dsdvr06648 2016-08-31 10:14
Views 107

SQL query with an email address in PHP

I have a little query, which is displaying a text if the server query_string exists in the database. It works with all sorts of text and figures in mysql, instead of email addresses. For example if the url looks like "example.com/query.php?test" it works. If there is an email like "example.com/query.php?test@gmail.com" it doesn't work. My DB table type is varchar(100).

Any idea?

    <?php
    // Raw query string, e.g. "test@gmail.com" for query.php?test@gmail.com
    $subscriber_email = $_SERVER['QUERY_STRING'];

    mysql_connect("server", "user", "pswd") or die(mysql_error());
    mysql_select_db("newsletter") or die(mysql_error());

    // Note: the address is hard-coded here; $subscriber_email is never used in the query
    $sql = "SELECT * FROM `newsletter submit` WHERE ID='test@gmail.com'";
    $query = mysql_query($sql);

    echo mysql_error();
    echo (mysql_num_rows($query) == 0) ? 'NO' : 'YES';
    ?>

2 answers

  • douyannuo7733 2016-08-31 10:22

    You should escape your inputs :

    // Escape after mysql_connect(): mysql_real_escape_string() uses the connection's
    // character set, which the older mysql_escape_string() does not
    $subscriber_email = mysql_real_escape_string($_SERVER['QUERY_STRING']);

    Using a non escaped string causes an error that prevents your query to be executed.

    Additionally, you should consider using mysqli, mysql functions being deprecated.

    UPDATE : I was a bit too fast and forgot to mention, you should put quotes on each side of your parameter :

    // Quoting the value makes it a string literal; unquoted, MySQL parses test@gmail.com as
    // an identifier followed by a user variable and fails
    $sql = "SELECT * FROM `newsletter submit` WHERE ID='$subscriber_email'";
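For comparison, here is the same lookup written with mysqli and a prepared statement, the approach the answer points toward. This is an added example, not code from the question or the answer; it assumes the question's table `newsletter submit` with a varchar ID column, and the connection details are placeholders.

```php
<?php
// Added example (not from the question or the answer): the lookup done with mysqli
// and a prepared statement, so the address is never spliced into the SQL text.
// Assumptions: table `newsletter submit` with a varchar(100) column ID (as in the
// question); "server", "user", "pswd" and "newsletter" are placeholder credentials.

function subscriberExists(mysqli $db, string $email): bool
{
    // The raw query string is untrusted input: reject anything that is not a
    // syntactically valid address before it reaches the database.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // The '?' placeholder is bound separately from the SQL, so '@', quotes or
    // comment sequences in the value cannot change the meaning of the query.
    // This also makes the missing-quotes problem from the question impossible.
    $stmt = $db->prepare('SELECT 1 FROM `newsletter submit` WHERE ID = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();

    return $found;
}

// Turn mysqli errors into exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('server', 'user', 'pswd', 'newsletter');
$db->set_charset('utf8mb4');

// The question passes the address as the whole query string
// (query.php?test@gmail.com), so read and decode it the same way.
$email = rawurldecode($_SERVER['QUERY_STRING'] ?? '');

echo subscriberExists($db, $email) ? 'YES' : 'NO';
```

Because the value is bound rather than interpolated, no escaping call is needed, and a prepared statement failure surfaces as an exception rather than a confusing `mysql_num_rows()` warning.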
