Your isUsernameAvailable function will return NULL (equals to FALSE) when the query fails. This will trigger the The username is already taken! message.
Looks like your SQL query always fails, which I think is no wonder because you blindly apply quotes onto it.
After running a SQL query, you must more properly deal with the case that the query failed, e.g. display that an internal SQL error occured and log it, so you can look into the log and locate the cause of the error.
Additionally, you should use the PDO more properly, specifically when you want to prevent SQL injection (which you must care about). See Best way to stop SQL Injection in PHP.
$sql = "SELECT COUNT(*) FROM users WHERE username = '$username'";
$sql = $this->db->quote($sql);
您正在引用整个查询,这没有任何意义,并且从安全角度来看是完全危险的 - 并且可能会导致无效的查询。
这是更正确的代码:
// return TRUE if user is available
public function isUsernameAvailable($username) {
$sql = "SELECT id FROM users WHERE username = :username";
$stmt = $this->db->prepare($sql);
$stmt->execute(array(':username' => $username));
return $stmt->fetch() === FALSE;
}
if (!$user->isUsernameAvailable($_POST['username'])) {
echo 'The username is already taken!';
$error = 1;
}
$sql = "SELECT COUNT(*) FROM users WHERE username = '$username'";
$sql = $this->db->quote($sql);
You are quoting the whole query, this does not make any sense and is outright dangerous from a security standpoint – and probably results in an invalid query anyway.
Here's a more proper code:
// return TRUE if user is available
public function isUsernameAvailable($username) {
$sql = "SELECT id FROM users WHERE username = :username";
$stmt = $this->db->prepare($sql);
$stmt->execute(array(':username' => $username));
return $stmt->fetch() === FALSE;
}
if (!$user->isUsernameAvailable($_POST['username'])) {
echo 'The username is already taken!';
$error = 1;
}
发布评论
评论(6)
select count(*)...将始终返回一条记录,即使没有任何匹配,因此,您可以尝试以下操作:
Between,检查任何记录返回的正确方法应该使用 rowCount
如其余部分所示:-
select count(*)...will ALWAYS return a record, even nothing is matchedso, you can try this :
between, a proper method to check any record return should be using rowCount
as indicate by the rest :-
当查询失败时,您的
isUsernameAvailable函数将返回NULL(等于FALSE)。这将触发用户名已被占用!消息。看起来你的 SQL 查询总是失败,我认为这并不奇怪,因为你盲目地在它上面应用引号。
运行SQL查询后,您必须更妥善地处理查询失败的情况,例如显示发生了内部SQL错误并记录下来,以便您可以查看日志并定位错误原因。
此外,您应该更正确地使用 PDO,特别是当您想要防止 SQL 注入时(您必须关心这一点)。请参阅在 PHP 中停止 SQL 注入的最佳方法。
Your
isUsernameAvailablefunction will returnNULL(equals toFALSE) when the query fails. This will trigger theThe username is already taken!message.Looks like your SQL query always fails, which I think is no wonder because you blindly apply quotes onto it.
After running a SQL query, you must more properly deal with the case that the query failed, e.g. display that an internal SQL error occured and log it, so you can look into the log and locate the cause of the error.
Additionally, you should use the PDO more properly, specifically when you want to prevent SQL injection (which you must care about). See Best way to stop SQL Injection in PHP.
使用 rowCount() 而不是 fetchColumn()
Use rowCount() instead of fetchColumn()
如果没有列,则 fetchColumn 返回 false,另请参阅 ajreal 答案。
fetchColumn returns false if there is no column and also see ajreal answer.
您可以尝试使用以下代码吗?
Can you try using the following code?
您正在引用整个查询,这没有任何意义,并且从安全角度来看是完全危险的 - 并且可能会导致无效的查询。
这是更正确的代码:
You are quoting the whole query, this does not make any sense and is outright dangerous from a security standpoint – and probably results in an invalid query anyway.
Here's a more proper code: