con);
You need to post the error for more details. But a few things I noticed were:
mysql_query("SELECT * from users where user_name == ($_POST['user_name']) and ($_POST['password']) and ($_POST['user_type'])")
You need to change this to
// Do escaping here. See note below.
// The escaping function in the legacy mysql extension is mysql_real_escape_string().
$username = isset($_POST['user_name']) ? mysql_real_escape_string($_POST['user_name']) : '';
$pass = isset($_POST['password']) ? mysql_real_escape_string($_POST['password']) : '';
$type = isset($_POST['user_type']) ? mysql_real_escape_string($_POST['user_type']) : '';
mysql_query("SELECT * from users where user_name = '{$username}' AND password = '{$pass}' AND user_type = '{$type}'");
You need to escape values.
MySQL comparisons are = and not == (thanks for pointing that out @jeremysawesome).
You need to check the column against your POST value.
You also have an SQL injection vulnerability. Please at least use mysql_real_escape_string. Better yet, switch to PDO.
You need to assign your isset check to a variable and check it. Otherwise it's just a waste.
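The last answer's suggestion to switch to PDO, shown as an added example that is not part of any of the posts above: the same three-field login check done with a prepared statement, so the submitted values never become part of the SQL text. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, `check_login()` is a hypothetical helper, and the `password` column stores a `password_hash()` value rather than plaintext.

```php
<?php
// Added example, not code from the question or the answers.
// Assumption: in-memory SQLite so the script runs without a server; for the
// page's MySQL database only the DSN changes, e.g.
// new PDO('mysql:host=localhost;dbname=yumbox_table;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table using the column names from the answers above.
// Assumption: the password column holds a password_hash() value, not plaintext.
$pdo->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, password TEXT, user_type TEXT)');
$insert = $pdo->prepare('INSERT INTO users (user_name, password, user_type) VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('s3cret-sample', PASSWORD_DEFAULT), 'admin']);

/**
 * Hypothetical helper: true only when all three submitted fields match one row.
 */
function check_login(PDO $pdo, array $post): bool
{
    // Same presence check as the isset() in the answers, but its result is used.
    // is_string() also rejects array values such as user_name[]=x.
    foreach (['user_name', 'password', 'user_type'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
    }
    // Placeholders keep the values out of the SQL text, so no escaping is
    // needed and quotes in the input cannot change the statement.
    $stmt = $pdo->prepare(
        'SELECT password FROM users WHERE user_name = :user_name AND user_type = :user_type'
    );
    $stmt->execute([':user_name' => $post['user_name'], ':user_type' => $post['user_type']]);
    $hash = $stmt->fetchColumn(); // false when no row matched

    return $hash !== false && password_verify($post['password'], $hash);
}

// Constructed inputs standing in for $_POST.
$samples = [
    ['user_name' => 'alice', 'password' => 's3cret-sample', 'user_type' => 'admin'],
    ['user_name' => 'alice', 'password' => 'wrong', 'user_type' => 'admin'],
    ['user_name' => "alice' OR '1'='1", 'password' => 'x', 'user_type' => 'admin'],
    ['user_name' => 'alice', 'user_type' => 'admin'], // password field missing
];
foreach ($samples as $post) {
    echo check_login($pdo, $post) ? "Success!!\n" : "Login failed\n";
}
```

Only the first constructed input logs in; the input containing quote characters is compared as a literal user name and matches no row.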