使用PDO的简单登录功能

Question

im still in the early learning stages, banging my head against walls looking for clues. Iv been reading the manual to no avail.

im building a user log in system based on the phpAcadamy tutorial 'Register & Login'. They use mysql_connect in the tutorial, but I am using a PDO connection to mysql.

1) the function user_id_from_username should return the user_id entry for the posted $username. mine does not, im confused about how to simply return the entry, and i just need a little bit of guidance and explanation.

2) the login function works, BUT i need it to return $user_id if TRUE, so that i can set the session.

here is my code:

    <?php 
    function user_id_from_username(PDO $db, $username) {
    $stmt = $db->prepare('SELECT `user_id` FROM `users` WHERE `username` = 1');
    $stmt->bindParam(1, $username);
    $stmt->execute();
    return ($stmt->fetchColumn());
    }   //??? I NEED THIS FUNCTION TO RETURN THE `user_id` ENTRY FOR $username

    function login(PDO $db, $username, $password) {
    $user_id = user_id_from_username($db, $username);
    $password = md5($password);
    $stmt = $db->prepare('SELECT COUNT(`user_id`) FROM `users` WHERE `username` = ? AND `password` = ?');
    $stmt->bindParam(1, $username);
    $stmt->bindParam(2, $password);
    $stmt->execute();
    return (bool) $stmt->fetchColumn();
    }   //??? I NEED THIS FUNCTION TO RETURN $user_id IF TRUE (to set session)

    //---------------------login.php-----------------------

    if (empty($_POST) === false) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (empty($username) === true || empty($password) === true) {
    $errors[] = 'You need to enter a username and password.';
    } else if (user_exists($db, $username) === false) {
    $errors[] = 'We can\'t find that username. Have you registered?';
    } else if (user_active($db, $username) === false) {
    $errors[] = 'You haven\'t activated your account!';
    } else {
    $login = login($db, $username, $password);
    if ($login === false) {
    $errors[] = 'That username/password combination is incorrect.';
    } else {
    die($login);


    }
    }
    print_r($errors);
    }

So, according to this login script, after a successful login (good username and password, and active account) it should output the $user_id integer: "die($login)".

(I didnt include the other two functions: user_exists and user_active, because i have them working properly)

It prints the error array correctly, it logs in ok, except for this next step.

Thanks in advance for helping me out!

Answer 1

You have to put ? here

$stmt = $db->prepare('SELECT `user_id` FROM `users` WHERE `username` = 1');

should be

$stmt = $db->prepare('SELECT `user_id` FROM `users` WHERE `username` = ?');

Edit

Use this function

function login(PDO $db, $username, $password) {
$user_id = user_id_from_username($db, $username);
$password = md5($password);
$stmt = $db->prepare('SELECT COUNT(`user_id`) FROM `users` WHERE `username` = ? AND `password` = ?');
$stmt->bindParam(1, $username);
$stmt->bindParam(2, $password);
$stmt->execute();
if($stmt->fetchColumn() > 0) {
    return $user_id;
} else {
    return false;
}
}

Answer 2

In prepared statements ? is used. The ? is replaced with the variable given in bind_param . In your code ? will be replaced with $username

$stmt = $db->prepare('SELECT `user_id` FROM `users` WHERE `username` = ?');
$stmt->bindParam(1, $username);

Answer 3

Using user_id_from_username() in login function makes absolutely no sense.
As well as getting count instead of actual id

You could do it in one step:

function login(PDO $db, $username, $password) {
    $password = md5($password); // you should add salt and change hash function
    $sql = 'SELECT user_id FROM `users` WHERE `username` = ? AND `password` = ?';
    $stmt = $db->prepare($sql);
    $stmt->execute(array($username, $password));
    return $stmt->fetchColumn();
}