在使用php插入sql之前检查记录

Question

我正在使用 INSERT 语句添加记录。现在我想检查电子邮件是否已经注册或是否已经存在于记录中。如果它已经存在，则给出一个错误，否则插入一条新记录。这就是我的做法...但是选择查询是没有运行...并且仍然在不检查的情况下添加记录。请检查我的代码并提出解决方案。谢谢 :) 这是我的代码

 manage-users.php
<?php include("../includes/config.php"); ?>
<?php
if ($_SESSION["isadmin"])
{
?>
<!DOCTYPE HTML>
<html>
<head>
<?php include("includes/pre-header.php");?>


<title>Admdin Home</title>
</head>
<body>
<div class="container">
<?php include("includes/header.php"); ?>
<?php include("includes/nav.php"); ?>
<div id="maincontent">

<div class="span-24 last">
<div id="breadcrumbs">
    <a href="">Home</a> >
    <a href="">Manage Users</a> >
    Add New
</div>
</div>
<?php include("includes/manage-users-aside.php"); ?>
<div class="span-18 last">
<h2 class="alt">Add New</h2>
<?php
if (isset($_GET["status"]))
{
if($_GET["status"]==1)
{
?>
<div class="success">
<?php
echo("<strong>User Has Been Added Successfully!</strong>");
?>
</div>
<?php
}
 if($_GET["status"]==2)
{
?>
<div class="success">
<?php
 echo("<strong>User Has Been Edited Successfully!</strong>");
?>
</div>
<?php
}
} 
 if($_GET["status"]==3)
{
echo ("<strong>This Account Already Exixts!. Please add a New One!</strong>");
}
?>
<form method="post" id="form" action="manage-users-action.php">
<label for="email">Email/Username:</label><input id="email" type="text" name="email" value="" class="text" /><br /><br />
<label for="password">Password:</label><input id="password" type="password" name="password"  value="" class="text" /><br /><br />
<label for="firstname">First Name:</label><input id="firstname" type="text" name="firstname" value="" class="text" /><br /><br />
<label for="lastname">Last Name:</label><input id="lastname" type="text" name="lastname"    value="" class="text" /><br /><br />
<label>Type:</label><br />
<input type="radio" name="type" value="S" />Student <br /> <br />
<input type="radio" name="type" value="T" />Teacher<br /><br />
<input type="submit" name="submit"  value="Submit" class="button" />
</form>
</div>
</div>

<?php include("includes/footer.php"); ?>
</div>
</body>

</html>
<?php
}
else
{
    header("Location: ".$fullpath."login/unauthorized.php");

 }
?>

这是manage-users-action.php

<?php include("../includes/config.php");?>
<?php
$fname=$_POST['firstname'];
$lname=$_POST['lastname'];
$type=$_POST['type'];
$email=$_POST['email'];
$pwd=$_POST['password'];
$recoverykey=md5(time());
$encpwd=md5($pwd);
$con=mysql_connect($dbserver,$dbusername,$dbpassword);
if (!$con) { die('Could not connect: ' . mysql_error()); }
mysql_select_db($dbname, $con);

$result= mysql_query("SELECT FROM accounts WHERE (email='".$email."')");
if(!$result){
$sql=("INSERT INTO accounts VALUES   (NULL,'".$email."','".$encpwd."','".$fname."','".$lname."','".$type."','".$recoverykey."')"    );
}
else
{
 header("Location: manage-uesrs.php?status=3");
}
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
else
    {
        header("Location:manage-users.php?status=1");
    }

mysql_close($con);
?>

Answer 1

代替

if (!$result) {

试试

if ( mysql_num_rows($result) == 0 )

您的查询总是会返回一个结果 - 即使数据库中没有记录 - 这就是为什么您的条件从未奏效。

Answer 2

您实际上在流程中有几个错误。 Zolthan 是对的，但是您仍然会在数据库中得到两个条目，因为您的代码将在“标题”之后继续执行。在“标头位置”调用之后总是exit();。

您还需要验证/确保您的数据安全（否则 $retval 将是错误的，并且如果您完全按照 Zoltan 操作，它会出错。）

解决问题：

// Validate you have an valid email
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
     header("Location: manage-uesrs.php?status=ErrorInSQL");    // Note: location should take a full URL. This works in all browsers I know of, but is not strictly correct.
     exit();  // Critical - otherwise you script will continue to run.
}

// Than sanatize your data. Use PDO or mysql; for for now I'll use your code
$email = mysql_real_escape_string($email);
// Repeat for the other fields

$result= mysql_query("SELECT FROM accounts WHERE (email='".$email."')"); 
if (!$result) { 
     header("Location: manage-uesrs.php?status=ErrorInSQL");    // Note: location should take a full URL. This works in all browsers I know of, but is not strictly correct.
     exit();  // Critical - otherwise you script will continue to run.
} else (mysql_num_rows($result) > 0 )  
     header("Location: manage-uesrs.php?status=NotUniqueURL");
     exit();  // Critical - again.
}

// As we're here, we can now do thq SQL as you have
// Remmber mysql_real_escape_string on all variables (or use PDO / mysqli prepared statements)
$sql=("INSERT INTO accounts VALUES   (NULL,'".$email."','".$encpwd."','".$fname."','".$lname."','".$type."','".$recoverykey."')"    ); 
if (mysql_query($sql,$con)) {
    header("Location:manage-users.php?status=1"); 
    exit();   // ;)
} else {
    header("Location: manage-uesrs.php?status=ErrorInSQL");
    exit();   // ;)
}

但是，正如 xQbert 所建议的，您最好的方法是在一个查询中。

在“电子邮件”字段的数据库中创建一个“唯一”索引。

// Validate you have an valid email
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
     header("Location: manage-uesrs.php?status=ErrorInSQL");    // Note: location should take a full URL. This works in all browsers I know of, but is not strictly correct.
     exit();  // Critical - otherwise you script will continue to run.
}

// Than sanatize your data. Use PDO or mysql; for for now I'll use your code
$email = mysql_real_escape_string($email);
// Repeat for the other fields

// Dive traight into the SQL
// Remmber mysql_real_escape_string on all variables (or use PDO / mysqli prepared statements)
$sql=("INSERT INTO accounts VALUES   (NULL,'".$email."','".$encpwd."','".$fname."','".$lname."','".$type."','".$recoverykey."')"    ); 
if (mysql_query($sql,$con)) {
    header("Location:manage-users.php?status=1"); 
    exit();   // ;)
} else {
    // This could error because it is in use, or you have error in your sql. So debug with mysql_error() initially to get your SQL correct, then when you're sure that is right, assume any error is duplicate e-mail. You could alsocheck with with mysql error codes to be extra safe.  
    header("Location: manage-uesrs.php?status=AlreadyInUse");
    exit();   // ;)
}