如何验证来自数据库的输入
How to validate input from database
我开发了验证码,要求用户回答随机显示的问题。我的数据库由 id、question、answer 组成。问题是虽然我输入了正确的答案,但它仍然将我重定向到 error.php 而不是 success.php。
<?php
$database_db="test2";
$user_db="root";
$password_db="";
$host_db="localhost";
$link = mysqli_connect($host_db, $user_db, $password_db, $database_db);
/* check connection */
if (mysqli_connect_errno())
{
die ("couldnot connect: ".mysqli_connect_error());
exit();
}
if (array_key_exists("answer", $_POST) AND array_key_exists("question", $_POST))
{
$id = intval($_POST['question']);
$sql="SELECT question, answer FROM captcha WHERE question='$id' AND answer='".mysqli_real_escape_string($link, $_POST['answer'])."'";
$result = mysqli_query($link, $sql) or exit('$sql failed: '.mysqli_error($link));
$num_rows = mysqli_num_rows($result);
if($num_rows > 0)
{
header("Location: success.php");
}
else
{
header("Location: error.php");
}
exit;
}
else
{
$query = "SELECT id, question FROM `captcha` ORDER BY RAND() LIMIT 1";
if ($result = mysqli_query($link, $query))
{
if ($row = mysqli_fetch_assoc($result))
{
$id = $row["id"];
$question = $row["question"];
}
}
}
?>
<html>
<body>
<form method="post">
<?php echo $question; ?><br />
<input type="hidden" name="question" id="question" value="<?php echo $id; ?>" />
<input type="text" name="answer" id="answer" /><br />
<input type="submit" name="submit" value="submit" /><br />
</form>
</body>
</html>
您似乎查询了错误的列以匹配 $id
:
"SELECT question, answer FROM captcha WHERE question='$id' AND ... "
我认为应该是:
"SELECT question, answer FROM captcha WHERE id='$id' AND ... "
我开发了验证码,要求用户回答随机显示的问题。我的数据库由 id、question、answer 组成。问题是虽然我输入了正确的答案,但它仍然将我重定向到 error.php 而不是 success.php。
<?php
$database_db="test2";
$user_db="root";
$password_db="";
$host_db="localhost";
$link = mysqli_connect($host_db, $user_db, $password_db, $database_db);
/* check connection */
if (mysqli_connect_errno())
{
die ("couldnot connect: ".mysqli_connect_error());
exit();
}
if (array_key_exists("answer", $_POST) AND array_key_exists("question", $_POST))
{
$id = intval($_POST['question']);
$sql="SELECT question, answer FROM captcha WHERE question='$id' AND answer='".mysqli_real_escape_string($link, $_POST['answer'])."'";
$result = mysqli_query($link, $sql) or exit('$sql failed: '.mysqli_error($link));
$num_rows = mysqli_num_rows($result);
if($num_rows > 0)
{
header("Location: success.php");
}
else
{
header("Location: error.php");
}
exit;
}
else
{
$query = "SELECT id, question FROM `captcha` ORDER BY RAND() LIMIT 1";
if ($result = mysqli_query($link, $query))
{
if ($row = mysqli_fetch_assoc($result))
{
$id = $row["id"];
$question = $row["question"];
}
}
}
?>
<html>
<body>
<form method="post">
<?php echo $question; ?><br />
<input type="hidden" name="question" id="question" value="<?php echo $id; ?>" />
<input type="text" name="answer" id="answer" /><br />
<input type="submit" name="submit" value="submit" /><br />
</form>
</body>
</html>
您似乎查询了错误的列以匹配 $id
:
"SELECT question, answer FROM captcha WHERE question='$id' AND ... "
我认为应该是:
"SELECT question, answer FROM captcha WHERE id='$id' AND ... "