我正在创建一个预订系统,客户将在其中填写预订表格(地点、教室、时间和日期)。
我的问题是关于在将记录插入数据库之前检查输入的记录。意思是如果位置、教室、时间和日期已经插入/获取/保留在数据库中,那么系统将提示“位置、日期和时间已保留”之类的消息,否则将插入数据库中。我运行这段代码,但它仍然记录相同的位置、教室、日期、时间。这段代码有问题吗?
$res_location = isset($_POST['res_location']) ;
$res_classroom = isset($_POST['res_classroom']) ;
$res_inclusive_date = isset($_POST['res_inclusive_date']);
$res_inclusive_time_start = isset($_POST['res_inclusive_time_start']) ;
// Build the query
$query = sprintf("SELECT Location_Faculty FROM tbl_reservation WHERE Location_Faculty=%s AND Classroom=%s AND Inclusive_Date=%s AND Inclusive_Time=%s ",
GetSQLValueString($res_location, "text"),
GetSQLValueString($res_classroom, "text"),
GetSQLValueString($res_inclusive_date, "date"),
GetSQLValueString($res_inclusive_time_start, "date"));
$result = mysql_query($query) or die(mysql_error() . '<hr />' . $query);
$num_rows = mysql_num_rows($result);
if( $num_rows >= 1){
// then the record already exists
echo "Duplicate entry";
}
else{
//insert query
}
由于“GetSQLValueString”函数,它可以免于 SQL 注入(inject)。
最佳答案
在将数据插入数据库以检查预订之前,您需要运行查询。
也许是这样的
// This function helps you escape the data before you use them in database
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
// prep you data properly. You can use the GetSQLValueString() function to
// escape the inputs, just set it to the required type.
// if some $_POST value is not set, then you can set a default one here
$res_location = isset($_POST['res_location']) ? GetSQLValueString($_POST['res_location'], 'text') : ' set a defaule value here';
$res_classroom = isset($_POST['res_classroom']) ? GetSQLValueString($_POST['res_classroom'], 'text') : ' set a defaule value here';
$res_inclusive_date = isset($_POST['res_inclusive_date']) ? GetSQLValueString($_POST['res_location'], 'date') : ' set a defaule value here';
$res_inclusive_time_start = isset($_POST['res_inclusive_time_start']) ? GetSQLValueString($_POST['res_inclusive_time_start'], 'text') : ' set a defaule value here';
// Build the query
$query = "SELECT * FROM `tbl_reservation` WHERE `Location_Faculty` = '{$res_location}' AND `Classroom` = '{$res_classroom}' AND `Inclusive_Date` = '{$res_inclusive_date}' AND `Inclusive_Time` = '{$res_inclusive_time_start}' ";
$result = mysql_query($query) or die(mysql_error() . '<hr />' . $query);
if(mysql_num_rows($result) > 0){
// then the record already exists
echo "Duplicate entry";
} else {
// save to database
}
请注意,它对 sql 注入(inject)很有值(value),因此您必须转义输入,并尝试使用 mysqli 或 pdo 而不是旧的 mysql 函数
关于php - 在插入数据库之前检查MySQL中的记录,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28136701/