PHP 7.1对用户检查的查询给出了一个警告:在E:\XAMPP\htdocs中遇到的非数字值。

时间:2022-04-30 09:58:29

I'm facing a weird problem, I'm trying to implement a simple Usercheck with PHP 7.1.

我遇到了一个奇怪的问题,我正在尝试用PHP 7.1实现一个简单的Usercheck。

$con = getConnection();
        //check connection
        if(!$con){
            die("Connection to database failed".  mysql_connect_error() );
        } else echo ("connection to database successfull");


        //checking if nickname already exists
        $checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname+ "'";
        //sending query to sql database
        $doesExist = mysqli_query($con, $checkUserExistanceSql)
            or die ("Fehler in der Datenbankabfrage");

        if(mysqli_num_rows($doesExist)>=1){

            echo "Nickname not available, use another name";

        }

But I'm getting this warning

但我得到了警告。

Warning: A non-numeric value encountered in E:\XAMPP\htdocs... Line 29 Line 29 is the $checkUserExistanceSql. Any ideas where the problem is?

警告:在E:\XAMPP\htdocs中遇到的非数字值…第29行第29行是$checkUserExistanceSql。有什么问题吗?

2 个解决方案

#1


2  

String concatenation on PHP uses . (dot) as operator, not + (plus).

PHP使用的字符串连接。(点)作为运算符,而不是+ (+)

You actual code uses +:

实际代码使用+:

$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname+ "'";

This is why PHP is telling that $nickname isn't a numeric variable. It cannot sum strings, only concatenate.

这就是为什么PHP说$昵称不是一个数字变量。它不能求和字符串,只能连接。

Change your operator to . and it will work:

把你的操作符改成。它会工作:

$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" . $nickname . "'";

You can also use this syntax, with the same result but cleaner code:

您还可以使用此语法,其结果相同,但代码更简洁:

$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='{$nickname}'";

Security Alert

You code is sucessive to SQL injection. You should use prepared statements instead of concatenating your variables into the Query.

您的代码是对SQL注入的支持。您应该使用准备好的语句,而不是将变量连接到查询中。

#2


1  

Thanks to the help of Yolo and Elias Soares. The script runs flawless now, I also used prepared statement to counter the risk of sql injection as mentiones by elias.

感谢Yolo和Elias Soares的帮助。脚本现在运行完美,我还使用了准备好的语句来对抗elias的sql注入的风险。

$con = getConnection();
        //check connection
        if(!$con){
            die("Connection to database failed".  mysql_connect_error() );
        } else echo ("connection to database successfull");



        //prepared statement for sql query
        $stmt = $con -> prepare("SELECT nickname FROM user WHERE (nickname=?)");
        $stmt -> bind_param("s", $nickname);
      
        $stmt->execute();

        //checkking result, if nickname is already used
        if($stmt->get_result()){
            echo "0";
        } else {
            //insert user
        }

#1


2  

String concatenation on PHP uses . (dot) as operator, not + (plus).

PHP使用的字符串连接。(点)作为运算符,而不是+ (+)

You actual code uses +:

实际代码使用+:

$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname+ "'";

This is why PHP is telling that $nickname isn't a numeric variable. It cannot sum strings, only concatenate.

这就是为什么PHP说$昵称不是一个数字变量。它不能求和字符串,只能连接。

Change your operator to . and it will work:

把你的操作符改成。它会工作:

$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" . $nickname . "'";

You can also use this syntax, with the same result but cleaner code:

您还可以使用此语法,其结果相同,但代码更简洁:

$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='{$nickname}'";

Security Alert

You code is sucessive to SQL injection. You should use prepared statements instead of concatenating your variables into the Query.

您的代码是对SQL注入的支持。您应该使用准备好的语句,而不是将变量连接到查询中。

#2


1  

Thanks to the help of Yolo and Elias Soares. The script runs flawless now, I also used prepared statement to counter the risk of sql injection as mentiones by elias.

感谢Yolo和Elias Soares的帮助。脚本现在运行完美,我还使用了准备好的语句来对抗elias的sql注入的风险。

$con = getConnection();
        //check connection
        if(!$con){
            die("Connection to database failed".  mysql_connect_error() );
        } else echo ("connection to database successfull");



        //prepared statement for sql query
        $stmt = $con -> prepare("SELECT nickname FROM user WHERE (nickname=?)");
        $stmt -> bind_param("s", $nickname);
      
        $stmt->execute();

        //checkking result, if nickname is already used
        if($stmt->get_result()){
            echo "0";
        } else {
            //insert user
        }