Mysql_fetch_assoc 无法正常运行[关闭]

Question

无论如何，我都无法弄清楚我的代码中出现此错误的原因：

mysql_fetch_assoc(): 提供的参数不是有效的 MySQL 结果资源

这是我的 PHP 代码：

<?php

$session_id = $_SESSION['id'];

$getall = mysql_query("SELECT * FROM users WHERE id='' . $dbuser_id . ''");
$row = mysql_fetch_assoc($getall);

$fullnameDB         = $row['name'];
$emailDB            = $row['email'];
$usernameDB         = $row['username'];

$fullname           = strip_tags($_POST['fullname']);
$username           = strip_tags($_POST['username']);
$email              = strip_tags($_POST['email']);


if ($_POST['submit']) {

    $namecheck = mysql_query("SELECT username FROM users WHERE username='' . $username . ''");

    $count = mysql_num_rows($namecheck);

    if ($count !=0) {

        echo 'That username is already taken!';

    } else {

        mysql_query("UPDATE users SET username=' . $username . ' WHERE id='' . $dbuser_id . ''");

        echo 'Your UN has been updated';

    }

}                        

?>

Answer 1

"SELECT username FROM users WHERE username='" . $username . "'"

不是

"SELECT username FROM users WHERE username='' . $username . ''"

但请考虑使用 mysqli 或 pdo 切换到参数化语句

Answer 2

这是您的代码的改进版本：

<?php

$session_id = $_SESSION['id'];

$getall = mysql_query("SELECT * FROM users WHERE id='" . $dbuser_id . "'");
$row = mysql_fetch_assoc($getall);

$fullnameDB         = $row['name'];
$emailDB            = $row['email'];
$usernameDB         = $row['username'];

$fullname           = mysql_real_escape_string($_POST['fullname']);
$username           = mysql_real_escape_string($_POST['username']);
$email              = mysql_real_escape_string($_POST['email']);


if ($_POST['submit']) {

    $namecheck = mysql_query("SELECT username FROM users WHERE username='" . $username . "'");

    $count = mysql_num_rows($namecheck);

    if ($count !=0) {

        echo 'That username is already taken!';

    } else {

        mysql_query("UPDATE users SET username='" . $username . "' WHERE id='" . $dbuser_id . "'");

        echo 'Your UN has been updated';

    }

}                        

?>

你做错了，在你的查询中，你用双引号（“）开始它，但你试图在中途结束它，用单引号（'）连接你的用户名，所以它不起作用。我也帮助清理您的输入，使其不易受到 SQL 注入的影响（如果不安全）。

编辑：正如其他用户所提到的，认真考虑切换到准备好的语句。

Answer 3

您的代码中有错误，它容易受到SQL Injection attacks 的攻击。

使用此代码：

<?php
try {
    $session_id = session_id();
    $conn = mysqli_connect('localhost', 'any_user_other_than_root', 'secure_password', 'database');
    if(!$conn) throw new Exception('Could not connect to the database.');
    $dbuser_id = mysqli_real_escape_string($dbuser_id);
    $query = "SELECT * FROM users WHERE id='$dbuser_id'";
    $getall = mysqli_query($conn, $query);
    if(!$getall) throw new Exception('Database query failed!');
    $row = mysqli_fetch_assoc($getall);
    $fullname_db = $row['name'];
    $email_db = $row['email'];
    $username_db = $row['username'];
    $fullname = mysqli_real_escape_string($_POST['fullname']);
    $username = mysqli_real_escape_string($_POST['username']);
    $email = mysqli_real_escape_string($_POST['email']);
    if(isset($_POST['submit'])) {
        $namecheck = mysqli_query($conn, "SELECT username FROM users WHERE username='$username'");
        if(!$namecheck) throw new Exception('Name check failed!');
        $count = mysqli_num_rows($namecheck);
        if($count > 0) {
            echo 'That username is already taken!';
        } else {
            $result = mysqli_query($conn, "UPDATE users SET username='$username' WHERE id='$dbuser_id'");
            if(!$result) throw new Exception('Could not update your UN.');
            echo 'Your UN has been updated';
        }
    }
} catch(Exception $e) {
    echo 'Error: ' . $e->getMessage();
}
?>