我试图检查激活链接是否有效或无效,但我总是从我的代码中得到$activated\消息,即使激活令牌或电子邮件不正确。我的sql语句或函数有什么问题?谢谢
<?php
include("mysql_functions.php");
// Check if all fields are not empty.
if (!empty($_GET['email']) && !empty($_GET['activation_token'])) {
// MySQL database select query.
$mysql_select_query = "SELECT * FROM Accounts WHERE email='" . $_GET['email'] . "' AND activation_token='" . $_GET['activation_token'] . "' AND activated='0' LIMIT 1";
// Execute the MySQL database select query and check if POST password matches MySQL database hashed password.
if(mysql_execute_query($mysql_server, $mysql_username, $mysql_password, $mysql_database_name, $mysql_select_query, false)) {
// Valid activation link.
// MySQL database update query.
$mysql_update_query = "UPDATE Accounts SET activated='1' WHERE email='" . $_GET['email'] . "' AND activation_token='" . $_GET['activation_token'] . "' AND activated='0' LIMIT 1";
// Execute the MySQL database update query to activate the account and check if it is successful.
if (mysql_execute_query($mysql_server, $mysql_username, $mysql_password, $mysql_database_name, $mysql_update_query, false)) {
// The account was successfully activated.
echo $activated_message;
} else {
echo $not_activated_message;
}
} else {
// Invalid activation link.
echo $invalid_activation_link;
}
} else {
echo $not_activated_message;
}
// ------------------------ FUNCTION: MYSQL QUERY EXECUTOR -----------------------
// Function for executing MySQL queries.
function mysql_execute_query($mysql_server, $mysql_username, $mysql_password, $mysql_database_name, $mysql_query, $return_mysql_query_result_boolean) {
// Create the MySQL database connection.
$mysql_database_connection = mysqli_connect($mysql_server, $mysql_username, $mysql_password, $mysql_database_name);
// Check if connected to MySQL database.
if ($mysql_database_connection) {
// Connected to the MySQL database.
// Execute the MySQL query.
if ($mysql_query_result = mysqli_query($mysql_database_connection, $mysql_query)) {
// MySQL query has executed successfully.
// Check if any data needs to be returned.
if ($return_mysql_query_result_boolean) {
// Get an associated array from the MySQL result.
$mysql_query_result = mysqli_fetch_assoc($mysql_query_result);
}
// Close the MySQL database connection.
mysqli_close($mysql_database_connection);
// Return the MySQL query result.
return $mysql_query_result;
} else {
// MySQL query has not executed successfully.
echo "Error: " . mysqli_error($mysql_database_connection);
return false;
}
} else {
// Could not connect to the MySQL database.
die("Error connecting to MySQL database: " . mysqli_connect_error());
return false;
}
}
?>
3条答案
按热度按时间mepcadol1#
问题在于
mysql_execute_query
总是返回一个解析为TRUE
当给定的查询正确时。您应该读取select语句的结果,并以此为逻辑基础,而不是基于查询是否工作的事实。
也就是说,你的代码有很多错误:
主代码中的嵌套if结构不太可读或可维护
如果您对sql注入攻击持开放态度,请检查准备好的语句
不需要为每个查询连接到数据库
希望我能帮你一点,祝你好运,快乐编码!
eiee3dmh2#
请检查您的更新查询。您正在将“activated”字段设置为1,然后在查询结束时再次将其设置为零,这不会给出预期的结果。
kxkpmulp3#
请检查线路:
if ($mysql_query_result = mysqli_query($mysql_database_connection, $mysql_query)) {
因为它总是返回true,所以不管条件如何,都会得到激活消息。