無法從sql數據庫中得到結果

Question

我對PHP很陌生，我正嘗試創建一個登錄系統。這裏是我的代碼

<?php 

    $con=mysqli_connect("XXXXXXX","XXXXXXXX","XXXXXXXXX","XXXXXXXXXX"); 

    if (!$con) 
     { 
     echo "failed to connect"; 
     } 

    $username = $_POST['username']; 
    $password = $_POST['password']; 

    $sql = "SELECT userID FROM users WHERE username = $username and password =   $password;"; 

    if (!$sql) { 
     echo 'query invalid'.mysql_error(); 
     } 

    $result = mysql_query($sql); 

    echo "$result"; 

    $row = mysqli_fetch_array($sql, MYSQLI_ASSOC); 

    $active = $row['active']; 

    $count = mysqli_num_rows($result); 

    mysql_close($con); 

?> 

我確信連接沒有問題。但是我的結果沒有顯示出來，並且沒有錯誤信息。以前我有一個IF語句，如果結果回來，它會執行進一步的操作。由於我試圖弄清楚發生了什麼，我只是刪除了這部分。有人請幫忙。非常感謝

Answer 1

你錯過了周圍的變量單引號，也是你使用MySQL與mysqli的混合，這是行不通的。

$sql = "SELECT userID FROM users WHERE username = '$username' and password = '$password';"; 
$result = mysqli_query($con, $sql); 

$row = mysqli_fetch_assoc($sql); // same as fetch_array with MYSQLI_ASSOC 

$active = $row['active']; 

$count = mysqli_num_rows($result); 

你沒有在最後需要mysql_close，但如果你想使用它，它是mysqli_close($con); 請記住，這是不安全的。

使用此功能來過濾用戶輸入：

$username = mysqli_real_escape_string($con, $_POST['username']); 
$password = mysqli_real_escape_string($con, $_POST['password']); 

Read this，以確保您的代碼都遵循安全標準。

Answer 2

我推薦這個。

$sql = "SELECT userID FROM users 
WHERE username = " ._sql($username) ." and password = " ._sql($password); 

// generate sql safe string function 

function _sql($txt) { 
    if ($txt === null || $txt === "") 
     return "NULL"; 
    if (substr($txt, 0, 2) == "##") 
     return substr($txt, 2); 
    //$txt = str_replace("'", "''", $txt); 
    $txt = mysql_real_escape_string($txt); 
    return "'" . $txt . "'"; 
}