dsux90368 2016-06-17 12:11
浏览 58
已采纳

当只有字母输入到输入文本字段[duplicate]时,Mysql_num_rows要求参数1为mysqli_result

Whenever I type only letters into the html username text input field on my login form, it comes up with the error:

mysqli_num_rows() expects parameter 1 to be mysqli_result...

Even if the username exists in the database.

However, it works fine when I type only numbers into the input field.

Here is my PHP file:

<?php

//start a session
//unset session variables, expire session cookie, destroy session
//start a new session
session_start();
$_SESSION = array();
setcookie('PHPSESSID', '', time() + 1);
session_destroy();
session_start();

//require template_functions.php file
//call function that renders layout with content file: home.php
require $_SERVER['DOCUMENT_ROOT'] . 
'/practice2/resources/library/template_functions.php';
layout('/practice2/public_html/php/home.php');

//if 'login' btn clicked
if (isset($_POST['login'])) {

    //assign variable to user's typed username
    $name = mysqli_real_escape_string($link, $_POST['name']);

    //assign variable to user's typed pw
    $pw = mysqli_real_escape_string($link, $_POST['pw']);

    //if user typed name
    if ($name){

        //number of matches to user's name
        $result = mysqli_num_rows( 
        mysqli_query($link, 'SELECT * FROM user WHERE name = ' .$name));
        echo $result;

            //if name doesn't match 
            if ($result == 0) {

                echo 'The username that you\'ve entered doesn\'t match any account.';

                //if name matches
                } else if ($result == 1) {

                    //if user typed pw
                    if ($pw) {

                    //number of matches to user's pw
                    $result = mysqli_num_rows(
                    mysqli_query($link, 'SELECT * FROM user WHERE pw =' .$pw));

                        //if pw doesn't match 
                        if ($result == 0) {

                        echo 'The password that you\'ve entered is     incorrect. Forgetten password?';

                        //if pw match 
                        } else 

                        //assign session variables 
                        //$_SESSION['loggedin'] = true;
                        //$_SESSION['name'] = $name;
                        echo 'signed in';

                    } else echo '<br> Log in as ' .$name. '. Not you?';
                }

        } 


} 

?>

Here is my HTML file that submits to the PHP file:

<html>

<body>
 <form action = '/practice2/public_html/php/index.php' method = 'POST'>
   <input type = 'text' placeholder = 'Username' name = 'name'>
   <input type = 'password' placeholder = 'Password' name = 'pw'>
   <input type = 'submit' value = 'Log In' name = 'login'>
 </form>
</body>

</html>

</div>
  • 写回答

2条回答 默认 最新

  • douchun6221 2016-06-17 12:18
    关注

    SQL will let you search numbers without quotes around them, but not text.

    SELECT * FROM user WHERE name = 1234 is fine.

    SELECT * FROM user WHERE name = fred is not.

    If you surround your searched parameters with quotes, you should be better off.

    i.e. mysqli_query($link, 'SELECT * FROM user WHERE name = "' . $name . '"'));

    Please be aware that whilst you are escaping your parameters to prevent SQL injection using mysqli_real_escape_string(), I recommend also taking a look at a tutorial on Prepared Statements in PHP

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 机器学习能否像多层线性模型一样处理嵌套数据
  • ¥20 西门子S7-Graph,S7-300,梯形图
  • ¥50 用易语言http 访问不了网页
  • ¥50 safari浏览器fetch提交数据后数据丢失问题
  • ¥15 matlab不知道怎么改,求解答!!
  • ¥15 永磁直线电机的电流环pi调不出来
  • ¥15 用stata实现聚类的代码
  • ¥15 请问paddlehub能支持移动端开发吗?在Android studio上该如何部署?
  • ¥20 docker里部署springboot项目,访问不到扬声器
  • ¥15 netty整合springboot之后自动重连失效