PHP | SQL - mysqli_stmt_prepare 失败并连接到数据库
[英]PHP | SQL - mysqli_stmt_prepare fails and connected to the database
问题描述
I'm trying to execute a parameterized query to update some stuff in the database.
我正在尝试执行参数化查询来更新数据库中的一些内容。
The problem is that it mysqli_stmt_prepare fails.问题是 mysqli_stmt_prepare 失败了。 The require is used to connect to the database. require 用于连接数据库。
require 'includes/dbInclude.php';
if ($codeQuery > 0){
$confirmationUsername = $_GET['confirmationUsername'];
$active = "active";
$noCode = "";
$insertSql = "UPDATE users SET accountStatus = ? WHERE username = $confirmationUsername";
$insertSql2 = "UPDATE users SET confirmationCode = ? WHERE username = $confirmationUsername";
$statement = mysqli_stmt_init($connection);
$statement2 = mysqli_stmt_init($connection);
if (!mysqli_stmt_prepare($statement, $insertSql)){
header("Location: registerComplete.php?error=sqlError1");
exit();
}
elseif (!mysqli_stmt_prepare($statement2, $insertSql2)){
header("Location: registerComplete.php?error=sqlError2");
exit();
}
else{
mysqli_stmt_bind_param($statement, "s", $active);
mysqli_stmt_execute($statement);
mysqli_stmt_bind_param($statement2, "s", $noCode);
mysqli_stmt_execute($statement2);
}
}
dbInclude.php contains: dbInclude.php 包含:
<?php
//connection variables
$serverName = "localhost";
$dbUsername = "root";
$dbPassword = "";
$dbName = "ecglive";
//connection
$connection = mysqli_connect($serverName, $dbUsername, $dbPassword, $dbName);
//connection error
if(!$connection){
die("There was an error connceting to the database: " . mysqli_connect_error());
}
And where I used it works.在我使用它的地方工作。 I alos tried copy that code to this one just to see if there was any problem connecting to the database.我还尝试将该代码复制到此代码,只是为了查看连接到数据库时是否有任何问题。 It isn't.它不是。
It always goes on the first error if, where it says sqlError1 and if I delete it, then it goes to the sqlError2.它总是出现第一个错误,如果它说 sqlError1,如果我删除它,那么它会转到 sqlError2。
Did I make any mistake?我做错了吗?
2 个解决方案
解决方案1
1 已采纳 2019-04-19 18:22:35
You need to bind the username in addition to the accountstatus to help mitigate SQL injection.除了accountstatus状态之外,您还需要绑定username以帮助缓解 SQL 注入。
require 'includes/dbInclude.php';
if ($codeQuery > 0){
$confirmationUsername = $_GET['confirmationUsername'];
$active = "active";
$noCode = "";
$insertSql = "UPDATE users SET accountStatus = ? WHERE username = ?";
$insertSql2 = "UPDATE users SET confirmationCode = ? WHERE username = ?";
$statement = mysqli_stmt_init($connection);
$statement2 = mysqli_stmt_init($connection);
if (!mysqli_stmt_prepare($statement, $insertSql)){
exit(header("Location: registerComplete.php?error=sqlError1") );
} elseif (!mysqli_stmt_prepare($statement2, $insertSql2)){
exit(header("Location: registerComplete.php?error=sqlError2") );
} else{
mysqli_stmt_bind_param($statement, "ss", $active,$confirmationUsername);
mysqli_stmt_execute($statement);
mysqli_stmt_bind_param($statement2, "ss", $noCode,$confirmationUsername);
mysqli_stmt_execute($statement2);
}
}
解决方案2
1 2019-04-19 18:47:52
This code uses a very strange style, and one that's far more verbose than necessary.这段代码使用了一种非常奇怪的风格,而且比必要的要冗长得多。 Here's a more minimal form of same:这是一个更简单的形式:
require 'includes/dbInclude.php';
// Enable exception reporting
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
if ($codeQuery > 0) {
try {
// Prepare one query that sets both properties.
$stmt = $connection->prepare('UPDATE users SET accountStatus=?,confirmationCode=? WHERE username=?');
// Bind parameters directly form the source, no variables needed.
$stmt->bind_param('ss', 'active', '', $_GET['confirmationUsername']);
// Attempt to execute
$stmt->execute();
}
catch (Exception $e) {
// Error handling here...
header("Location: registerComplete.php?error=sqlError2");
exit();
}
}
You're really not doing a lot here, so there's no reason for that code to be so verbose.您实际上并没有在这里做很多事情,因此没有理由让该代码如此冗长。
That being said, if this is a registration system for some kind of user access control layer and this isn't an academic project you should stop working on this code before you create a huge mess.话虽这么说,如果这是某种用户访问控制层的注册系统,并且这不是学术项目,那么您应该在造成巨大混乱之前停止处理此代码。 Writing your own access control layer is not easy and there are many opportunities to get it severely wrong.编写自己的访问控制层并不容易,而且有很多机会犯严重错误。
Any modern development framework like Laravel comes with a robust authentication system built-in.任何像Laravel这样的现代开发框架都内置了一个强大的身份验证系统。 This is a solved problem and there's no need for you to try and re-invent the wheel here.这是一个已解决的问题,您无需在这里尝试重新发明轮子。
At the absolute least follow recommended security best practices and never store passwords as plain-text or a weak hash like SHA1 or MD5 .至少要遵循推荐的安全最佳实践,并且永远不要将密码存储为纯文本或SHA1 或 MD5等弱散列。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.