I'm facing a weird problem, I'm trying to implement a simple Usercheck with PHP 7.1.
我遇到了一个奇怪的问题,我正在尝试用PHP 7.1实现一个简单的Usercheck。
$con = getConnection();
//check connection
if(!$con){
die("Connection to database failed". mysql_connect_error() );
} else echo ("connection to database successfull");
//checking if nickname already exists
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname+ "'";
//sending query to sql database
$doesExist = mysqli_query($con, $checkUserExistanceSql)
or die ("Fehler in der Datenbankabfrage");
if(mysqli_num_rows($doesExist)>=1){
echo "Nickname not available, use another name";
}But I'm getting this warning
但我得到了警告。
Warning: A non-numeric value encountered in E:\XAMPP\htdocs... Line 29 Line 29 is the $checkUserExistanceSql. Any ideas where the problem is?
警告:在E:\XAMPP\htdocs中遇到的非数字值…第29行第29行是$checkUserExistanceSql。有什么问题吗?
2 个解决方案
#1
2
String concatenation on PHP uses . (dot) as operator, not + (plus).
PHP使用的字符串连接。(点)作为运算符,而不是+ (+)
You actual code uses +:
实际代码使用+:
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname+ "'";
This is why PHP is telling that $nickname isn't a numeric variable. It cannot sum strings, only concatenate.
这就是为什么PHP说$昵称不是一个数字变量。它不能求和字符串,只能连接。
Change your operator to . and it will work:
把你的操作符改成。它会工作:
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" . $nickname . "'";
You can also use this syntax, with the same result but cleaner code:
您还可以使用此语法,其结果相同,但代码更简洁:
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='{$nickname}'";
Security Alert
You code is sucessive to SQL injection. You should use prepared statements instead of concatenating your variables into the Query.
您的代码是对SQL注入的支持。您应该使用准备好的语句,而不是将变量连接到查询中。
#2
1
Thanks to the help of Yolo and Elias Soares. The script runs flawless now, I also used prepared statement to counter the risk of sql injection as mentiones by elias.
感谢Yolo和Elias Soares的帮助。脚本现在运行完美,我还使用了准备好的语句来对抗elias的sql注入的风险。
$con = getConnection();
//check connection
if(!$con){
die("Connection to database failed". mysql_connect_error() );
} else echo ("connection to database successfull");
//prepared statement for sql query
$stmt = $con -> prepare("SELECT nickname FROM user WHERE (nickname=?)");
$stmt -> bind_param("s", $nickname);
$stmt->execute();
//checkking result, if nickname is already used
if($stmt->get_result()){
echo "0";
} else {
//insert user
}#1
2
String concatenation on PHP uses . (dot) as operator, not + (plus).
PHP使用的字符串连接。(点)作为运算符,而不是+ (+)
You actual code uses +:
实际代码使用+:
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" + $nickname+ "'";
This is why PHP is telling that $nickname isn't a numeric variable. It cannot sum strings, only concatenate.
这就是为什么PHP说$昵称不是一个数字变量。它不能求和字符串,只能连接。
Change your operator to . and it will work:
把你的操作符改成。它会工作:
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='" . $nickname . "'";
You can also use this syntax, with the same result but cleaner code:
您还可以使用此语法,其结果相同,但代码更简洁:
$checkUserExistanceSql = "SELECT nickname FROM user WHERE nickname='{$nickname}'";
Security Alert
You code is sucessive to SQL injection. You should use prepared statements instead of concatenating your variables into the Query.
您的代码是对SQL注入的支持。您应该使用准备好的语句,而不是将变量连接到查询中。
#2
1
Thanks to the help of Yolo and Elias Soares. The script runs flawless now, I also used prepared statement to counter the risk of sql injection as mentiones by elias.
感谢Yolo和Elias Soares的帮助。脚本现在运行完美,我还使用了准备好的语句来对抗elias的sql注入的风险。
$con = getConnection();
//check connection
if(!$con){
die("Connection to database failed". mysql_connect_error() );
} else echo ("connection to database successfull");
//prepared statement for sql query
$stmt = $con -> prepare("SELECT nickname FROM user WHERE (nickname=?)");
$stmt -> bind_param("s", $nickname);
$stmt->execute();
//checkking result, if nickname is already used
if($stmt->get_result()){
echo "0";
} else {
//insert user
}