displaying specific records of a user
Guys, please check my code for displaying a record..
<?php
include("db.php");
$username=$_POST['username'];
$email=$_POST['email'];
$query="SELECT * FROM members where username = '$username'";
$result=mysql_query($query);
$num=mysql_numrows($result);
mysql_close();
?> <br /> <p></p>
Welcome back! Your details below: <br /><br />
<table border="1" cellspacing="2" cellpadding="5">
<tr>
<th>First Name</th>
<th>Last Name</th>
<th>User Name</th>
<th>Email</th>
<th>Age</th>
</tr>
<?
$i = 0;
while ($i < $num) {
$firstname=mysql_result($result, $i, 'firstname');
$lastname=mysql_result($result, $i, 'lastname');
$username=mysql_result($result, $i, 'username');
$email=mysql_result($result, $i, 'email');
$age= mysql_result($result, $i, 'age');
?>
<tr>
<td><? echo $firstname ?></td>
<td><? echo $lastname ?></td>
<td><? echo $username ?></td>
<td><? echo $email ?></td>
<td><? echo $age ?></td>
</tr>
<?
$i++;
}
echo "</table>"; ?>
is it correct?
:-(
There's nothing fatally wrong with your code, but there are a few very basic alterations I would make:
<?php
include "db.php";
$username=$_POST['username'];
$email=$_POST['email'];
// added mysql_real_escape_string to prevent sql injection
$query="SELECT * FROM `members` where `username` = '".mysql_real_escape_string($username)."'";
// added an or die clause to check for SQL errors
$result=mysql_query($query)or die(mysql_error());
// use of mysql_fetch_assoc to put user data into associative array
$user = mysql_fetch_assoc($result);
mysql_close();
// mysql_fetch_assoc returns false when no row matched, so stop here
// instead of printing a table of empty cells
if ($user === false) {
    die("No member with that username.");
}
?> <br /> <p></p>
Welcome back! Your details below: <br /><br />
<table border="1" cellspacing="2" cellpadding="5">
<tr>
<th>First Name</th>
<th>Last Name</th>
<th>User Name</th>
<th>Email</th>
<th>Age</th>
</tr>
<?php
// removed unnecessary loop as I'd assume the username will only be in the database once
$firstname= $user['firstname'];
$lastname= $user['lastname'];
$username= $user['username'];
$email= $user['email'];
$age= $user['age'];
// every value is passed through htmlspecialchars below so that data stored
// in the database cannot inject markup into the page
?>
<tr>
<td><?php echo htmlspecialchars($firstname); ?></td>
<td><?php echo htmlspecialchars($lastname); ?></td>
<td><?php echo htmlspecialchars($username); ?></td>
<td><?php echo htmlspecialchars($email); ?></td>
<td><?php echo htmlspecialchars($age); ?></td>
</tr>
</table>
Your code is not correct.
phpcs test.php
FILE: /tmp/test.php
--------------------------------------------------------------------------------
FOUND 4 ERROR(S) AND 1 WARNING(S) AFFECTING 4 LINE(S)
--------------------------------------------------------------------------------
2 | ERROR | Missing file doc comment
3 | ERROR | "include" is a statement, not a function; no parentheses are
| | required
3 | ERROR | File is being unconditionally included; use "require" instead
25 | ERROR | Short PHP opening tag used. Found "<?" Expected "<?php".
29 | WARNING | Inline control structures are discouraged
--------------------------------------------------------------------------------
$username=$_POST['username']; $email=$_POST['email'];
$query="SELECT * FROM members where username = '$username'";
Search stackoverflow for "sql injections" and maybe also for "prepared statements".
<td><? echo $firstname ?></td>
The same way your SQL statement is prone to SQL injection, this line might be the cause of injections into your HTML code. Use <td><?php echo htmlspecialchars($firstname); ?></td> instead.
$email=$_POST['email'];
Why is that in there? You don't use $email again until $email=mysql_result($result, $i, 'email');. My guess is your original query tested for both the username and the email address?
$i = 0;
while ($i < $num) {
mysql_result($result, $i,
i++
...
How many members with the same username can there be in your database table? More than one? If not, why do you use the while loop?
$firstname=mysql_result($result, $i, 'firstname');
$lastname=mysql_result($result, $i, 'lastname');
$username=mysql_result($result, $i, 'username');
$email=mysql_result($result, $i, 'email');
$age= mysql_result($result, $i, 'age');
Instead of five calls to mysql_result(), one call to mysql_fetch_array() would suffice. Speed is probably not an issue here, but again it adds a tiny bit of complexity that seems unnecessary to me, and when you use mysql_fetch_xyz() you only have one variable (an array or an object) to worry about instead of #columns variables.
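Pulling the two points of this answer together (a prepared statement for the query, htmlspecialchars for the output, and no loop because the username is looked up once) into one script that can be run as-is. This is an added example, not code from the question or from any of the answers: it uses PDO with an in-memory SQLite database and a constructed sample row so it runs offline, the members table and its columns are the ones from the question, and the DSN plus the openDb/findMember/h/renderMemberTable names are assumptions. For the MySQL setup in the thread the DSN would be swapped for a mysql: one with a user and password.

```php
<?php
// Added example, not code from the question or the answers.
// PDO + in-memory SQLite so it runs offline; with MySQL the DSN would be
// "mysql:host=localhost;dbname=yourdb;charset=utf8mb4" plus user/password.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE members (firstname TEXT, lastname TEXT, username TEXT UNIQUE, email TEXT, age INTEGER)');
    // Constructed sample row: the apostrophe and the <b> tag are there on purpose,
    // to show that neither breaks the query nor ends up as live markup.
    $ins = $db->prepare('INSERT INTO members VALUES (?, ?, ?, ?, ?)');
    $ins->execute(['Mary <b>Ann</b>', "O'Brien", "o'brien", 'mary@example.com', 34]);
    return $db;
}

// Fetch the single member row for a username, or null when none exists.
// The username is bound as a parameter, so quotes inside it are data, not SQL.
function findMember(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT firstname, lastname, username, email, age FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape a value for an HTML context; ENT_QUOTES also covers attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the same table the question prints, with every cell escaped.
function renderMemberTable(?array $user): string
{
    if ($user === null) {
        return '<p>No member with that username.</p>';
    }
    $html = '<table border="1" cellspacing="2" cellpadding="5">' . "\n"
        . '<tr><th>First Name</th><th>Last Name</th><th>User Name</th><th>Email</th><th>Age</th></tr>' . "\n<tr>";
    foreach (['firstname', 'lastname', 'username', 'email', 'age'] as $col) {
        $html .= '<td>' . h((string) $user[$col]) . '</td>';
    }
    return $html . "</tr>\n</table>";
}

$db = openDb();
// Stand-ins for $_POST['username']: a legitimate value containing a quote
// (which the string-concatenated query in the question would choke on)
// and a username that is not in the table.
foreach (["o'brien", 'nobody'] as $input) {
    echo "username=$input\n", renderMemberTable(findMember($db, $input)), "\n\n";
}
```

The first lookup prints the row with the first name shown literally as Mary &lt;b&gt;Ann&lt;/b&gt; in the source, i.e. as text rather than bold markup; the second prints the "no member" paragraph instead of a row of empty cells, which is what mysql_fetch_assoc returning false would otherwise produce.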