Need to check if both the EMAIL_ADDRESS and ACTIVATION_CODE exist within a MySql Table, if so return "Code is valid",else "Code is NOT valid".
At present it's always returning code not valid, however I've checked the record in the table and the queried code does exist.
$email = $_POST['email'];
$acticode = $_POST['code'];
$result = mysql_query("SELECT * FROM xActivate WHERE EMAIL_ADDRESS='$email' AND ACTIVATION_CODE='$acticode' LIMIT 1");
if (mysql_fetch_row($result)) {
echo 'Code is valid';
} else {
echo 'Code is NOT valid';
}
解决方案
But this code is not secure:
$email = $_POST['email'];
$acticode = $_POST['code'];
$result = mysql_query("SELECT * FROM xActivate WHERE EMAIL_ADDRESS='$email' AND ACTIVATION_CODE='$acticode' LIMIT 1");
$data = mysql_fetch_row($result);
if (mysql_num_rows($result) > 0) {
echo 'Code is valid';
} else {
echo 'Code is NOT valid';
}
To secure and prevent SQL Injection:
$email = mysql_real_escape_string($_POST['email']);
$acticode = mysql_real_escape_string($_POST['code']);
Please note:
Warning
This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be
used. See also MySQL: choosing an API guide and related FAQ for more
information. Alternatives to this function include:
mysqli_real_escape_string()
PDO::quote()
524
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
