It would be easier if you just did a quick true/false check in SQL and checked the returned flags.
$error = array();
// Each subselect yields 1 when a matching row exists and NULL otherwise;
// the aliases are required so the flags can be read by field name below.
$sql = "SELECT "
    . "(SELECT 1 FROM `users` WHERE `username` = '" . mysql_real_escape_string($username) . "') AS `username`, "
    . "(SELECT 1 FROM `users` WHERE `email` = '" . mysql_real_escape_string($email) . "') AS `email`";
$query = mysql_query($sql);
if ($query && mysql_num_rows($query) > 0) {
    $foundFlags = mysql_fetch_assoc($query);
    if ($foundFlags['username']) {
        $error[] = "username is existing";
    }
    if ($foundFlags['email']) {
        $error[] = "email is existing";
    }
} else {
    // General error as the query should always return
}
When it doesn't find an entry, the flag comes back as NULL, which evaluates to false, so the if condition works fine.
Note that you can generalize it to a list of fields like this:
$error = array();
// Column name => submitted value; the column names are developer-controlled
$fieldMatch = array('username' => $username, 'email' => $email);
$sqlParts = array();
foreach ($fieldMatch as $cFieldName => $cFieldValue) {
    // Alias each flag with its field name so the result row can be walked by name
    $sqlParts[] = "(SELECT 1 FROM `users` WHERE `" . $cFieldName . "` = '"
        . mysql_real_escape_string($cFieldValue) . "') AS `" . $cFieldName . "`";
}
$sql = "SELECT " . implode(", ", $sqlParts);
$query = mysql_query($sql);
if ($query && mysql_num_rows($query) > 0) {
    $foundFlags = mysql_fetch_assoc($query);
    foreach ($foundFlags as $cFieldName => $cFlag) {
        if ($cFlag) {
            $error[] = $cFieldName . " is existing";
        }
    }
} else {
    // General error as the query should always return
}
NB. Note that this assumes all fields are strings or other string-escaped types (e.g. date/time).
I smell "SQL injection" – 2010-11-30 18:34:47
Not at all, because I have: $username = mysql_real_escape_string($_POST['username']); and the same for email – Jake 2010-11-30 18:38:46
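The same one-flag-per-field existence check, written as an added example (not code from the answer above or from its author) with PDO prepared statements, so the values are bound rather than escaped and concatenated, and the NB about string-escaped types no longer applies. It assumes a PDO connection to a MySQL database with a `users` table holding `username` and `email` columns; the connection details are placeholders.

```php
<?php
// Added example: flag-per-field existence check using bound parameters.
// Assumes a `users` table with `username` and `email` columns (hypothetical schema).

/**
 * Returns one "<field> is existing" message per field whose value already
 * occurs in `users`. $fieldMatch maps column name => submitted value.
 */
function findExistingFields(PDO $db, array $fieldMatch): array
{
    // Identifiers cannot be bound as parameters, so column names are checked
    // against a fixed whitelist instead of being interpolated from input.
    $allowedColumns = ['username', 'email'];

    $sqlParts = [];
    $params   = [];
    foreach ($fieldMatch as $fieldName => $fieldValue) {
        if (!in_array($fieldName, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unknown column: $fieldName");
        }
        // EXISTS() yields 0 or 1 instead of NULL/1, so every flag is defined.
        $sqlParts[] = "EXISTS(SELECT 1 FROM `users` WHERE `$fieldName` = :$fieldName) AS `$fieldName`";
        $params[":$fieldName"] = $fieldValue; // value is bound, never concatenated
    }

    $stmt = $db->prepare('SELECT ' . implode(', ', $sqlParts));
    $stmt->execute($params);
    $foundFlags = $stmt->fetch(PDO::FETCH_ASSOC);

    $errors = [];
    foreach ($foundFlags as $fieldName => $flag) {
        if ((int) $flag === 1) {
            $errors[] = $fieldName . ' is existing';
        }
    }
    return $errors;
}

// Usage (placeholder DSN and credentials):
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);
$errors = findExistingFields($db, [
    'username' => $_POST['username'] ?? '',
    'email'    => $_POST['email'] ?? '',
]);
```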