禁止系统不工作
Ban System not working
我正在为我的网站开发一个禁止系统,所有值都是正确的,我在页面上没有发现任何错误,但数据没有进入 table。这是数据库连接的代码。
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="PyroStudio"; // Database name
$tbl_name="banned"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
这是实际的禁止系统本身
if ($_POST['post'])
{
//get data
$bannuser = $_POST['bannuser'];
$TypeBan = $_POST['TypeBan'];
$Reviewed = $_POST['Reviewed'];
$ModNote = $_POST['ModNote'];
$Reason = $_POST['Reason'];
$OffenItem = $_POST['OffenItem'];
$BanLengthMssg = $_POST['BanLengthMssg'];
$ReleaseMssg = $_POST['ReleaseMssg'];
$AppealMssg = $_POST['AppealMssg'];
//Connect To The Database
$connect = mysql_connect("localhost","root","");
mysql_select_db("PyroStudio");
$namecheck = mysql_query("SELECT bannuser FROM $tbl_name WHERE bannuser='$bannuser'");
$count = mysql_num_rows($namecheck);
if($count!=0)
{
die("This User Is Already Banned! <a href='home.php'>[Home]</a>");
}
//check for existance
if ($bannuser)
{
if(strlen($bannuser)>25||strlen($bannuser)<6)
{
echo "<b>Length Of Username Is Must Be Between 6 and 25 Characters Long!</b>";
}
else
{
$queryreg = mysql_query("
INSERT INTO $tbl_name VALUES ('$bannuser','$TypeBan','$Reviewed','$ModNote','$Reason','$OffenItem','$BanLengthMssg','$ReleaseMssg','$AppealMssg')
");
die ("<b>The Moderation Report Has Been Submitted! The User Is Now Banned!</b> <b><a href='home.php'>[Home]</a></b>");
}
}
}
?>
我以前用过这个系统,现在我不知道为什么它不想工作。如果你能帮忙,那就太好了。
mysql_query("SELECT bannuser FROM $tbl_name WHERE bannuser='$bannuser'");
只是不要。这是一个巨大的安全漏洞。此外,您的代码可能会因为未转义的 $_POST 数据进入 SQL 语句并破坏它而失败。或者因为您错过了 INSERT 查询的某些内容,因为您甚至没有指定列列表。如果您对问题所在感兴趣,请检查 MySQL 服务器日志或 mysql_error() 函数的结果。
无论如何,请考虑以下方法:
$db = new PDO("mysql:host=localhost;dbname=PyroStudio", "root", "");
$bannuser = $_POST["bannuser"];
if (strlen($bannuser) > 25 || strlen($bannuser) < 6) {
die("Invalid username.");
}
$count = $db->prepare("SELECT COUNT(*) FROM bannuser WHERE bannuser = ?")
->execute(array($bannuser))
->fetchColumn();
if ($count > 0) {
die("Already banned.");
}
$stmt = $db->prepare("INSERT INTO bannuser (bannuser, typeban, …) VALUES (:bannuser, :typeban, …)");
$stmt->bindParam("bannuser", $bannuser);
$stmt->bindParam("typeban", $_POST["typeban"]);
…
$stmt->execute();
这不是一个完整的代码(特别是,我懒得输入每个插入的参数)而只是我凭记忆做的粗略草图,以帮助您入门。
我正在为我的网站开发一个禁止系统,所有值都是正确的,我在页面上没有发现任何错误,但数据没有进入 table。这是数据库连接的代码。
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="PyroStudio"; // Database name
$tbl_name="banned"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
这是实际的禁止系统本身
if ($_POST['post'])
{
//get data
$bannuser = $_POST['bannuser'];
$TypeBan = $_POST['TypeBan'];
$Reviewed = $_POST['Reviewed'];
$ModNote = $_POST['ModNote'];
$Reason = $_POST['Reason'];
$OffenItem = $_POST['OffenItem'];
$BanLengthMssg = $_POST['BanLengthMssg'];
$ReleaseMssg = $_POST['ReleaseMssg'];
$AppealMssg = $_POST['AppealMssg'];
//Connect To The Database
$connect = mysql_connect("localhost","root","");
mysql_select_db("PyroStudio");
$namecheck = mysql_query("SELECT bannuser FROM $tbl_name WHERE bannuser='$bannuser'");
$count = mysql_num_rows($namecheck);
if($count!=0)
{
die("This User Is Already Banned! <a href='home.php'>[Home]</a>");
}
//check for existance
if ($bannuser)
{
if(strlen($bannuser)>25||strlen($bannuser)<6)
{
echo "<b>Length Of Username Is Must Be Between 6 and 25 Characters Long!</b>";
}
else
{
$queryreg = mysql_query("
INSERT INTO $tbl_name VALUES ('$bannuser','$TypeBan','$Reviewed','$ModNote','$Reason','$OffenItem','$BanLengthMssg','$ReleaseMssg','$AppealMssg')
");
die ("<b>The Moderation Report Has Been Submitted! The User Is Now Banned!</b> <b><a href='home.php'>[Home]</a></b>");
}
}
}
?>
我以前用过这个系统,现在我不知道为什么它不想工作。如果你能帮忙,那就太好了。
mysql_query("SELECT bannuser FROM $tbl_name WHERE bannuser='$bannuser'");
只是不要。这是一个巨大的安全漏洞。此外,您的代码可能会因为未转义的 $_POST 数据进入 SQL 语句并破坏它而失败。或者因为您错过了 INSERT 查询的某些内容,因为您甚至没有指定列列表。如果您对问题所在感兴趣,请检查 MySQL 服务器日志或 mysql_error() 函数的结果。
无论如何,请考虑以下方法:
$db = new PDO("mysql:host=localhost;dbname=PyroStudio", "root", "");
$bannuser = $_POST["bannuser"];
if (strlen($bannuser) > 25 || strlen($bannuser) < 6) {
die("Invalid username.");
}
$count = $db->prepare("SELECT COUNT(*) FROM bannuser WHERE bannuser = ?")
->execute(array($bannuser))
->fetchColumn();
if ($count > 0) {
die("Already banned.");
}
$stmt = $db->prepare("INSERT INTO bannuser (bannuser, typeban, …) VALUES (:bannuser, :typeban, …)");
$stmt->bindParam("bannuser", $bannuser);
$stmt->bindParam("typeban", $_POST["typeban"]);
…
$stmt->execute();
这不是一个完整的代码(特别是,我懒得输入每个插入的参数)而只是我凭记忆做的粗略草图,以帮助您入门。