我尝试检查激活链接是否有效或无效,但是我总是从我的代码中获得$activated_message,即使激活令牌或电子邮件是不正确的。我的sql语句或函数有什么问题?由于
<?php
include("mysql_functions.php");
// Check if all fields are not empty.
if (!empty($_GET['email']) && !empty($_GET['activation_token'])) {
// MySQL database select query.
$mysql_select_query = "SELECT * FROM Accounts WHERE email='" . $_GET['email'] . "' AND activation_token='" . $_GET['activation_token'] . "' AND activated='0' LIMIT 1";
// Execute the MySQL database select query and check if POST password matches MySQL database hashed password.
if(mysql_execute_query($mysql_server, $mysql_username, $mysql_password, $mysql_database_name, $mysql_select_query, false)) {
// Valid activation link.
// MySQL database update query.
$mysql_update_query = "UPDATE Accounts SET activated='1' WHERE email='" . $_GET['email'] . "' AND activation_token='" . $_GET['activation_token'] . "' AND activated='0' LIMIT 1";
// Execute the MySQL database update query to activate the account and check if it is successful.
if (mysql_execute_query($mysql_server, $mysql_username, $mysql_password, $mysql_database_name, $mysql_update_query, false)) {
// The account was successfully activated.
echo $activated_message;
} else {
echo $not_activated_message;
}
} else {
// Invalid activation link.
echo $invalid_activation_link;
}
} else {
echo $not_activated_message;
}
// ------------------------ FUNCTION: MYSQL QUERY EXECUTOR -----------------------
// Function for executing MySQL queries.
function mysql_execute_query($mysql_server, $mysql_username, $mysql_password, $mysql_database_name, $mysql_query, $return_mysql_query_result_boolean) {
// Create the MySQL database connection.
$mysql_database_connection = mysqli_connect($mysql_server, $mysql_username, $mysql_password, $mysql_database_name);
// Check if connected to MySQL database.
if ($mysql_database_connection) {
// Connected to the MySQL database.
// Execute the MySQL query.
if ($mysql_query_result = mysqli_query($mysql_database_connection, $mysql_query)) {
// MySQL query has executed successfully.
// Check if any data needs to be returned.
if ($return_mysql_query_result_boolean) {
// Get an associated array from the MySQL result.
$mysql_query_result = mysqli_fetch_assoc($mysql_query_result);
}
// Close the MySQL database connection.
mysqli_close($mysql_database_connection);
// Return the MySQL query result.
return $mysql_query_result;
} else {
// MySQL query has not executed successfully.
echo "Error: " . mysqli_error($mysql_database_connection);
return false;
}
} else {
// Could not connect to the MySQL database.
die("Error connecting to MySQL database: " . mysqli_connect_error());
return false;
}
}
?>
问题在于,当给定的查询是正确的时,mysql_execute_query
总是返回解析为TRUE
的结果。
您应该读取select语句的结果,并将逻辑建立在此基础上,而不是基于查询是否工作的事实。
也就是说,你的代码有很多错误:
- 主代码中的嵌套if结构不是很好读或可维护
- 你是开放的SQL注入攻击,检查准备语句
- 为每个查询连接到数据库是不必要的
希望我能帮到你一点,祝你好运,编程快乐!
请检查行:
if ($mysql_query_result = mysqli_query($mysql_database_connection, $mysql_query)) {
因为它总是返回true,所以无论条件如何,你总是得到激活消息
请检查您的更新查询。您将"激活"字段设置为1,然后在查询结束时再次设置为零,这不会给您预期的结果。
// MySQL database select query.
$mysql_select_query = "SELECT * FROM Accounts WHERE email='" . $_GET['email'] . "' AND activation_token='" . $_GET['activation_token'] . "' AND activated='0' LIMIT 1";
// Execute the MySQL database select query and check if POST password matches MySQL database hashed password.
if(mysql_execute_query($mysql_server, $mysql_username, $mysql_password, $mysql_database_name, $mysql_select_query, false)) {
// Valid activation link.
// MySQL database update query.
$mysql_update_query = "UPDATE Accounts SET activated='1' WHERE email='" . $_GET['email'] . "' AND activation_token='" . $_GET['activation_token'] . "' AND activated='0' LIMIT 1";