PHP MySQL：在同一张表中选择不同的列的问题

Question

This has surely come up before but I haven't found a solution. I am trying to select username and password from a database to verify users a simple login script. It should simply find a row in the users table with a username and password matching those submitted through the login form.

I can match the username without any problem but not the password and I have no idea why.

The table contains columns called "username" and "password" and there is only 1 row in the table with a username 'admin' and a password 'testpassword'.

Here is the function containing three options - options 1 and 4 work, the other two don't. Option 2 is the same as option 1 except it looks up a different column. I have checked that the column name in the query matches the columns in the table and that the submitted values match. I'm not getting any error messages and can't see what might be wrong (something basic, I'm sure...).

function new_session ($username, $pw, $inactive) {

    // echo statements verify that variable match database values
    echo "<h2>username = " . $username . "</h2>";
    echo "<h2>password = " . $pw . "</h2>";
    echo "<h2>inactive = " . $inactive . "</h2>";

    $db = mydb::getConnection();

    //option 1
    $statement = $db->prepare('SELECT * FROM users WHERE username = :parameter');
    $statement->bindValue(':parameter', $username);

    //option 2
    //$statement = $db->prepare('SELECT * FROM users WHERE password = :parameter');
    //$statement->bindValue(':parameter', $pw);

    //option 3
    //$statement = $db->prepare('SELECT * FROM users WHERE password = :parameter1 AND username = :parameter2');
    //$statement->bindValue(':parameter1', $username);
    //$statement->bindValue(':parameter2', $pw);

    //option 4
    //$statement = $db->prepare('SELECT * FROM users WHERE username = "admin" AND password = "testpassword"');

    $statement->execute();
    $row = $statement->fetchAll();

    if (count($row) == 1) {
        // SESSION data is set here for options 1 and 4
    } 
}

Answer 1

First thing you need to check is if the passwords in your data base are hashed. They probably should be, and if they are you need to compare using the hashing function PASSWORD

$statement = $db->prepare('SELECT * FROM users WHERE password = PASSWORD(:parameter)');
$statement->bindValue(':parameter', $pw);

Now, if your passwords aren't hashed (shame on you), you might have a different problem. As you can see in the above, password is a function name in mysql. It might be having problems parsing your statement because you are using password as a column name. Put tick-marks around the column name password . Like this:

$statement = $db->prepare('SELECT * FROM users WHERE `password` = :parameter');
$statement->bindValue(':parameter', $pw);

Notice that those are tick marks , not a single quote. They are found on the same key that ~ is on, above the tab key. These tick marks will indicate that password is a column name.

Answer 2

The word "PASSWORD" is a mysql command. so escape it first like this:

 //option 3
    //$statement = $db->prepare('SELECT * FROM users WHERE `password` = :parameter1 AND username = :parameter2')

If this query gives error, then I think you have your password encoded. Then use this for md5:

$statement->bindValue(':parameter', md5($pw));

And for sha1:

$statement->bindValue(':parameter', sha1($pw));

I see no other errors which might could result in no rows :o

Answer 3

感谢所有建议，并抽出宝贵时间研究此问题，我按照建议转义了密码一词，但是我很as愧地说问题是密码表输入的最大长度正在修剪最后一个字符，而我没有发现它。